What's the best and most secure way to go when writing an authentication library in a model-view-controller way?
The things that give me a hard time are keeping track of the users' activity and remembering users: via a cookie, or by storing sessions in the database?
Thanks in advance :).
Upvotes: 5
Views: 2113
Reputation: 655549
If you want to use sessions, you have to secure them against attacks like session fixation and session hijacking.
To prevent both you have to ensure that only authenticated requests are allowed to use the session. This is commonly done by chaining as much specific (possibly unique) information about the client as possible with the session. But as some information may change on every request (like the IP address), it can be difficult to find a good one.
This is why it is useful to use the method denoted as Trending.
Another good protection measure is to swap the session ID periodically. Thus the period for an attack on a valid session ID is smaller.
Upvotes: 4
Reputation: 1097
The simplest way to implement it is with PHP SESSIONS.
Just call session_start(); near the beginning of your script and you have access to the $_SESSION global array for holding your authentication data.
Depending on the configuration of your server all the data stored in $_SESSION will only be available on the server from which it is hosted (with few exceptions). You can configure it to be saved in a temporary directory, in memcached, or even a database.
The only thing that is transmitted between the client and your server is a "session key". The key can be passed by cookie or URL-rewrites (which are transparently handled by the session_start output buffer).
Upvotes: 3
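A hardened version of the plain session_start() setup this answer describes, also applying the fixation, hijacking and periodic ID-swap points from the previous answer. This is an added example, not code from either answer; IDLE_LIMIT and ROTATE_EVERY are chosen values, the User-Agent binding is one possible client attribute, and session_set_cookie_params() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from either answer: hardened PHP session handling for an MVC auth layer.
const IDLE_LIMIT   = 1800; // seconds without a request before the login is dropped (chosen value)
const ROTATE_EVERY = 300;  // swap the session ID at least this often (chosen value)

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (($now - ($_SESSION['last_seen'] ?? $now)) > IDLE_LIMIT) {
        $_SESSION = [];                  // idle too long: forget the login ...
        session_regenerate_id(true);     // ... and retire the old ID (true = delete old data)
    }
    $_SESSION['last_seen'] = $now;

    if (($now - ($_SESSION['rotated_at'] ?? 0)) > ROTATE_EVERY) {
        session_regenerate_id(true);     // periodic swap shrinks the hijack window
        $_SESSION['rotated_at'] = $now;
    }
}

function clientFingerprint(): string
{
    // Bind to the User-Agent rather than the IP, which can change between requests.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function loginUser(int $userId): void
{
    session_regenerate_id(true);         // fresh ID at the privilege change
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
    $_SESSION['ua_hash']    = clientFingerprint();
}

function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'])) return null;
    if (!hash_equals($_SESSION['ua_hash'], clientFingerprint())) {
        $_SESSION = []; session_regenerate_id(true);   // fingerprint mismatch: drop the login
        return null;
    }
    return $_SESSION['user_id'];
}
```

Call startSecureSession() once per request before any controller runs, loginUser() only after the password check has passed, and currentUserId() wherever a controller needs the authenticated user.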