Write authorization system. A few questions


Warning: count(): Parameter must be an array or an object that implements Countable in /home/styllloz/code-flow.club/qa-theme/donut-theme/qa-donut-layer.php on line 274
0 like 0 dislike
4 views
Writing, or rather, upgrade the management system for users of the website a small Internet store. In the process of working on the algorithm appeared four questions:

1. Is there any point when registering a new user send him a letter forcing you to activate your account by clicking on a link, or is it better to do without it?

2. For example, the user registered. Does it make sense for the login except username and password, provide the checkbox "Remember me" or remember all by default, minimizing the various issues?

3. If authorization is successful, I write in the session the username and double password hash from the database (in the database itself, stored in a double hash of the password), and cook in a token autologin:
$token = md5(time().$username);
setcookie('token', $token, time ( ) + 2592000, "/");
$res = $db->query("UPDATE users SET token = '".$token."' WHERE username = '".$username."'");

Different tutorials, sites and forums in different ways to solve this problem. Than cons of my decision? Whether has sense to add "salt", such as the password hash or token:
define('MY_SALT', 'KEJ2FHE#WJFHW758');

4. When you access each page I check for session data and then I have a mandatory request to the database, something like this:
if ( isset ( $_SESSION["username"] ) && isset ( $_SESSION["userpass"] ) ) {
$db->query("SELECT * FROM users
WHERE username = '".$_SESSION["username"]."'
AND userpass = '".$_SESSION["userpass"]."'
.....}

But some manuals and books do simply: if there is session data, show the page, if not — are not allowed while the database query is not, for example:
if(isset($_SESSION['user_data']))
$message[] = "Welcome, ". htmlspecialchars($_SESSION['user_data']['login']) ."! Glad to see You on the website";.........................

How do you think more intelligently? Thank you.
by | 4 views

5 Answers

0 like 0 dislike
1. Only if you need the address for future use, because the validation in the online stores from us, usually by a telephone call that allows you to check the availability of user and order (almost 100%). In fact, the address can be verified and after working with the online store and it is in response to give sweet buns some and then send newsletters with new arrivals to destinations which are interesting to him.
\r
2. There is a sense of checkbox by default, but if a person doesn't want it just uncheck the box. A not advanced users now don't think about it, accepting by default that the site remembers them. And I recommend to run through popular services like Odnoklassniki, myspace, etc. and check it out as they have not occupate from this — the similarity in visual terms and the behavior of the standard set of controls is one of odnosnik settings user-friendly interface.
\r
3. Would recommend to bind not only to the user name (or just do NOT to him), and to the browser — the username the session is always the same, but if the data browser to bind, then dragged along the cookie with the session villain will have to juggle and all the identification data of the browser.
\r
4. The idea session and is needed in order not to climb each time for verification. Now you have a nonsense — what for to check whether the username and password in database from the session if the session you do them and put? How are they different? Unavailable to the user changing session data, it makes your script.
by
0 like 0 dislike
1 and 2 — make it simple for the user, the better
3. The salt is more than desirable.
4. Suggest to read about sql injection :)
by
0 like 0 dislike
everything below is subjective
1. for online store it's too much. the use three options: ordering without registration, registration via openid, regular registration.
\r
2. has, it is very convenient. only title the checkbox to make short obyasnenie why this is.
\r
3. salt is needed in order to "aggravate" the hash, and most importantly for what would in the database were single hash (and next to salt) and in session writing with salt.
\r
4. I usually "guest" put in the cook id=1 and password md5(rand()), and the pages already checking if the value id is greater than 1 then make the identification, if 1 then no.
\r
don't forget to mysql_escape()
by
0 like 0 dislike
1. Without activating the soap at first glance, easier and more convenient. But I think user will be frustrating to know that he made a typo in the email address field when you need to recover the password to uchetku. Although here, too, depends on the purpose of your service binding to soap, as such, do not really need.
\r
3. Use your bike? Why?
\r
4. >check for session data and then I have a mandatory request to the database
that's out of this and grow the miracle scripts that put cancer any server. Here zaprosik there zaprosik. Don't be lazy, do it from a human, besides, it is more convenient.
by
0 like 0 dislike
it is not clear why do we need paragraphs 3 and 4.
I would have understood if the token was disposable, and so you just repeat the existing mechanism of the session hanging on him any unnecessary bells and whistles.
\r
store user_id in session and a flag is_logged and clean session when tagine.
by

Related questions

110,608 questions
257,186 answers
0 comments
25,023 users