
I have been considering the problems arising with user authentication, using sessions/cookies and the security risks that come up with session hijacking. I understand that using a secure https:// is the most effective method, as well as regenerate_session_id() and using a random string for validation (amongst numerous additional procedures).

My question is this: is there a possibility to incorporate a method that forgoes sessions and cookies, and uses just database held variables?

Here is how I would set it up:

- Have a column in the user table that can hold an IP address, and one that would be a Boolean.

- When the user 'logs in', set the current IP address of the user into the database, and set the Boolean value to false (if the user doesn't want to be 'remembered') or true (if they do).

- On page load, it checks the current IP address against the one stored in the user database. If it matches, the user is considered valid.

- On window close, the script would then clear those values and the user would be 'logged out'.

- If the user wanted to 'stay logged in' (which I know is a huge security risk) then a toggle (the Boolean value) would simply deactivate the log-out script and the IP address would stay stored for the user.

What would be the fallbacks to such a method? Is it even possible?

Jesse Kernaghan
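The scheme laid out in the question, modelled as an added example (not code from the post), with an in-memory dict standing in for the user table and constructed sample addresses. It reproduces the two failures the answers below describe: a user is silently logged out when their address changes, and any device behind the same outbound address is treated as the logged-in user.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class UserRow:
    ip: Optional[str] = None   # IP column written at login
    remember: bool = False     # the proposed "stay logged in" Boolean

class IpBoundAuth:
    """The question's scheme: whoever holds the requesting IP in the table is the user."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRow] = {}   # stands in for the user table

    def login(self, username: str, ip: str, remember: bool = False) -> None:
        self.users[username] = UserRow(ip, remember)

    def current_user(self, ip: str) -> Optional[str]:
        """'On page load, check the current IP against the one stored.'"""
        for username, row in self.users.items():
            if row.ip == ip:
                return username
        return None

    def window_closed(self, username: str) -> None:
        """The proposed log-out script; a 'remembered' user keeps the binding."""
        if not self.users[username].remember:
            self.users[username].ip = None

def demonstrate_failures() -> Dict[str, Optional[str]]:
    auth = IpBoundAuth()
    # Constructed sample addresses from the 203.0.113.0/24 documentation range.
    tower_a, tower_b, office_nat = "203.0.113.50", "203.0.113.51", "203.0.113.10"

    # 1. Dynamic IP: alice logs in via one tower, her carrier hands her a new
    #    address, and the next page load no longer recognises her.
    auth.login("alice", tower_a)
    before = auth.current_user(tower_a)
    after = auth.current_user(tower_b)

    # 2. Shared outbound IP: alice logs in from behind an office NAT with
    #    "remember me"; any other device behind that NAT, which never logged
    #    in, is treated as alice, and closing alice's window does not end it.
    auth.login("alice", office_nat, remember=True)
    neighbour = auth.current_user(office_nat)
    auth.window_closed("alice")
    still_bound = auth.current_user(office_nat)
    return {"before_ip_change": before, "after_ip_change": after,
            "nat_neighbour_seen_as": neighbour, "after_window_close": still_bound}
```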

3 Answers


IP addresses are simply not an accurate and reliable way to uniquely identify a user. The IP may change during the session, and more than one user agent may be using the same outbound IP.

Sorry :-)

Chris Trahey
Thank you for the information, I suppose if it didn't have any fallbacks everyone would be doing it. I'll just go back to doing the same old! – Jesse Kernaghan Jun 18 '12 at 04:14

I saw this kind of IP check on a system recently, and it was causing numerous problems with users being randomly disconnected all the time (whenever their dynamic IP changed). Just don't do that; IPs can change, so you cannot rely on them.

Most likely, you should take a look at existing authentication methods and try to implement that. Keep it simple.

laurent

The existing answers saying "dynamic IP is an issue" are absolutely correct. Consider a mobile device connected via 3G: each time the user walks into range of a new tower, their IP changes...

Dean Rather