Multi-user login script

A multi-user login script is a software system where many users can login with their unique login name and password and access protected area of that system. This protected area may be common to all users or may be user specific. All though a multi-user login script used in any software application but here I'm going to discuss the principle of working of login script used in internet world.

Basic principle

The basic principle of working of a multi-user login script used in websites is as follows.

  1. User enters his or her unique login name and password, and posts them to the web server via a web-form.
  2. The web server receives those data from the user end and search in the server database for such user name password pair.
  3. If no match found server delivers an error message to the user end and request for submitting correct data.
  4. If match found then the server follow some mechanism to remember user that it has already been logged in and no further verification is required during that session.

The mechanism by which server remember the login session of a user depends upon the level of security it requires to prevent any unauthorized access of restricted area. For example website which deals with online money like PayPal offers much tighter security of login session than a bulletin board where registered user only can post a message in the board. Here I discuss few common techniques to hold a login session.

Remember login session

After a successful login server holds one or more reference values about the user session. Whenever user trying to access a protected area server verifies those references before access and if not satisfied it redirects user into the login page. Thus the session security entirely depends upon the following factors.

  1. The references that are stored by server; are they really unique?
  2. The security of the place where the references are stored.

For a simple login system where security is not a consideration al all assigning a session or cookie of constant value is enough to validate session. At the end of the session life of those variables will normally expire. Security may be somehow extended by replacing the fixed value with the user IP address. But a good login system should record the following references about the login session and stores them in a secured database.

  1. Time of login, which will be expired after a maximum interval.
  2. User IP address.
  3. A random text, known as session code identifying the user session.

An encrypted copy of that session code is also saved as cookie. When browser requests WebPages from the server it also sends the previously saved cookie too. Then the server can validate that cookie value with the reference stored in its database.

Comments:

Add comment