It's pretty simple. Uses BLOWFISH (
- PHP 5.3.7+
- MySQL
- Set up a new MySQL database, build its tables using user_tables.sql
- Rename dbconn_mysql.example.php to dbconn_mysql.php and put the database info in there.
- Upload the files to your web server and visit index.php
- User registers using an email address and password (though you could easily swap out email for username).
- A unique salt is generated using /dev/urandom via a get_key() function originally found here.
- Password is hashed using crypt()
$2y$ BLOWFISH hashing, at 12 cost. - New user data is stored in MySQL, yay.
- User is presented to log in.
- When a user logs in, it looks up their email, and compares passwords based on crypt() functionality.
- If the user logs in successfully, they are given a 256-bit key and a 256-bit secret (using get_key(256)) that identifies them.
- The session key/secret token is saved via a cookie, which is set to expire in 30 days by default.
- When the user accesses a page, PHP looks up their session based on this key.
That's it! Obviously you'd probably want to build in a way for a user to invalidate all of their current sessions and change their password.
Originally this used /dev/random instead of /dev/urandom, but it got way too slow as /dev/random would run out of entropy. Not sure exactly how to fix that yet, as my server does not have a TRNG to run rng-tools with.
Obviously you'd still want to use SSL to prevent any over-the-wire (or over-the-air) session hijacking and password stealing.
It also features a login flood control mechanism to prevent bots from trying to brute-force their way in; after 20 failed attempts from a given IP, you need to wait half an hour to try logging in again.
This is just a proof of concept, I don't think you should keep the file structure like this, but you could.
Also, you could easily use memcached or riak or something more efficient to store session data.
Check this out: http://cylesoft.com/