
Login System with many users.

G1K777

Hello,

I want to know how bigger websites handle a huge amount of users.
Is it a good idea to use PHP sessions combined with memcached or is it better to use something different?

AMD FX8320 | GTX660 | 4x4GB DDR3 | LG ZR2740W

Logitech Wireless Pro  | Logitech G413 | Nuforce uDAC5  | AKG K612


I'm not talking about security here. I'm asking which "technology" should be used.

This thread has nothing to do with Databases.


I'm using MongoDB and MariaDB.

 

AMD FX8320 | GTX660 | 4x4GB DDR3 | LG ZR2740W

Logitech Wireless Pro  | Logitech G413 | Nuforce uDAC5  | AKG K612


That fully depends; there are lots of ways. At work, we use JSON web tokens that are sent via HTTP cookies; we then have an OAuth server that validates and then rejects the request if the token is invalid.

 

 

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


You mean something like a "Keep me logged in" thing? Where you get a login token/cookie? The token is saved in the database, but I could do it with memcached instead of a database that will have an expiration date on it.
Would that work? Does it make sense?

AMD FX8320 | GTX660 | 4x4GB DDR3 | LG ZR2740W

Logitech Wireless Pro  | Logitech G413 | Nuforce uDAC5  | AKG K612


Well, the biggest part of handling a lot of users is the big server farm that has enough power to serve all those users in a reasonable amount of time. But the system behind logging all the users can differ a lot between different big sites, as there are plenty of different server sides and each has its own advantages for certain workloads. Node.js is quite popular at the moment, but Apache/PHP servers are also still relevant for plenty of sites.

 

About the login system itself: well, in principle you have the login action, for which a server needs to compare the filled-in credentials with the ones in the database, and for security it's best to hash at least the password before storing it in the database (whichever one you use). After that, the session is often stored in a cookie with a unique identifier which is linked to your account for the duration of the session and set to only be modified using an HTTP cookie header from the host that encrypted it and set it so that the user can't edit it.

 

Or at least that is approximately what I was taught during recent lectures about web technology :)

while (alive == true) { breathe(); }

 


I'm doing a few validations and checks before allowing someone to log in.

I'm also using "password_verify" and if it matches, I just echo a string like "Logged in" because I have no idea how to make the session.

I made already a login system that worked except I had different php files.
I'm using now only one php file, index.php. For checking and validation I'm using other php files, but I don't have files like profile.php, forum.php etc. only index.php.

In my other login system, I was using "session_start()" on all php files and after someone was successfully logged in, he got redirected to profile.php (accessing profile.php is not possible if not logged in.).

 

Would it work if I would add session_start() in my index.php and then instead of returning a string just set some session variables?

index.php

<?php session_start() ?>
<!DOCTYPE html>
<html lang="en">
<head>
	<meta http-equiv="content-type" content="text/html;charset=utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
	<meta name="viewport" content="width=device-width,initial-scale=1.0,user-scalable=no">
	<title>xyz</title>
	<link rel="stylesheet" type="text/css" href="/css/style.css">
	<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>
<body>
	<noscript>
    	<p>Foo</p>
	</noscript>
</body>
<script type="text/javascript" src="/test/hyperLoop/hyperLoop.js"></script>
<script type="text/javascript" src="/js/pages.js"></script>
<script type="text/javascript" src="/js/script.js"></script>
</html>

loginsystem.php
 

if( password_verify($password, $row['password']) ){
  $_SESSION['username'] = $username;
  $_SESSION['firstname'] = $firstname;
}else{
  return 'Wrong email or password.';
}

#Edit

The above doesn't work for some reason and it looks like it needs a refresh to make the session work on index. But it works when I make something like this.
 

loginsystem.php

if( password_verify($password, $row['password']) ){
  return true;
}else{
  return 'Wrong email or password.';
}

afterLogin.php

if( $login->loginUser($email,$password) ){ $_SESSION['id'] = '123'; }

This works when I'm trying to return the session ID. How can I make this work?

AMD FX8320 | GTX660 | 4x4GB DDR3 | LG ZR2740W

Logitech Wireless Pro  | Logitech G413 | Nuforce uDAC5  | AKG K612
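
An added example, not code from any poster in this thread: a single login endpoint that starts the session itself, checks the password with password_verify, regenerates the session ID and only then writes $_SESSION. It assumes the page posts the form to this script; findUserByEmail() and the sample user are constructed stand-ins for the database lookup, and the new session state becomes visible to index.php on the next request, which is why a page rendered before the login does not change until it is re-requested.

```php
<?php
declare(strict_types=1);

// Constructed sample user store; stands in for the real database query.
function findUserByEmail(string $email): ?array
{
    $users = [
        'alice@example.test' => [
            'id'        => 123,
            'firstname' => 'Alice',
            'password'  => password_hash('correct horse', PASSWORD_DEFAULT),
        ],
    ];
    return $users[$email] ?? null;
}

// Must run before any output, in every script that reads or writes $_SESSION.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([   // array form needs PHP 7.3+
        'lifetime' => 0,          // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,       // sent over HTTPS only
        'httponly' => true,       // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(string $email, string $password): bool
{
    $row = findUserByEmail($email);
    // Same result for unknown email and wrong password.
    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);  // fresh ID at login, old one discarded
    $_SESSION['id']        = $row['id'];
    $_SESSION['firstname'] = $row['firstname'];
    return true;
}

startSecureSession();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = loginUser((string) filter_input(INPUT_POST, 'email'),
                    (string) filter_input(INPUT_POST, 'password'));
    header('Content-Type: application/json');
    echo json_encode($ok ? ['ok' => true] : ['ok' => false, 'error' => 'Wrong email or password.']);
}
```

After a successful response the client should reload or re-request the page so that index.php runs again with the populated session.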
