I just finished writing a PHP script for Android user registration and login which is working perfectly, but I need to add
a theft-of-identity mechanism to the script. Here are my questions: is there a way for me to

1. Make the username and password self-destruct through a cron job immediately after successful login,
or after 30 seconds of the user being logged in, i.e. if the user logs out of the app and wants to access the app
again he will have to register.

2. Is there a way to make the password locked to the phone number or IMEI of a device? If user B wants to use user A's password,
the app should prompt or show a dialog "password already in use by another user".

See my code below

<?php

class DbOperations{

    private $con;

    function __construct(){
        // DbConnect.php is expected to sit next to this file and return a mysqli connection
        require_once dirname(__FILE__).'/DbConnect.php';

        $db = new DbConnect();

        $this->con = $db->connect();
    }

    /*CRUD -> C -> CREATE */

    // Returns 0 if the username or email is already taken, 1 on success, 2 on insert failure
    public function createUser($username, $pass, $email){
        if($this->isUserExist($username,$email)){
            return 0;
        }else{
            $password = md5($pass);
            $stmt = $this->con->prepare("INSERT INTO `users` (`id`, `username`, `password`, `email`) VALUES (NULL, ?, ?, ?);");
            $stmt->bind_param("sss",$username,$password,$email);

            if($stmt->execute()){
                return 1;
            }else{
                return 2;
            }
        }
    }

    // Returns true when a row matches the username and the md5 of the supplied password
    public function userLogin($username, $pass){
        $password = md5($pass);
        $stmt = $this->con->prepare("SELECT id FROM users WHERE username = ? AND password = ?");
        $stmt->bind_param("ss",$username,$password);
        $stmt->execute();
        $stmt->store_result();
        return $stmt->num_rows > 0;
    }

    // Returns the user row as an associative array, or null if no such user
    public function getUserByUsername($username){
        $stmt = $this->con->prepare("SELECT * FROM users WHERE username = ?");
        $stmt->bind_param("s",$username);
        $stmt->execute();
        return $stmt->get_result()->fetch_assoc();
    }

    // True if either the username or the email is already registered
    private function isUserExist($username, $email){
        $stmt = $this->con->prepare("SELECT id FROM users WHERE username = ? OR email = ?");
        $stmt->bind_param("ss", $username, $email);
        $stmt->execute();
        $stmt->store_result();
        return $stmt->num_rows > 0;
    }

}

Kindly help

What I have tried:

I posted the above question on Stack Overflow and GDG, no response yet.

Posted; updated 12-Aug-17 4:25am
Comments
Richard MacCutchan 12-Aug-17 9:52am
Why would you want to destroy a user's credentials when he logs out? Better to keep them in a database after registration. Also, you should not be able to tell if a password has already been used. Each password should be a salted hash kept with the user's registration entry. See Secure Password Authentication Explained Simply.

1 solution

If you want to make your site a royal pain in the ass to use and alienate your users, these requirements are great!

You're doing just about everything wrong, like restricting the use of a password to a single account. WHY WOULD YOU WANT TO DO THAT? You're basically telling the world that, hey, "someone is using this password on this site!" That's a MASSIVE security risk to other users of the site.

You're also storing passwords in clear text. This is a MASSIVE security risk to all of your users. People tend to use the same username and password on multiple sites. Exposing this data as clear text risks the security of users on other sites. This is true even if you have the delusion that your database is hack-proof and will never be stolen. ALWAYS assume it will be stolen and protect the personal information in it as appropriate.

Oh, and you're not preventing the theft of anything with that code nor your requirements.

Salt the passwords and hash them, storing the hash value, not the password itself.
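To make the advice in the comment and the solution concrete (salt and hash each password, store only the hash, and never compare one user's password against another's), here is an added example that is not the poster's code or the answerer's. It keeps the poster's table and column names (users, username, password, email) but assumes PDO with an in-memory SQLite database instead of the mysqli/MySQL connection in DbConnect.php so that it runs on its own; the class, method and demo names are mine.

```php
<?php
// Added example: salted password hashing with PHP's built-in password_hash()
// and password_verify(). Assumes PDO + SQLite (constructed here) rather than
// the poster's mysqli connection; table/column names follow the poster's schema.

class SecureDbOperations {
    private PDO $con;
    private string $dummyHash; // used to keep timing uniform for unknown users

    public function __construct(PDO $con) {
        $this->con = $con;
        $this->dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    }

    // Returns 0 if the username or email is taken, 1 on success, 2 on insert failure.
    public function createUser(string $username, string $pass, string $email): int {
        if ($this->isUserExist($username, $email)) {
            return 0;
        }
        // password_hash() picks a random per-user salt and embeds salt,
        // algorithm and cost in the returned string, so nothing else is stored.
        $hash = password_hash($pass, PASSWORD_DEFAULT);
        $stmt = $this->con->prepare(
            "INSERT INTO users (username, password, email) VALUES (?, ?, ?)");
        return $stmt->execute([$username, $hash, $email]) ? 1 : 2;
    }

    // Returns true only when the stored hash verifies against the supplied password.
    public function userLogin(string $username, string $pass): bool {
        $stmt = $this->con->prepare("SELECT password FROM users WHERE username = ?");
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Verify against a dummy hash when the user is unknown, so the response
        // time does not reveal which usernames exist.
        $stored = $row ? $row['password'] : $this->dummyHash;
        if (!password_verify($pass, $stored) || $row === false) {
            return false;
        }
        // Upgrade the stored hash if PHP's default algorithm or cost has changed.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $upd = $this->con->prepare("UPDATE users SET password = ? WHERE username = ?");
            $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $username]);
        }
        return true;
    }

    // Returns the stored hash for a user (only for the demonstration below).
    public function getStoredHash(string $username): ?string {
        $stmt = $this->con->prepare("SELECT password FROM users WHERE username = ?");
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['password'] : null;
    }

    private function isUserExist(string $username, string $email): bool {
        $stmt = $this->con->prepare("SELECT 1 FROM users WHERE username = ? OR email = ?");
        $stmt->execute([$username, $email]);
        return $stmt->fetchColumn() !== false;
    }
}

// Constructed in-memory database standing in for the poster's MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE)");

$db = new SecureDbOperations($pdo);

// Two constructed users who happen to choose the same password.
var_dump($db->createUser('alice', 'correct horse battery staple', 'alice@example.invalid') === 1);
var_dump($db->createUser('bob',   'correct horse battery staple', 'bob@example.invalid') === 1);
var_dump($db->createUser('alice', 'other', 'dup@example.invalid') === 0);       // username taken

// Because each hash carries its own random salt, identical passwords produce
// different stored values; the database cannot tell that they match, which is
// exactly why a "password already in use" check is neither possible nor desirable.
var_dump($db->getStoredHash('alice') !== $db->getStoredHash('bob'));

var_dump($db->userLogin('alice', 'correct horse battery staple') === true);
var_dump($db->userLogin('alice', 'wrong password') === false);
var_dump($db->userLogin('nobody', 'correct horse battery staple') === false);
```

Run it with the PDO SQLite extension enabled (php example.php); every var_dump should print bool(true). The poster's original flow (check for an existing user, insert, then look the user up at login) is unchanged; only the secret handling differs: the plain md5 of the password is replaced by a salted, cost-tuned hash, the login compares with password_verify rather than a SQL equality on the hash, and the unique salts make cross-account password comparison impossible by construction.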

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
