How do I secure a login?

My game uses savedata that is saved on a database which I host. The saves are chosen with a key using the players username. The player can log in and play the game with their save. I want the system to be as secure as possible. I authenticate the user by giving them a unique token every time they log in and storing it in webstorage as a session value; then when an AJAX request is sent it includes the username and token which can then be authenticated. This stops me dealing with the password more than once. I have a logout function which updates the token on the server to a value which will automatically fail authentication so the account is inaccessible without the password input again.

Given this scenario, how can I make it secure?

A user is playing the game, and instead of pressing logout, they just close the tab the game is running in, and so the logout command is never executed. The server still has the token stored and has not been set to the lock value. Somebody could exploit that the token is stored in the browser, and since the server hasn't changed the token, retrieve the token and use it to act against the account.

Would storing the token as a global variable solve this? If not, what can I do?

Is setting the lock value on logout even needed? The token each user has is 64 characters long from a set of 62 characters, giving 5.16497385e+114 possible combinations of token, I feel this could be bruteforced which is why I added the logout lock.

some thoughts:

Store the IP of the user, you can directly compare that.

You could use the IP in the token generation.

If you take that one step further, you can include the user browser agent ID in the token generation too.

You can use an auto timeout on the server.

Each time you request the user data and successfully authenticates, update a time stamp int he user table.

If you use tasks or cron jobs, you can have a script run at an interval to check timeouts in the user table based on the time stamp.

Use https connections for the ajax.

You could have a new token generated every request, or every X request, and have the client update theirs after having authenticated and a new one is generated.

Have the server generate the token each request instead of storing it in the db.

I found that using MD5()'ed (php) strings really usefull.

Just make a list of strings including all required information, then MD5 the whole string into an unique value/token.

lennaert Thanks for your response

1. How would I go about using https when I'm referencing the files relatively?

2. How would you get the users ip? Would $_SERVER['REMOTE_ADDR']; work in php, even if the file is being accessed by AJAX?

3. How do you get browser agent ID? (I don't want to have to rely on data send by the client)

1. Even if you refer to files relatively, the call is still being made over a http connection.

Just use the whole address, adding the https int he ajax call.

The ajax calls will be made by the client, and its info will be sent in the headers as if browsing.

2. As soon as you have an application running in a browser, and you perform ajax calls (to your php files for example), your making calls over the internet, https adds extra security.

3. 'HTTP_USER_AGENT'

PHP can get all the info, php.net server calls