Posted by knal on 01/05/07 13:01
Thanks Erwin,
I don't mind the teacher-like answer, it's good that you emphasize the
importance of understanding the right things in the right way. I've
(tried to) read a lot on this subject, but most of it was PHP docs.
The security part: I'm "afraid" of points one and two:
1 - if someone listens to my traffic, what use is it to try to secure
anything? (passw., usern. could easily be picked from the traffic)
2 - why would I want to secure something, if I have nothing to
restrict?
Anyway, when it comes to HTTPS, I know there are a lot of community
sites out there, and I've never encountered one that managed its
member profiles etc. via https (this far, only my bank does ;) )
I'm not afraid of the third "argument", but I read up on some other
method where the visitor forces his own Session ID, which replaces the
generated one. This means he can put in there (in the session info)
whatever he likes.
It's difficult to describe the kind of security-tightness I'm looking
for, since I don't know what "levels" of security there are out there.
Of course I'd like to keep hackers out, but I doubt if that's possible.
I'm hoping for a script that I can implement in a site that I'm at the
base of now, but also use it on sites in the future.
Users, passes etc. would "have to be" in a MySQL DB, since I don't want
to manually add every new member to a .htaccess file.
I hope this clears things up ..
Thanks for the help so far!
On Jan 5, 1:44 pm, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> knal wrote:
> > Hi there,
>
> > I'm looking for a secure login script for a sort-of-community site...
> > (PHP, MySQL, sessions, or maybe something else ... )
> > I know there are a lot of scripts out there, but none of them really
> > seem secure, or have other kind of flaws (like IP based login etc.).
>
> > Why I'm asking here is because there's experience out there, and I
> > hope experience can tell me what my best shot is. I'm aware that I will
> > very probably have to do some concessions ...
> > I'm not a PHP-er, but I have some PHP experience ...
>
> > Thanks a lot.
>
> > Knal.
>
> Hi,
>
> Define 'secure login' better.
> What do you want to secure?
>
> To name a few:
> 1) network-traffic eavesdropper:
> Are you afraid somebody is listening to the internet traffic and sees the
> username/password?
> If so, use https instead of http.
>
> 2) Are you afraid somebody goes to restricted pages?
> Use a session, or use directory-access (eg .htaccess)
>
> 3) Are you afraid somebody can steal a session of somebody else?
> Make sure you understand HOW your PHP installation handles sessions.
> Eg: (default) Is it storing the sessions in files in a common
> temp directory?
> Then wonder if anybody else on the same machine (the server) can see them
> and access them.
> (PHP session files are stored with the session id in the filename, so anybody
> who can get a listing of all files in the session directory can steal all
> sessions.)
>
> While sessions are incredibly useful, they also pose a possible
> security risk if you do not understand how they work.
> The better you understand how sessions work, the better you can think up how
> to break them yourself.
> Knowledge = power here.
>
> It is good you care about security, but if you seriously want to secure your
> site more, you MUST dive into the details and get a grip on the matter.
> It is not rocket science, but it may take you some time to understand all the
> stuff involved. And a lot of testing.
> Eg: On *nix servers you must understand the meaning of all (well, actually
> most) permission bits for the directory and the files to judge if the
> session files are 'safely' stored.
>
> One thing that will surely NOT give you high security is implementing some
> script somebody in here throws at you, or you find on the net, without
> understanding what security means for eg network traffic, sessions, etc.
> Been there. :-/
>
> Sorry for the long teacher-like answer, I am just the kid next door, but I
> have been there (hacked sites).
>
> Good luck.
>
> Regards,
> Erwin Moller
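The two session issues raised in this thread, a visitor forcing his own session ID and a session being stolen, both have a standard defence in PHP's own session API. The snippet below is an added example written for this page, not code posted by either participant; the `users` table and its `id`, `username` and `password_hash` columns are assumptions.

```php
<?php
// Added example (not from the thread): hardening PHP session handling.

// Reject session IDs that PHP itself did not generate, so a client cannot
// "force" an ID of their choosing into the session store.
ini_set('session.use_strict_mode', '1');
// Carry the session ID only in a cookie, never in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// HttpOnly keeps page scripts from reading the cookie; Secure limits it to HTTPS,
// which is the only way to keep an eavesdropper from picking it off the wire.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Check credentials against the (assumed) users table and, on success,
 * swap the session ID so any ID known before login is worthless afterwards.
 */
function login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: user input never touches the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks hashes created with password_hash().
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Drop the pre-login ID (and its file) so a fixed or eavesdropped ID
    // cannot be reused once the session carries real privileges.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

/** Store a new member's password as a salted hash, never in clear text. */
function registerPassword(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}
```

The `session.save_path` permission question Erwin raises is not solved by code: check that the directory is readable only by the web server account, or point `save_path` at a directory owned by this site alone.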