Posted by shimmyshack on 03/30/07 08:50
On 30 Mar, 08:55, Geoff Berrow <blthe...@ckdog.co.uk> wrote:
> Message-ID: <460c3865$0$5814$4c368faf@roadrunner.com> from Ben contained
> the following:
>
> >First question is can someone direct me to a site or provide a sample code
> >for a login page that prompts for user/password then either displays a
> >message "Login Succeeded!" or "Login Failed!"
>
> The process is to take the supplied username and password and do a
> database query to see if there is a row containing that combination. Of
> course, this presupposes that you ensured that the combination was
> unique before storing in the database. If a row is found the log in is
> successful.
>
>
>
> >Second, how do I prevent users from bypassing the login? Session variable
> >right? Need instructions on how to implement that.
>
> On success a session variable is set. Each protected page needs code
> which will check for the presence of the session variable. Additionally
> or alternatively an expiring cookie may be set. Another way is to set a
> timestamp in the db and check that has not expired each time.
>
>
>
> >Lastly, what is the best, maybe I should word that differently, the most
> >commonly used method for login encryption? I would like the password text
> >physically in the DB to be encrypted text that is decrypted through the
> >login process.
>
> It's not usually decrypted; the hashes used are usually one way.
> Ideally the username and password are sent via an encrypted connection.
> The reason for encrypting the passwords in the database is simple so
> that the db admin does not know what they are. Passwords are encrypted
> using a hash function before insertion into the db. When the user tries
> to log in the hash function is used again and then the hashed version is
> compared with the one in the db.
>
> As others have pointed out, even supplying sample code will require a
> lot of hand holding and it may be a better idea to establish an off-list
> relationship with someone here.
> --
> Geoff Berrow (put thecat out to email)
> It's only Usenet, no one dies.
> My opinions, not the committee's, mine.
> Simple RFDs http://www.ckdog.co.uk/rfdmaker/
It is usually called "auth" as in implementing an auth login, here's a
link from the Zend website, it uses php5 techniques together with the
Zend Framework, which would make a good starting point if you like
Java, and will mean your code will likely have less insecurities in
it.
http://devzone.zend.com/node/view/id/1665
PHP suffers from a bad rep in that because it can be picked up and
copied and pasted by anyone (myself included) very bad and insecure
code often results. Using a framework helps, but as has been said, if
you make even one little mistake then your code is as wide open as if
you were a rookie, it is not really a 5 minute job as you have to
ensure that there is end to end security, in both directions, which
doesn't just mean "use SSL" and that there are no SQL/XSS injection
flaws, encoding/charset flaws, and a whole load of other
vulnerabilities, not just in the logic, but in the database
implementation (as has been said) eg. making sure you don't use the
same credentials table for one app as you do another unless you have
looked at the consequences thoroughly.
Once you have authenticated your user, your entire site must be
tighter than, or people can still leverage the slightest hole to get
access to others' info... it's all fun, no one here wants to make you
think you can just be given a walk through / code which will be
secure.
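The flow Geoff describes above (hash on store, hash again on login and compare, set a session variable on success, check it on every protected page), written out as an added example; this is not code from either poster or from the Zend article linked. It assumes an in-memory SQLite table as a stand-in for the real users table and PHP 5.5+ for password_hash()/password_verify().

```php
<?php
// Added example for this thread, not either poster's code. PDO with an
// in-memory SQLite table stands in for the real database (assumption);
// prepared statements keep the username out of the query text, and only a
// one-way salted hash of the password is ever stored.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register_user(PDO $db, string $username, string $password): void {
    // Store only the hash; the PRIMARY KEY guarantees one row per username.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function authenticate(PDO $db, string $username, string $password): bool {
    // Look the row up by username, then verify the supplied password against
    // the stored hash; the password itself never goes into the SQL.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same answer as a wrong password
    }
    return password_verify($password, $row['pw_hash']);
}

function login(PDO $db, string $username, string $password): string {
    if (authenticate($db, $username, $password)) {
        session_regenerate_id(true);      // fresh session id once authenticated
        $_SESSION['user'] = $username;    // the marker each protected page checks
        return 'Login Succeeded!';
    }
    return 'Login Failed!';
}

function require_login(): void {
    // Put this at the top of every protected page.
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
}

// Constructed demo; runs from the CLI as well as under a web server.
session_start();
register_user($db, 'alice', 'correct horse battery staple');
echo login($db, 'alice', 'wrong'), "\n";
echo login($db, 'alice', 'correct horse battery staple'), "\n";
```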