Posted by Erwin Moller on 01/05/07 12:44

knal wrote:

> Hi there,
>
> I'm looking for a secure login script for a sort-of-community site...
> (PHP, MySQL, sessions, or maybe something else ... )
> I know there are a lot of scripts out there, but none of them really
> seem secure, or have other kinds of flaws (like IP-based login etc.).
>
> Why I'm asking here is because there's experience out there, and I
> hope experience can tell me what my best shot is. I'm aware that I will
> very probably have to make some concessions ...
> I'm not a PHP-er, but I have some PHP experience ...
>
> Thanks a lot.
>
> Knal.

Hi,

Define 'secure login' better.
What do you want to secure?

To name a few:
1) Network traffic eavesdropper:
Are you afraid somebody is listening to the internet traffic and sees the
username/password?
If so, use https instead of http.

2) Are you afraid somebody goes to restricted pages?
Use a session, or use directory access (e.g. .htaccess).

3) Are you afraid somebody can steal a session of somebody else?
Make sure you understand HOW your PHP installation handles sessions.
E.g. (default): is it storing the sessions in files in a common
temp directory?
Then wonder if anybody else on the same machine (the server) can see them
and access them.
(PHP session files are stored with the session id in the filename, so anybody
who can get a listing of all files in the session directory can steal all
sessions.)

While sessions are incredibly useful, they also pose a possible
security risk if you do not understand how they work.
The better you understand how sessions work, the better you can think up how
to break them yourself.
Knowledge = power here.

It is good you care about security, but if you seriously want to secure your
site more, you MUST dive into the details and get a grip on the matter.
It is not rocket science, but it may take you some time to understand all the
stuff involved. And a lot of testing.
E.g.: on *nix servers you must understand the meaning of all (well, actually
most) permission bits for the directory and the files to judge if the
session files are 'safely' stored.

One thing that will surely NOT give you high security is implementing some
script somebody in here throws at you, or you find on the net, without
understanding what security means for e.g. network traffic, sessions, etc.
Been there. :-/

Sorry for the long teacher-like answer, I am just the kid next door, but I
have been there (hacked sites).

Good luck.

Regards,
Erwin Moller
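As an added illustration of Erwin's three points (it is not code from the thread, and Erwin posted none), here is a small PHP session bootstrap that checks the session directory is private before using it, sends the session cookie only over https, and issues a fresh session id at login. The directory path `/var/lib/php/sessions-myapp` and the function names are assumptions for the example; the PHP functions used (`fileperms`, `session_save_path`, `session_set_cookie_params` with an options array, `session_regenerate_id`) are standard, the array form of `session_set_cookie_params` needing PHP 7.3 or later.

```php
<?php
// Added example, not from the original post. Assumes a private session
// directory (created by the administrator) owned by the web server user with
// mode 0700, so no other account on the server can list the session files.
declare(strict_types=1);

const SESSION_DIR = '/var/lib/php/sessions-myapp'; // assumed path

// Point 3: PHP names each session file after the session id, so the directory
// must not be listable or readable by group/other. Returns true only when the
// "group" and "other" permission bits are all clear.
function sessionDirIsPrivate(string $dir): bool
{
    if (!is_dir($dir)) {
        return false;
    }
    $mode = fileperms($dir) & 0777;
    return ($mode & 0077) === 0;
}

function startHardenedSession(): void
{
    if (!sessionDirIsPrivate(SESSION_DIR)) {
        // Refuse to run on a shared /tmp-style directory rather than leak ids.
        throw new RuntimeException('session directory ' . SESSION_DIR . ' is not private');
    }
    ini_set('session.save_handler', 'files');
    session_save_path(SESSION_DIR);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // point 1: cookie travels only over https
        'httponly' => true,   // not readable from client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the username/password check has succeeded. Regenerating the id
// (and deleting the old file) means an id captured before login is useless.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Point 2: put this at the top of every restricted page.
function requireLogin(): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Typical use on a restricted page:
// startHardenedSession();
// $uid = requireLogin();
```

The permission check is the programmatic form of Erwin's advice to understand the permission bits: if `ls -ld` on the session directory shows anything but `drwx------`, every session id on the box is exposed to the other accounts, and no amount of login-form cleverness compensates for that.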
