Posted by Colin McKinnon on 11/16/13 11:28
Marcus wrote:
> Hello,
>
> Currently all of my php pages use SSL, not just my initial login.
> Originally I thought this would be more secure, but after thinking about
> things and looking at sites like Amazon and Gmail, they all SSL the
> login scripts and then use regular http for everything else, which I'm
> sure speeds things up without the encrypt/decrypt process.
>
Keeping things constantly under SSL is a good idea.
You should also discard the current session and create a new one (perhaps
copying data from the old session) when presented with login information,
to avoid session fixation.
A few caveats are to make sure that you maintain the patches on your SSL
config, and preferably run the SSL remote from the webserver (even in a
chroot stunnel). It's also handy to run an asymmetric encryption program
with only one of the key pair on the server to log information securely.
>
> Lastly, I was also wondering if it matters that I use mysql_connect() on
> every page in the event I do not SSL every page... please correct me if
> I am wrong, but since it resides on the server, I don't *think* the
> database password, which is stored in the php file in plain text, should
> ever actually be transported across the network. I have not been able
> to confirm this however.
>
If it is connecting locally, the password will not be visible from the
network (this connection is quite separate from the connection between user
and webserver - so it makes no difference if that is encapsulated or not).
HTH
C.
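The session-replacement step recommended in the reply above, written out as an added PHP example (it is not code from the thread or from either poster). It assumes the whole site is served over HTTPS, uses a single demo user record constructed inline, and carries only a `cart` key across the login boundary; those names are illustrative, not anything the thread specifies.

```php
<?php
// Added example, not from the original thread: a login handler that throws
// away the session presented with the credentials and starts a fresh one,
// copying over selected data, so a session ID fixed by a third party before
// login never becomes an authenticated session.
// Assumptions: the site runs entirely over HTTPS (as the reply advises),
// and the user record below is a constructed demo value.

declare(strict_types=1);

// Cookie flags: send the session cookie only over TLS, hide it from script
// access, and limit cross-site sending. Must be set before session_start().
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed demo credential store: username => password hash.
$users = [
    'marcus' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

/**
 * Replace the current session with a brand-new ID, keeping only the keys
 * the application wants to survive the login boundary.
 *
 * @param string[] $keep session keys to copy into the new session
 */
function start_fresh_session(array $keep): void
{
    $carry = [];
    foreach ($keep as $k) {
        if (array_key_exists($k, $_SESSION)) {
            $carry[$k] = $_SESSION[$k];
        }
    }

    // Empty the old (possibly attacker-chosen) session, then issue a new ID
    // and delete the old session record on the server.
    $_SESSION = [];
    session_regenerate_id(true);

    $_SESSION = $carry;
}

/**
 * Verify credentials and, on success, switch to a fresh session.
 */
function login(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }

    // Keep a pre-login shopping cart (hypothetical key); drop everything else.
    start_fresh_session(['cart']);

    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Usage inside a login.php that handles the POSTed form.
$u = $_POST['username'] ?? '';
$p = $_POST['password'] ?? '';
if ($u !== '' && login($u, $p, $users)) {
    header('Location: /account.php');
    exit;
}
```

The important ordering is that `$_SESSION` is cleared before `session_regenerate_id(true)` is called: the new ID then starts from nothing, the old record is removed, and only the explicitly whitelisted keys are put back, so data written under the pre-login ID cannot follow the user into the authenticated session.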