Bytes | Software Development & Data Engineering Community

a secure log-in system

Hello!
I want to make a login system as secure as possible on a website I develop.

* The user shall log on using a Username and a password (which is stored in
a MySQL database)
* The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into consideration
* The system should be secure even if the user does not click "log out" when he
is finished. (Users often just close the browser window)
* It is good if the system works even if cookies are not enabled on the
client

How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?

Happy for suggestions and comments on this.

regards
ojorus

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----
Jul 17 '05 #1
ojorus <oj****@hotmail.com> wrote in message
news:40********@corp.newsgroups.com...
Use sessions and SSL
Jul 17 '05 #2
Complexity is the bane of security. Keep things simple--that's my
recommendation.

User "ojorus" <oj****@hotmail.com> wrote in message
news:40********@corp.newsgroups.com...
Jul 17 '05 #3
ojorus wrote:
I want to make a login system as secure as possible on a website I develop.
First step is to use SSL.
* The user shall log on using a Username and a password (which is stored in
a MySQL database)
Of course, never store the actual password, but some sort of hash of it.
* The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into consideration
If the server is running Apache, use a .htaccess file to turn them off:

php_flag register_globals off
* The system should be secure even if the user does not click "log out" when he
is finished. (Users often just close the browser window)
Use sessions with custom handlers to store the session data in a
database table. Set the following to be sure that all stale session
records are removed when they have expired:

session.gc_probability = 1
session.gc_divisor = 1

Then you can set your session timeout stuff according to your needs
(seconds):

session.gc_maxlifetime = 1440
* It is good if the system works even if cookies are not enabled on the
client
session.use_trans_sid = 1
How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?


If you want to do it without cookies, you'll need to use sessions, which
may be more secure anyway. That way there are no details kept on client
machine in cookies, making public computer use safer.

I have a system like this that I have used on quite a few sites over on
sourceforge. I haven't updated anything on it for a while, but that's
just because I haven't added any new features or have received any bug
reports. If you're interested, I believe the address is:
http://www.sf.net/projects/phpsecurityadm

However, SF is undergoing maintenance right now, so you'd have to wait
for the site to come back up again. I'm no expert, but I haven't had any
complaints about the methods I use.

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.
Official Google SERPs SEO Competition: http://www.koivi.com/serps.php
Jul 17 '05 #4
"ojorus" <oj****@hotmail.com> wrote in message news:<40********@corp.newsgroups.com>...

http://martin.f2o.org/php/login

--
"Success = 10% sweat + 90% tears"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #5
Just adding a note that should be addressed. Is your server shared or
dedicated? If it's dedicated you're fine. If it's shared, is PHP running
as an Apache module, or as a CGI with suexec or some kind of CGI wrapper?
If it's running as an Apache module, which most do because of the
benefit of speed, you have a problem with logging into the MySQL
database. It is no longer secure. Sure, you may be able to write an
application that is secure from a web point of view, but anyone with an
account on the server will be able to gain access to your database of
usernames and passwords.

Recap.
Is your server shared?
If yes, is PHP running as an Apache module?
If yes, you've got a problem with security.
Jul 17 '05 #6
ry******@yahoo.com (Ryan Hubbard) wrote in
news:ab***********************@posting.google.com:
Well, they won't be able to get the passwords if, as it should, the
database stores an MD5 or SHA1 hash of the password rather than the actual
password, and you could do the same thing for usernames if they're used
only for authentication rather than things like displaying lists of users.
Jul 17 '05 #7
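Eric's point that a leaked users table should contain only hashes, carried out as an added example (not code from the thread). Instead of a bare MD5 or SHA1 digest it uses PHP's `password_hash()`, which adds a random per-user salt and a deliberately slow algorithm, so a copied table cannot be cracked with a precomputed digest table. It assumes PHP 8 with PDO and an in-memory SQLite table named `users`; the function names `storeUser` and `checkLogin` and the demo user are the example's own.

```php
<?php
// Added example, not from the thread: store only a password hash, and check
// a login attempt against it. Assumes PHP 8 with PDO; SQLite in memory keeps
// it self-contained, and the table and function names are the example's own.
declare(strict_types=1);

function storeUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random per-user salt and uses a slow
    // algorithm (bcrypt for PASSWORD_DEFAULT), so a leaked table cannot be
    // attacked with a precomputed MD5/SHA1 table.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)')
       ->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one password_verify(), against a dummy hash if the user is
    // unknown, so response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $row === false ? $dummyHash : $row['pw_hash'];

    $ok = password_verify($password, $hash) && $row !== false;

    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Transparently upgrade old hashes when the default cost or
        // algorithm changes; the plaintext is only available at login time.
        $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT),
                      ':u' => $username]);
    }
    return $ok;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
storeUser($db, 'alice', 'correct horse battery staple');

var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'correct horse battery staple'));
```

Eric's idea of also hashing the username only works if the login code hashes the submitted username the same way before the lookup, and it rules out any feature that needs the plain name (member lists, "welcome back, alice"), which is the condition he attaches to it.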
Eric Bohlman <eb******@earthlink.net> wrote in message
news:<Xn************************@130.133.1.17>...
Eric, you have a very good point. The password, if stored in a one-way
hash, will be very difficult to crack if someone gains access to the
database. But please do not forget to ensure that your login
information to the database is secure. If you're on a shared server
running PHP as an Apache module then there is no secure way to hold the
login information to the database without the information being
exposed to anyone with an account on the server. If PHP is installed
as a binary CGI then you're secure; if not, use a CGI wrapper for PHP.
Jul 17 '05 #8
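The shared-host problem Ryan raises in #6 and #8 comes down to two facts about the file that holds the database credentials: which OS user PHP runs as, and who can read the file. The check below reports both. It is an added example, not code from the thread; it assumes PHP 8 on a Unix-like system, and the function name `credentialFileExposure` and the throw-away demo file are the example's own.

```php
<?php
// Added example, not from the thread: report whether a file holding database
// credentials is readable by other accounts on the same host. Assumes PHP 8
// on a Unix-like system; the function name and the demo file are the
// example's own.
declare(strict_types=1);

function credentialFileExposure(string $path): array
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $path");
    }
    $mode = $perms & 0777;
    // "apache2handler" under mod_php, "cgi-fcgi" under CGI/FastCGI, "cli" here.
    $sapi = php_sapi_name();

    $reasons = [];
    if (str_starts_with($sapi, 'apache')) {
        // mod_php runs every vhost's scripts as the one Apache user, so any
        // file that user can read, every other customer's script can read.
        $reasons[] = 'PHP runs as an Apache module: all sites share one OS user';
    }
    if ($mode & 0004) {
        $reasons[] = 'file is world-readable';
    }
    if ($mode & 0040) {
        $reasons[] = 'file is group-readable';
    }
    return [
        'sapi'    => $sapi,
        'mode'    => sprintf('%04o', $mode),
        'exposed' => $reasons !== [],
        'reasons' => $reasons,
    ];
}

// Constructed demo: a throw-away credentials file under two permission sets.
$path = tempnam(sys_get_temp_dir(), 'dbcred');
file_put_contents($path, "<?php return ['user' => 'app', 'pass' => 'secret'];\n");

chmod($path, 0644);   // the common default: readable by everyone on the box
print_r(credentialFileExposure($path));

chmod($path, 0600);   // owner only: safe under suexec/CGI, still not under mod_php
print_r(credentialFileExposure($path));

unlink($path);
```

The permission bits only help when each customer's PHP runs as that customer, which is what suexec or a CGI wrapper gives you in the thread's terms; the modern equivalent is a PHP-FPM pool per site with its own user. Under mod_php a 0600 file is still readable, because the other customers' scripts run as the same Apache user that owns the process.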
