
Secure login tutorial

Hi there,

I'm looking for a secure login script for a sort-of-community site...
(PHP, MySQL, sessions, or maybe something else ... )
I know there are a lot of scripts out there, but none of them really
seem secure, or have other kinds of flaws (like IP based login etc.).

Why I'm asking here is because there's experience out there, and I
hope experience can tell me what my best shot is. I'm aware that I will
very probably have to do some concessions ...
I'm not a PHP-er, but I have some PHP experience ...

Thanks a lot.

Knal.

Jan 5 '07 #1
knal wrote:
> Hi there,
>
> I'm looking for a secure login script for a sort-of-community site...
> (PHP, MySQL, sessions, or maybe something else ... )
> I know there are a lot of scripts out there, but none of them really
> seem secure, or have other kinds of flaws (like IP based login etc.).

Hi,

What's your understanding of secure in this case?

> ...
>
> Thanks a lot.
>
> Knal.

Regards
Stefan
Jan 5 '07 #2
I'd like to keep out unwanted guests. Members that have registered
(stored in MySQL DB) are allowed to login with usern/passw.
Along with that an admin-level is stored which tells the site how much
rights the user has.

I know I can manage the login via sessions, but I've read that sessions
alone aren't secure. (Users can even "manually" force their own Session id).
I don't really know how else to explain what I mean with "secure".

Thanks.
Jan 5 '07 #3
knal wrote:
> Hi there,
>
> I'm looking for a secure login script for a sort-of-community site...
> (PHP, MySQL, sessions, or maybe something else ... )
> I know there are a lot of scripts out there, but none of them really
> seem secure, or have other kinds of flaws (like IP based login etc.).
>
> Why I'm asking here is because there's experience out there, and I
> hope experience can tell me what my best shot is. I'm aware that I will
> very probably have to do some concessions ...
> I'm not a PHP-er, but I have some PHP experience ...
>
> Thanks a lot.
>
> Knal.
Hi,

Define 'secure login' better.
What do you want to secure?

To name a few:
1) Network traffic eavesdropper:
Are you afraid somebody is listening to the internet traffic and sees the
username/password?
If so, use https instead of http.

2) Are you afraid somebody goes to restricted pages?
Use a session, or use directory access control (e.g. .htaccess).

3) Are you afraid somebody can steal a session of somebody else?
Make sure you understand HOW your PHP installation handles sessions.
E.g.: (default) Is it storing the sessions in files in a common
temp directory?
Then wonder if anybody else on the same machine (the server) can see them
and access them.
(PHP session files are stored with the session id in the filename, so anybody
who can get a listing of all files in the session directory can steal all
sessions.)

While sessions are incredibly useful, they also pose a possible
security risk if you do not understand how they work.
The better you understand how sessions work, the better you can think up how
to break them yourself.
Knowledge = power here.

It is good you care about security, but if you seriously want to secure your
site more, you MUST dive into the details and get a grip on the matter.
It is not rocket science, but it may take you some time to understand all the
stuff involved. And a lot of testing.
E.g.: On *nix servers you must understand the meaning of all (well, actually
most) permission bits for the directory and the files to judge if the
session files are 'safely' stored.

One thing that will surely NOT give you high security is implementing some
script somebody in here throws at you, or you find on the net, without
understanding what security means for e.g. network traffic, sessions, etc.
Been there. :-/

Sorry for the long teacher-like answer, I am just the kid next door, but I
have been there (hacked sites).

Good luck.

Regards,
Erwin Moller
Jan 5 '07 #4
Thanks Erwin,

I don't mind the teacher-like answer, it's good that you emphasize the
importance of understanding the right things in the right way. I've
(tried to) read a lot on this subject, but most of it was PHP-docs.

The security part: I'm "afraid" of points one and two:
1 - if someone listens to my traffic, what use is it to try to secure
anything? (passw, usern. could easily be picked from the traffic)
2 - why would I want to secure something, if I have nothing to
restrict?

Anyway, when it comes to HTTPS, I know there are a lot of community
sites out there, and I've never encountered one that managed its
member profiles etc. via https (this far, only my bank does ;) ).

I'm not afraid of the third "argument", but I read up on some other
method where the visitor forces his own Session ID, which replaces the
generated one. This means he can put in there (in the session info)
whatever he likes.

It's difficult to describe the kind of security tightness I'm looking
for, since I don't know what "levels" of security there are out there.
Of course I'd like to keep hackers out, but I doubt if that's possible.
I'm hoping for a script that I can implement in a site that I'm at the
base of now, but also use it on sites in the future.

Users, passes etc. would "have to be" in a MySQL DB, since I don't want
to manually add every new member to a .htaccess file.

I hope this clears things up ..

Thanks for the help so far!

Jan 5 '07 #5
knal wrote:
> I'd like to keep out unwanted guests. Members that have registered
> (stored in MySQL DB) are allowed to login with usern/passw.
> Along with that an admin-level is stored which tells the site how much
> rights the user has.
>
> I know I can manage the login via sessions, but I've read that sessions
> alone aren't secure. (Users can even "manually" force their own
> Session id). I don't really know how else to explain what I mean
> with "secure".
So basically, "secure" as in "trusted".

I've created a method that stores the user's IP address and user agent
string in session variables. Users behind the same public IP address as
the original user may be able to forge the session ID, though.
http://dev.bd0.net/test/sessions_trusted.phps

--
Kim André Akerø
- ki******@NOSPAM betadome.com
(remove NOSPAM to contact me directly)
Jan 5 '07 #6
.oO(knal)
> The security part: I'm "afraid" of points one and two:
> 1 - if someone listens to my traffic, what use is it to try to secure
> anything? (passw, usern. could easily be picked from the traffic)

That's what SSL (HTTPS) is for.

> I'm not afraid of the third "argument", but I read up on some other
> method where the visitor forces his own Session ID, which replaces the
> generated one. This means he can put in there (in the session info)
> whatever he likes.

That's not possible. Manipulating the data that's stored in the session
would only be possible if you made really bad errors in your script. The
session data is stored on the server and can't be accessed directly from
the client side. Of course a user can fake his session ID, but that's
not really a problem - he just gets a new and fresh session. Trying to
guess another user's session ID in order to hijack it can be considered
impossible, unless you use network sniffing or some other dirty tricks.

Micha
Jan 5 '07 #7
In article <11**********************@v33g2000cwv.googlegroups.com>,
kn******@gmail.com (knal) wrote:
> Users, passes etc. would "have to be" in a MySQL DB, since I don't want
> to manually add every new member to a .htaccess file.
In that case one thing you *must* block is a "sql injection attack". If
you don't already know about this please google for it, there's a lot of
information out there.

Almost every example login script ignores it. It can give an attacker
complete control of your database, and in extreme cases the ability to run
arbitrary system commands.

--
To reply email rafe, at the address cix co uk
Jan 5 '07 #8
I'm aware of the SQL-injection danger. But by using
mysql_real_escape_string() in all queries (on which the visitor has any
influence) I should be safe AFAIK ...

Thanks for the mention.

Jan 5 '07 #9
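As an added example (not code from the thread or from any poster), this is how the login lookup Rafe and knal discuss can be made immune to injection by construction, using bound parameters rather than escaping, together with proper password hashing. It assumes PHP >= 7.4, PDO with the MySQL driver, placeholder credentials, and a hypothetical table `members(id, username, password_hash, admin_level)` whose `password_hash` column holds `password_hash()` output.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.4, PDO with the MySQL
// driver, and a hypothetical table members(id, username, password_hash, admin_level).
declare(strict_types=1);

function db(): PDO
{
    // Emulated prepares off: placeholders are bound by the MySQL server, so a
    // crafted username can never change the query's structure.
    return new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4',
        'app_user',          // placeholder credentials, not real ones
        'CHANGE-ME',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// The pattern the thread warns about, shown only for contrast (do not use):
//   "SELECT ... WHERE username = '" . mysql_real_escape_string($u) . "' AND id = " . $id
// The escape call protects only the quoted literal; the unquoted $id is still
// interpolated raw, and the mysql_* extension itself was removed in PHP 7.

// Returns ['id' => int, 'admin_level' => int] on success, null on failure.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, admin_level FROM members WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $stored = $row['password_hash'] ?? $dummy;

    if (!password_verify($password, $stored) || $row === false) {
        return null;
    }

    // Transparently upgrade stored hashes when the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE members SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return ['id' => (int) $row['id'], 'admin_level' => (int) $row['admin_level']];
}
```

The returned `admin_level` is what the site would store in the session to decide which pages a member may reach.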
Michael Fesser wrote:
> .oO(knal)
>
>> The security part: I'm "afraid" of points one and two:
>> 1 - if someone listens to my traffic, what use is it to try to secure
>> anything? (passw, usern. could easily be picked from the traffic)
>
> That's what SSL (HTTPS) is for.
>
>> I'm not afraid of the third "argument", but I read up on some other
>> method where the visitor forces his own Session ID, which replaces the
>> generated one. This means he can put in there (in the session info)
>> whatever he likes.
>
> That's not possible.

Hi Misha,

I think he is referring to 'session fixation' when he writes about 'forcing a
session id on another user'.

A link on php.net is provided on:
http://nl3.php.net/manual/en/ref.session.php
under the chapter 'Sessions and security'.

Regards,
Erwin Moller

> Manipulating the data that's stored in the session
> would only be possible if you made really bad errors in your script. The
> session data is stored on the server and can't be accessed directly from
> the client side. Of course a user can fake his session ID, but that's
> not really a problem - he just gets a new and fresh session. Trying to
> guess another user's session ID in order to hijack it can be considered
> impossible, unless you use network sniffing or some other dirty tricks.
>
> Micha
Jan 5 '07 #10
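As an added example (not code from the thread or from any poster), the session handling below ties together the points raised by Erwin (HTTPS, server-side gating, where session files live), Kim (binding the session to client attributes) and Erwin's pointer to session fixation. It assumes PHP >= 7.3, a site served over HTTPS, and a hypothetical private directory `/var/lib/site/sessions` owned by the web server user with mode 0700.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.3, a site served over
// HTTPS, and a hypothetical private directory /var/lib/site/sessions that
// exists with mode 0700, owned by the web server user.
declare(strict_types=1);

function start_hardened_session(): void
{
    // Erwin's point 3: keep session files out of the shared temp directory so
    // other accounts on the host cannot list the file names and read the IDs.
    session_save_path('/var/lib/site/sessions');

    // Session fixation: in strict mode PHP refuses an ID it did not issue and
    // hands out a fresh one, so a client cannot pick its own session ID.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // Erwin's point 1: cookie travels only over HTTPS
        'httponly' => true,   // not readable by client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the username/password check succeeded. Swapping the ID here
// makes any ID planted before login worthless afterwards.
function login_user(int $userId, int $adminLevel): void
{
    session_regenerate_id(true);   // true: also remove the old session file
    $_SESSION = [];                // drop anything written before authentication
    $_SESSION['user_id']     = $userId;
    $_SESSION['admin_level'] = $adminLevel;
    // Kim's approach, reduced to the User-Agent: the IP is left out because users
    // behind one NAT share it and mobile clients change it mid-session.
    $_SESSION['ua_hash']     = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Erwin's point 2: gate restricted pages on the server side. Returns the session
// data on success; otherwise ends the session and redirects to the login page.
function require_login(int $minAdminLevel = 0): array
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $ok = isset($_SESSION['user_id'], $_SESSION['ua_hash'])
        && hash_equals($_SESSION['ua_hash'], $ua)
        && ($_SESSION['admin_level'] ?? -1) >= $minAdminLevel;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php', true, 303);
        exit;
    }
    return $_SESSION;
}
```

`start_hardened_session()` runs at the top of every page, `login_user()` once after the credential check succeeds, and `require_login(1)` guards pages that need an admin level of at least 1.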
