Hello!
I want to make a login system as secure as possible on a website I develop.
* The user shall log on using a Username and a password (which is stored in a mySQL database)
* The server which I use to run my application has "register_globals" activated (set to "on"), so that has to be taken into consideration
* The system should be secure even if the user does not click "log out" when he is finished. (Users often just close the browser window)
* It is good if the system works even if cookies are not enabled on the client
How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?
Happy for suggestions and comments on this.
regards
ojorus
ojorus <oj****@hotmail.com> wrote in message news:40********@corp.newsgroups.com...
Use sessions and SSL
Complexity is the bane of security. Keep things simple--that's my
recommendation.
User "ojorus" <oj****@hotmail.com> wrote in message news:40********@corp.newsgroups.com...
ojorus wrote:
> I want to make a login system as secure as possible on a website I develop.
First step is to use SSL.
> * The user shall log on using a Username and a password (which is stored in a mySQL database)
Of course, never store the actual password, but some sort of hash of it.
> * The server which I use to run my application has "register_globals" activated (set to "on"), so that has to be taken into consideration
If the server is running apache, use a .htaccess file to turn them off:
php_flag register_globals off
> * The system should be secure even if the user does not click "log out" when he is finished. (Users often just close the browser window)
Use sessions with custom handlers to store the session data in a
database table. Set the following to be sure that all stale session
records are removed when they have expired:
session.gc_probability = 1
session.gc_divisor = 1
Then you can set your session timeout stuff according to your needs
(seconds):
session.gc_maxlifetime = 1440
> * It is good if the system works even if cookies are not enabled on the client
session.use_trans_sid = 1
> How can I make a login-system as secure as possible based on this? Do I have to use session-variables, or are there other ways?
If you want to do it without cookies, you'll need to use sessions, which
may be more secure anyway. That way there are no details kept on client
machine in cookies, making public computer use safer.
I have a system like this that I have used on quite a few sites over on
sourceforge. I haven't updated anything on it for a while, but that's
just because I haven't added any new features or have received any bug
reports. If you're interested, I believe the address is: http://www.sf.net/projects/phpsecurityadm
However, SF is undergoing maintenance right now, so you'd have to wait
for the site to come back up again. I'm no expert, but I haven't had any
complaints about the methods I use.
--
Justin Koivisto - sp**@koivi.com
"ojorus" <oj****@hotmail.com> wrote in message news:<40********@corp.newsgroups.com>...
http://martin.f2o.org/php/login
--
"Success = 10% sweat + 90% tears"
Email: rrjanbiah-at-Y!com
Just adding a note that should be addressed. Is your server shared or
dedicated? If it's dedicated you're fine. If it's shared, is PHP running
as an apache module? or a CGI with suexec or some kind of cgi wrapper?
If it's running as an apache module, which most do because of the
benefit of speed, you have a problem with logging into the mysql
database. It is no longer secure. Sure you may be able to write an
application that is secure from a web point of view but anyone with an
account on the server will be able to gain access to your database of
usernames and passwords.
Recap.
Is your server shared?
If yes, is PHP running as an apache module?
If yes, you've got a problem with security.
ry******@yahoo.com (Ryan Hubbard) wrote in news:ab*************************@posting.google.com:
> ... anyone with an account on the server will be able to gain access to your database of usernames and passwords.
Well, they won't be able to get the passwords if, as it should, the
database stores an MD5 or SHA1 hash of the password rather than the actual
password, and you could do the same thing for usernames if they're used
only for authentication rather than things like displaying lists of users.
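Justin's and Eric's point about storing only a hash of the password, as an added example (not code any poster wrote). It uses PHP's password_hash()/password_verify(), whose salted and deliberately slow bcrypt output is the stronger choice today than a bare MD5 or SHA1 digest; the table, DSN and credentials are placeholders:

```php
<?php
// Added example, not code from any poster: storing and checking a password hash
// with PDO prepared statements (no string-built SQL). Assumed (hypothetical) table:
//   users(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, pw_hash VARCHAR(255))
// password_hash() salts and slows the hash (bcrypt), unlike a bare MD5/SHA1 digest.

function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute([$username, $hash]);
}

// Returns the user id on success, null on failure. password_verify() runs even when
// the username is unknown, so response time does not reveal which usernames exist.
function check_login(PDO $db, string $username, string $password): ?int
{
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['pw_hash'] : $dummy;
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Usage (placeholder DSN/credentials); the session ID is regenerated on success.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER');
if (($uid = check_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) !== null) {
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
}
```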
Eric Bohlman <eb******@earthlink.net> wrote in message news:<Xn*******************************@130.133.1.17>...
Eric you have a very good point. The password, if stored in a one way
hash will be very difficult to crack if someone gains access to the
database. But please do not forget to ensure that your login
information to the database is secure. If you're on a shared server
running php as an apache module then there is no secure way to hold the
login information to the database without the information being
exposed to anyone with an account on the server. If PHP is installed
as a binary CGI then you're secure, if not use a CGI wrapper for php.