a secure log-in system

Hello!
I want to make a login system as secure as possible on a website I develop.

* The user shall log on using a Username and a password (which is stored in
a MySQL database)
* The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into consideration
* The system should be secure even if the user does not click "log out" when he
is finished. (Users often just close the browser window)
* It is good if the system works even if cookies are not enabled on the
client

How can I make a login system as secure as possible based on this?
Do I have to use session variables, or are there other ways?

Happy for suggestions and comments on this.

regards
ojorus

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----
Jul 17 '05 #1

Use sessions and SSL
Jul 17 '05 #2
Complexity is the bane of security. Keep things simple--that's my
recommendation.

Jul 17 '05 #3
ojorus wrote:
I want to make a login system as secure as possible on a website I develop.
First step is to use SSL.
* The user shall log on using a Username and a password (which is stored in
a MySQL database)
Of course, never store the actual password, but some sort of hash of it.
* The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into consideration
If the server is running apache, use a .htaccess file to turn them off:

php_flag register_globals off
* The system should be secure even if the user does not click "log out" when he
is finished. (Users often just close the browser window)
Use sessions with custom handlers to store the session data in a
database table. Set the following to be sure that all stale session
records are removed when they have expired:

session.gc_probability = 1
session.gc_divisor = 1

Then you can set your session timeout stuff according to your needs
(seconds):

session.gc_maxlifetime = 1440
* It is good if the system works even if cookies are not enabled on the
client
session.use_trans_sid = 1
How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?


If you want to do it without cookies, you'll need to use sessions, which
may be more secure anyway. That way there are no details kept on client
machine in cookies, making public computer use safer.

I have a system like this that I have used on quite a few sites over on
sourceforge. I haven't updated anything on it for a while, but that's
just because I haven't added any new features or have received any bug
reports. If you're interested, I believe the address is:
http://www.sf.net/projects/phpsecurityadm

However, SF is undergoing maintenance right now, so you'd have to wait
for the site to come back up again. I'm no expert, but I haven't had any
complaints about the methods I use.

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.
Official Google SERPs SEO Competition: http://www.koivi.com/serps.php
Jul 17 '05 #4
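A database-backed session handler with server-side expiry, along the lines Justin describes, as an added example (not code from the thread or from phpsecurityadm). It assumes PHP 8.0 or later with PDO, and uses an in-memory SQLite table as a stand-in for the MySQL table; the idle timeout and gc settings are the ones quoted above.

```php
<?php
// Added example, not code from the thread or from phpsecurityadm: a database-
// backed session store with server-side expiry, so a session dies after the
// idle timeout even if the user never clicks "log out". Assumes PHP 8.0+ with
// PDO; the in-memory SQLite database is a stand-in for the MySQL table.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifetime)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions '
            . '(id TEXT PRIMARY KEY, data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // An expired record is treated as absent, so a stale id can never be resumed
    // even if the garbage collector has not run yet.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND last_seen > ?');
        $stmt->execute([$id, time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, last_seen) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    // Invoked by PHP with probability gc_probability/gc_divisor; 1/1 runs it on every request.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_seen <= ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '1');
ini_set('session.gc_maxlifetime', '1440');   // idle timeout in seconds (24 minutes)
$handler = new DbSessionHandler(new PDO('sqlite::memory:'), 1440);
session_set_save_handler($handler, true);    // must be called before session_start()
session_start();
```

Because read() already filters on last_seen, a closed browser window leaves a record that can never be resumed after the timeout, regardless of when gc() next runs.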
"ojorus" <oj****@hotmail.com> wrote in message news:<40********@corp.newsgroups.com>...
http://martin.f2o.org/php/login

--
"Success = 10% sweat + 90% tears"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #5
Just adding a note that should be addressed. Is your server shared or
dedicated? If it's dedicated you're fine. If it's shared, is PHP running
as an Apache module, or as a CGI with suexec or some kind of CGI wrapper?
If it's running as an Apache module, which most do because of the
benefit of speed, you have a problem with logging into the MySQL
database. It is no longer secure. Sure, you may be able to write an
application that is secure from a web point of view, but anyone with an
account on the server will be able to gain access to your database of
usernames and passwords.

Recap.
Is your server shared?
If yes, is PHP running as an Apache module?
If yes, you've got a problem with security.
Jul 17 '05 #6
ry******@yahoo.com (Ryan Hubbard) wrote in
news:ab*************************@posting.google.com:

Well, they won't be able to get the passwords if, as it should, the
database stores an MD5 or SHA1 hash of the password rather than the actual
password, and you could do the same thing for usernames if they're used
only for authentication rather than things like displaying lists of users.
Jul 17 '05 #7
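A password-storage and login check in the spirit of Eric's point, added here and not part of any post in the thread. It uses PHP's password_hash()/password_verify() (bcrypt) rather than a bare MD5/SHA1 digest, initialises its variables explicitly so register_globals cannot pre-set them, and the SQLite users table and sample account are constructed for the example:

```php
<?php
// Added example, not from the thread: store only a password hash and check a
// login without relying on register_globals. Uses password_hash()/
// password_verify() (bcrypt) rather than the bare MD5/SHA1 the thread mentions.
// Assumes PHP 7.0+ with PDO; the SQLite users table below is a constructed stand-in.
function create_user(PDO $db, string $username, string $password): void
{
    // password_hash() generates and embeds a per-user salt; the plaintext is never stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Explicit initialisation: with register_globals on, an uninitialised
    // $authorized could otherwise arrive pre-set from the request.
    $authorized = false;
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify(), against a dummy hash when the user is
    // unknown, so response time does not reveal which usernames exist.
    $hash = $row ? $row['pw_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (password_verify($password, $hash) && $row !== false) {
        $authorized = true;
    }
    return $authorized;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
create_user($db, 'alice', 'correct horse battery');   // constructed sample account

session_start();
// Read credentials from $_POST only, never from ambient (register_globals) variables.
if (check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    session_regenerate_id(true);   // fresh id after login defeats session fixation
    $_SESSION['user'] = $_POST['username'];
}
```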
Eric Bohlman <eb******@earthlink.net> wrote in message
news:<Xn*******************************@130.133.1.17>...

Eric, you have a very good point. The password, if stored in a one-way
hash, will be very difficult to crack if someone gains access to the
database. But please do not forget to ensure that your login
information to the database is secure. If you're on a shared server
running PHP as an Apache module then there is no secure way to hold the
login information to the database without the information being
exposed to anyone with an account on the server. If PHP is installed
as a binary CGI then you're secure; if not, use a CGI wrapper for PHP.

Jul 17 '05 #8
