a secure log-in system

Hello!
I want to make a login system as secure as possible on a website I develop.
* The user shall log on using a Username and a password (which is stored in a mySQL database)
*The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into concideration
*The system should be secure even if the user do not click "log out" when he is finished. (Users often just close the browser window)
*It is good if the system works even if coockies are not enabled on the
client

How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?

Happy for suggestions and comments on this.

regards
ojorus

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

Hello!
I want to make a login system as secure as possible on a website I develop.
* The user shall log on using a Username and a password (which is stored in a mySQL database)
*The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into concideration
*The system should be secure even if the user do not click "log out" when he is finished. (Users often just close the browser window)
*It is good if the system works even if coockies are not enabled on the
client

How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?

Happy for suggestions and comments on this.

regards
ojorus

-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

I want to make a login system as secure as possible on a website I develop.
First step is to use SSL.
* The user shall log on using a Username and a password (which is stored in
a mySQL database)
Of course, never store the actual password, but some sort of hash of it.
*The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into concideration
If the server is running apache, use a .htaccess file to turn them off:

php_flag register_globals off
*The system should be secure even if the user do not click "log out" when he
is finished. (Users often just close the browser window)
Use sessions with custom handlers to store the session data in a
database table. Set the following to be sure that all stale session
records are removed when they have expired:

session.gc_probability = 1
session.gc_divisor = 1

Then you can set your session timeout stuff according to your needs
(seconds):

session.gc_maxlifetime = 1440
*It is good if the system works even if coockies are not enabled on the
client
session.use_trans_sid = 1
How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?

Hello!
I want to make a login system as secure as possible on a website I develop.

* The user shall log on using a Username and a password (which is stored in
a mySQL database)
*The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into concideration
*The system should be secure even if the user do not click "log out" when he
is finished. (Users often just close the browser window)
*It is good if the system works even if coockies are not enabled on the
client

How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?

Happy for suggestions and comments on this.

Just adding a note that should be addressed. Is you server shared or
dedicated? If its dedicated your fine. If its shared is PHP running
as an apache module? or a CGI with suexec or some kind of cgi wrapper?
If its running as an apache module which most do because of the
benefit of speed you have a problem with logging into the mysql
database. It is no longer secure. Sure you may be able to right an
application that is secure from a web point of view but anyone with an
account on the server will be able to gain access to your database of
usernames and passwords.

ry******@yahoo.com (Ryan Hubbard) wrote in
news:ab*************************@posting.google.co m:

Just adding a note that should be addressed. Is you server shared or
dedicated? If its dedicated your fine. If its shared is PHP running
as an apache module? or a CGI with suexec or some kind of cgi wrapper?
If its running as an apache module which most do because of the
benefit of speed you have a problem with logging into the mysql
database. It is no longer secure. Sure you may be able to right an
application that is secure from a web point of view but anyone with an
account on the server will be able to gain access to your database of
usernames and passwords.

Well, they won't be able to get the passwords if, as it should, the
database stores an MD5 or SHA1 hash of the password rather than the actual
password, and you could do the same thing for usernames if they're used
only for authentication rather than things like displaying lists of users.