I'm wondering if anyone has any ideas on how to make a login site more secure. Since I'm not really sure if I've explained myself well enough and don't really know how else to say it, I'll just give examples and then you guys can follow suit and mention some oversights:
I have a regular logon: username and password. What it does is, when the user types in a name and pword, it forwards to another PHP page (a 'middleman' page that is there just to compare usernames and pwords), validates by checking the SQL database, then header forwards to the login page. A cookie is created, and voila, you're allowed into what we'll call the 'account pages'.

Now, here's my 'security' (notice the quotes):

1. You can't log in when the URL includes a username and/or a password (so that no one can make direct links).
2. Same with an account page: you're redirected to the login page if you include a username and pword when linking to an account page.
3. The 'middleman' page also has this protection: you can't directly link to it with a username and pword in the URL. Basically, users can't get into anything when they include a username and pword in the URL.
4. Obviously, you don't get access if your username and password don't match anything in the database (thought I'd mention it even though it goes without saying).
5. You can't login from a page that isn't on the server.

Are there any validation or security holes that I'm overlooking?

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
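As an added illustration (not the poster's code, and not a reply from the list), here is one way the 'middleman' page described above can be written so that the five checks fall out of the structure rather than from inspecting the URL: credentials are accepted only in a POST body, the "came from our own page" rule is enforced with a per-session form token instead of a referrer check, the database comparison uses a prepared statement and `password_verify()`, and the login state lives in a server-side session so the cookie carries only an opaque id. It assumes a PDO handle in `$pdo`, a `users` table with `id`, `username` and `password_hash` columns (hashes produced by `password_hash()`), and a login form posting `username`, `password` and `csrf_token`; all of those names are assumptions, not anything from the post.

```php
<?php
// Added example, not the original poster's code. Assumptions: $pdo is a
// connected PDO instance; table `users` has columns id, username,
// password_hash; the login form POSTs username, password, csrf_token.
declare(strict_types=1);

// Cookie flags: not readable by script, only over HTTPS, not sent cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Per-session form token; login.php embeds csrfToken() in a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Points 1-3 of the post, done structurally: credentials are only ever read
// from the POST body, and any attempt to pass them in the query string is
// bounced back to the login form.
function rejectCredentialsInUrl(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || isset($_GET['username']) || isset($_GET['password'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}

// Point 5 of the post: the Referer header is client-controlled and often
// absent, so instead require a token that only a form served by this
// session could contain. hash_equals() keeps the comparison constant-time.
function requireValidCsrfToken(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('Invalid form submission');
    }
}

// Point 4 of the post: compare with a prepared statement (no SQL assembled
// from user input) and password_verify() (no plaintext passwords stored).
// Returns the user id on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the username is unknown so the
    // response time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    if ($row !== false && password_verify($password, $hash)) {
        return (int) $row['id'];
    }
    return null;
}

// For the 'account pages': gate on the server-side session, never on a
// cookie value the browser could have made up.
function requireLogin(): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

rejectCredentialsInUrl();
requireValidCsrfToken();

$userId = authenticate(
    $pdo,
    (string) ($_POST['username'] ?? ''),
    (string) ($_POST['password'] ?? '')
);
if ($userId === null) {
    http_response_code(401);
    exit('Login failed');
}

// Rotate the session id on login so an id fixed before authentication cannot
// be reused, then record only the user id; the cookie holds an opaque id.
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
header('Location: /account.php', true, 303);
exit;
```

The main difference from the flow in the post is what the cookie contains: if the cookie created after login holds the username (or anything else a browser can edit), the account pages are trusting the client; with `$_SESSION['user_id']` the cookie is just a random session id and the account pages call `requireLogin()` instead of looking for credentials in the URL.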