Re: [PHP-DB] Safe / Secure Login Script

2004-10-05 Thread Gavin Amm
Sorry, I always forget to reply all...
Original message below...

-Original Message-
From: Gavin Amm 
Sent: Tuesday, 5 October 2004 3:55 PM
Subject: RE: [PHP-DB] Safe / Secure Login Script


1. Personal preference, but you may find sessions a better option (does
not store user data (like passwords) on workstation) -
http://au2.php.net/manual/en/ref.session.php

2. In MySQL you can use the BINARY keyword to tighten the password
string comparison.

3. In addition, if you're not already using one, you could use an SSL
connection to further tighten security & prevent passwords from being
transmitted in clear text.

Cheers,
Gav


-Original Message-
From: Wendell Frohwein [mailto:[EMAIL PROTECTED] 
Sent: Monday, 4 October 2004 6:11 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Safe / Secure Login Script


I have been writing php code for about 2 years now. I have a login
script that I have written for my clients. I just would like to know if
there is a better / safer way of logging people into websites. This is
my current method.
 
1.) Username and Password are entered in an html / php form using
field names user, pass and submit button named do_login.
2.) Form is submitted to the same page (PHP_SELF).
3.) Login script is triggered by $_POST["do_login"].
4.) Form is validated to make sure the fields "user" and "pass" are
not empty.
5.) Password is then encrypted using base64_encode()
6.) MySql Select Statement To find $_POST["user"].
7.) If found, Verify that $result["pass"] ===
base64_encode($_POST["pass"]).
8.) If No username is found, Message is sent to end user stating
username does not exist.
9.) If $result["pass"] === base64_encode($_POST["pass"]) send user
to a page called wait.php
10.) At wait.php, a cookie is set containing the user id, user name, and
encrypted pass.
11.) Wait.php contains a (<meta http-equiv="refresh" content="5;URL=//welcome.php">) meta tag which directs
user to directory
12.) Inside $dir, there is a script called validate.php which is
included inside header.php. So the script actions of validate.php tag
along with every page.
13.) This function makes sure you have a cookie set with the names
"user_id", "user_name", "user_pass".
14.) It then validates this information through MySQL.
15.) If the information is sound, user is allowed to browse that page
and/or do whatever they are supposed to be doing in that directory.
16.) If the information is not sound, user is redirected to the home
page using header("Location: http://some_domain/some_file.php");



This works great for me, but I want to perfect it. If anyone out there
knows any better way to login, validate a user and so on. Please let me
know
 
 
Thanks a lot people.
 
 
-Wendell Frohwein

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

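Gavin's three points put together in one login handler, as an added example (not Wendell's script and not code posted in the thread). It assumes a table users(id, username, pass_hash) in which pass_hash holds a password_hash() value instead of the base64 string of step 5, the PDO DSN and credentials shown, and a members-area URL; all of those names are assumptions. password_hash()/password_verify() and the array form of session_set_cookie_params() post-date this 2004 thread (PHP 5.5 and 7.3 respectively), but the structure is the same one Gavin describes: server-side session, password kept out of the SQL comparison, cookie bound to the SSL connection.

```php
<?php
// Added example (not Wendell's script, not code from the thread): a login
// handler built on PHP sessions. Assumed: table users(id, username, pass_hash)
// where pass_hash holds a password_hash() value, and the PDO DSN/credentials
// below. Needs PHP 7.3+ for the array form of session_set_cookie_params().
declare(strict_types=1);

// Point 1 (sessions) and point 3 (SSL): the browser only ever holds an opaque
// session id; 'secure' => true keeps that id off plain-HTTP connections and
// 'httponly' keeps page scripts from reading it. Must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'db-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function login(PDO $pdo, string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false;
    }
    // Point 2 (BINARY): MySQL's default collations compare case-insensitively,
    // so without BINARY 'Admin' and 'admin' select the same row. The password
    // is never part of the WHERE clause; it is checked in PHP against the hash.
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM users WHERE BINARY username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One answer for "no such user" and "wrong password": step 8 of the
    // original flow tells a visitor which usernames exist.
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }

    // New id on login, so a session id planted before authentication
    // (session fixation) is not promoted to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['user_name'] = $user;
    $_SESSION['last_seen'] = time();
    return true;   // nothing password-derived is stored client-side
}

if (isset($_POST['do_login'])) {
    $ok = login($pdo, (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''));
    if ($ok) {
        header('Location: https://some_domain/members/welcome.php'); // assumed target
        exit;
    }
    $error = 'Invalid username or password.';
}
```

The wait.php/meta-refresh hop of steps 9 to 11 disappears: the session is established in the same request that verified the password, and the redirect goes straight to the protected directory.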


Re: [PHP-DB] Safe / Secure Login Script

2004-10-05 Thread Brian
You should definitely not set a cookie containing the encrypted
password; anyone that's able to grab that cookie can set to work brute
forcing the password.


On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein
<[EMAIL PROTECTED]> wrote:
> I have been writing php code for about 2 years now. I have a login
> script that I have written for my clients. I just would like to know if
> there is a better / safer way of logging people into websites. This is
> my current method.
> 
> 1.) Username and Password are entered in an html / php form using
> field names user, pass and submit button named do_login.
> 2.) Form is submitted to the same page (PHP_SELF).
> 3.) Login script is triggered by $_POST["do_login"].
> 4.) Form is validated to make sure the fields "user" and "pass" are
> not empty.
> 5.) Password is then encrypted using base64_encode()
> 6.) MySql Select Statement To find $_POST["user"].
> 7.) If found, Verify that $result["pass"] ===
> base64_encode($_POST["pass"]).
> 8.) If No username is found, Message is sent to end user stating
> username does not exist.
> 9.) If $result["pass"] === base64_encode($_POST["pass"]) send user
> to a page called wait.php
> 10.) At wait.php, a cookie is set containing the user id, user name, and
> encrypted pass.
> 11.) Wait.php contains a (<meta http-equiv="refresh" content="5;URL=//welcome.php">) meta tag which directs
> user to directory
> 12.) Inside $dir, there is a script called validate.php which is
> included inside header.php. So the script actions of validate.php tag
> along with every page.
> 13.) This function makes sure you have a cookie set with the names
> "user_id", "user_name", "user_pass".
> 14.) It then validates this information through MySQL.
> 15.) If the information is sound, user is allowed to browse that page
> and/or do whatever they are supposed to be doing in that directory.
> 16.) If the information is not sound, user is redirected to the home
> page using header("Location: http://some_domain/some_file.php");
> 
> This works great for me, but I want to perfect it. If anyone out there
> knows any better way to login, validate a user and so on. Please let me
> know
> 
> Thanks a lot people.
> 
> 
> -Wendell Frohwein
> 
>


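To make Brian's point concrete, an added example that is not code from the thread: the step-10 cookie holds base64_encode($pass), and base64 is an encoding rather than encryption, so no brute forcing is needed; base64_decode() returns the password directly. The same applies to the pass column the login compares against, so a copy of the table is a copy of every password. The second half is a one-off migration of that column to password_hash() values. The cookie value is constructed (it is the base64 of the word "hunter2"), and the users(id, pass, pass_hash) layout and the $pdo connection are assumptions.

```php
<?php
// Added example, not from the thread. The cookie below is constructed for
// illustration (user_pass is base64 of the word "hunter2"); users(id, pass,
// pass_hash) and the $pdo connection are assumed.
declare(strict_types=1);

// What anyone holding a copy of the step-10 cookie gets: base64 is an
// encoding, so the password comes straight back out.
$capturedCookie = [
    'user_id'   => '42',
    'user_name' => 'wendell',
    'user_pass' => 'aHVudGVyMg==',
];

function recoverPassword(string $userPassCookie): string
{
    $plain = base64_decode($userPassCookie, true);   // strict: reject non-base64
    if ($plain === false) {
        throw new InvalidArgumentException('cookie value is not base64');
    }
    return $plain;
}

$password = recoverPassword($capturedCookie['user_pass']);
// $password now holds the account's real password; the same decode works on
// every row of a users table whose pass column stores base64_encode($pass).

// One-off migration: replace the base64 column with password_hash() values.
// Assumed schema change first: ALTER TABLE users ADD COLUMN pass_hash VARCHAR(255) NULL;
function migratePasswords(PDO $pdo): int
{
    $select = $pdo->query('SELECT id, pass FROM users WHERE pass_hash IS NULL');
    $update = $pdo->prepare('UPDATE users SET pass_hash = ?, pass = NULL WHERE id = ?');
    $done = 0;
    foreach ($select as $row) {
        $plain = base64_decode((string) $row['pass'], true);
        if ($plain === false) {
            continue;   // unreadable row: force a password reset instead
        }
        // bcrypt with a per-user salt: a table dump now costs the attacker a
        // guess per hash instead of a decode per row.
        $update->execute([password_hash($plain, PASSWORD_DEFAULT), $row['id']]);
        $done++;
    }
    return $done;
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'db-password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$migrated = migratePasswords($pdo);
```

Run the migration once, offline, and switch the login to password_verify() against pass_hash at the same time; after that the base64 column is gone and neither the table nor any cookie carries something a password can be read out of.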


Re: [PHP-DB] Safe / Secure Login Script

2004-10-04 Thread Andrew Kreps
On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein
<[EMAIL PROTECTED]> wrote:
> 10.) At wait.php, a cookie is set containing the user id, user name, and
> encrypted pass.

I don't know that I would set a cookie containing such easily
identifiable information, especially if the user name is cleartext. 
If your application is deciding whether or not your user is logged in
based on that cookie alone, I could see the potential for a hacker to
sniff it and use it to their advantage.  Just changing the names of
the variables to something a little more vague would help.

A few days ago on the php-general list, Chris Shiflett posted some
links to an article of his that addresses secure session validation,
you might want to have a look at it.  The name of the thread is
Session Variable Security.




[PHP-DB] Safe / Secure Login Script

2004-10-03 Thread Wendell Frohwein
I have been writing php code for about 2 years now. I have a login
script that I have written for my clients. I just would like to know if
there is a better / safer way of logging people into websites. This is
my current method.
 
1.) Username and Password are entered in an html / php form using
field names user, pass and submit button named do_login.
2.) Form is submitted to the same page (PHP_SELF).
3.) Login script is triggered by $_POST["do_login"].
4.) Form is validated to make sure the fields "user" and "pass" are
not empty.
5.) Password is then encrypted using base64_encode()
6.) MySql Select Statement To find $_POST["user"].
7.) If found, Verify that $result["pass"] ===
base64_encode($_POST["pass"]).
8.) If No username is found, Message is sent to end user stating
username does not exist.
9.) If $result["pass"] === base64_encode($_POST["pass"]) send user
to a page called wait.php
10.) At wait.php, a cookie is set containing the user id, user name, and
encrypted pass.
11.) Wait.php contains a (<meta http-equiv="refresh" content="5;URL=//welcome.php">) meta tag which directs
user to directory
12.) Inside $dir, there is a script called validate.php which is
included inside header.php. So the script actions of validate.php tag
along with every page.
13.) This function makes sure you have a cookie set with the names
"user_id", "user_name", "user_pass".
14.) It then validates this information through MySQL.
15.) If the information is sound, user is allowed to browse that page
and/or do whatever they are supposed to be doing in that directory.
16.) If the information is not sound, user is redirected to the home
page using header("Location: http://some_domain/some_file.php");



This works great for me, but I want to perfect it. If anyone out there
knows any better way to login, validate a user and so on. Please let me
know
 
 
Thanks a lot people.
 
 
-Wendell Frohwein
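Steps 12 to 16 of the post above as an added example, not Wendell's validate.php: the include that header.php pulls into every protected page checks the server-side session rather than the three cookies of step 13, enforces an idle timeout, clears the session when the check fails, and exits after the redirect so the protected page is not rendered anyway. The idle limit and the members directory are assumptions; the home-page URL is the one in step 16. It expects the login step to have stored $_SESSION['user_id'].

```php
<?php
// Added example: session-based replacement for the validate.php of steps
// 12-16. Include it from header.php so every protected page runs it first.
// IDLE_LIMIT is an assumed policy; HOME_URL is the URL from step 16.
declare(strict_types=1);

const IDLE_LIMIT = 15 * 60;                            // seconds of inactivity before re-login
const HOME_URL   = 'http://some_domain/some_file.php'; // step 16's redirect target

// Same cookie parameters as at login, so the id stays on SSL and out of scripts.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

function currentUserId(array &$session, int $now): ?int
{
    // Nothing about the user is read from $_COOKIE. The cookie carries only
    // the opaque session id; user_id lives on the server and was written by
    // the login step after password verification.
    if (!isset($session['user_id'])) {
        return null;
    }
    $lastSeen = (int) ($session['last_seen'] ?? $now);
    if ($now - $lastSeen > IDLE_LIMIT) {
        return null;                 // idle too long: treat as logged out
    }
    $session['last_seen'] = $now;    // sliding idle window
    return (int) $session['user_id'];
}

function denyAccess(): void
{
    // Throw the session away rather than leaving a half-valid one behind.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    // The colon after Location is required, and so is the exit: without it
    // PHP keeps running and the protected page's HTML is still sent.
    header('Location: ' . HOME_URL);
    exit;
}

$userId = currentUserId($_SESSION, time());
if ($userId === null) {
    denyAccess();
}
// From here on $userId is the authenticated user; the rest of header.php runs.
```

Because the decision rests on the session store and not on cookie contents, a sniffed or copied cookie only yields the session id, which stops working at logout or after the idle limit, instead of the user's name and a reversible form of the password.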