Re: [PHP] Logging Users In - What is the Best Way

2002-02-19 Thread Michael Sims

At 06:17 PM 2/18/2002 -0800, Phillip S. Baker wrote:
> I have a MySQL back end.
> It houses a users user_name and password.
>
> I have a secure area of the site that I only want members to view.
>
> The way I have it now is that the user logs in.
> If user_name and password match, cookies are set.
>
> Each page in the secure area checks for a variable in the cookie. If set
> the user can view the page, if not set the page redirects back to the
> login page.

That's how I do it.  When creating user accounts I hash the passwords with 
md5() before putting them into the database.  When a user logs in he 
submits his password to my script in plain text only ONCE.  At that point 
my script hashes the password with md5(), compares it to the hashed 
password already in the database...and if it's the same it sets a cookie on 
the client containing the username and the hashed version of the 
password.  So from that point forward only the hashed version is submitted 
as a cookie variable.  From what I have seen lots of scripts use a similar 
mechanism.

Of course, it's not the most secure thing in the world.  The password is 
sent in plain text at least once (not good), but even hashing doesn't 
really help you that much.  Sure, it prevents a hacker from knowing what 
your password is, but if he can eavesdrop on your connection he can just 
steal the hashed version and then find a way to send it along with the 
request (fairly easy)...no need to know the unhashed version.

The only way to be truly secure is to use SSL...but then you have to ask 
yourself if it's really worth it.  My app is not that critical and 
certainly not worth encrypting.  Your needs may vary...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Logging Users In - What is the Best Way

2002-02-18 Thread Erik Price


On Monday, February 18, 2002, at 09:17  PM, Phillip S. Baker wrote:

> Now first question is - how secure is this?
>
> Second question - what is a better more secure way to handle this. Then
> most importantly where do I get information on how to go about doing
> that?
> I know nothing about sessions and would need some good links for that
> arena.
>
> Also I do not know much of anything about Object Oriented Programming.

I'm in the exact same shoes as you are.  I just did the exact same auth 
scheme, pretty much (is this the standard auth scheme?).  Also, I'm sure 
there's a better way I could be doing this.  Thirdly, I don't know much 
of anything about OOP either but I'm trying to learn.

I was in a bookstore today, and saw a brand new book: the Visual 
QuickPro Advanced PHP guide or something.  It looked excellent -- a 
whole section on object oriented programming within PHP (sic quotes).  
I'd like to pick it up for more info, and maybe you should look into it.  
Sometimes Amazon.com has like a 20 page excerpt of the book in PDF I 
think.

Anyways, the important thing is to remember that HTTP is a pretty 
insecure protocol if you're not encrypting your data.  Make sure that 
your password is encrypted by PHP before you send it to the MySQL 
server.  There's an open source (free) program used for diagnostic 
purposes that can be pointed to any server on the internet, and monitor 
port 80, so anyone can see exactly what GET, POST, and COOKIE data you'd be 
sending along with your authorization request.  I think the standard way 
most do it is to store the password encrypted in the database too, which 
means you can't email the password to someone if they forget it -- it 
has to be changed.

The other thing to do is add an exit() function immediately after your 
header() redirect.  I did this, because if you don't, the user agent 
doesn't necessarily HAVE to get redirected.  Think of the redirect as a 
suggestion.  Sure, most browsers will comply and the user will never see 
the data.  But the data is still sent, and if the user agent is a Perl 
script or something then of course it will only automatically redirect 
if its author has programmed it to do so.  Using exit() will prevent the 
rest of your script from executing, which means that the rest of the 
page will not display.

Ummm... well, there's probably more security-conscious people on this 
list than me who can come up with more.  Just think about the logical 
HTTP exchange and where data might accidentally leak out, and you'll 
probably cover most of your bases.

Erik

PS: I'm assuming that SSL is beyond the scope of your application.  
Otherwise, consider it.





Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






RE: [PHP] Logging Users In - What is the Best Way

2002-02-18 Thread scott

A way I've done things like this is to set up sessions, and
when a user logs in correctly, issue a randomly generated
value id and set that as a cookie.  In the database,
there's a row id (same as the cookie) that holds the 
user name and any other data that I might want to store.

Since none of the user's information is being saved as
cookies, and the id number is mostly random, it seems
to be a pretty secure way of knowing who is valid.

> -----Original Message-----
> From: Phillip S. Baker [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 9:18 PM
> To: PHP Email List
> Subject: [PHP] Logging Users In - What is the Best Way
>
>
> Okay Gents and Ladies,
>
> I am looking for more information on how best to do this.
>
> I have a MySQL back end.
> It houses a users user_name and password.
>
> I have a secure area of the site that I only want members to view.
>
> The way I have it now is that the user logs in.
> If user_name and password match, cookies are set.
>
> Each page in the secure area checks for a variable in the cookie. If set the
> user can view the page, if not set the page redirects back to the login page.
>
> Now first question is - how secure is this?
>
> Second question - what is a better more secure way to handle this. Then
> most importantly where do I get information on how to go about doing that?
> I know nothing about sessions and would need some good links for that arena.
>
> Also I do not know much of anything about Object Oriented Programming.
>
> Thanks for the feedback.
>
> Phillip
 
 


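The cookie Michael describes (username plus md5 hash) can be replayed by anyone who captures it, which is why scott's random session id stored server side and Erik's exit() after the header() redirect are the two pieces worth combining. Here is that combination in PHP as an added example, not code from anyone in the thread: it assumes a PDO connection $db, a users table holding password_hash() output (swapped in for the md5() the thread uses), and a sessions table keyed by the random token.

```php
<?php
// Added example, not from the thread. Assumed schema (MySQL):
//   users(id INT, user_name VARCHAR, password_hash VARCHAR)  -- password_hash() output
//   sessions(id CHAR(64) PRIMARY KEY, user_id INT, expires_at DATETIME)
// The browser only ever holds the random token, so a stolen cookie reveals no
// password and the server can revoke it by deleting the row.

function login(PDO $db, string $userName, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() is constant-time and the hash never leaves the server
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, 64 hex chars
    $db->prepare('INSERT INTO sessions (id, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([$token, $row['id'], date('Y-m-d H:i:s', time() + 3600)]);
    // HttpOnly keeps the token away from page scripts; Secure kicks in once SSL is used
    setcookie('sid', $token, ['expires' => 0, 'path' => '/', 'httponly' => true,
                              'secure' => isset($_SERVER['HTTPS']), 'samesite' => 'Lax']);
    return true;
}

// Gate for every page in the protected area. Returns the user id on success;
// on failure it redirects and calls exit() so the rest of the page is never sent.
function require_login(PDO $db): int {
    $token = $_COOKIE['sid'] ?? '';
    if (preg_match('/^[0-9a-f]{64}$/', $token)) {   // reject anything not shaped like ours
        $stmt = $db->prepare('SELECT user_id FROM sessions WHERE id = ? AND expires_at > ?');
        $stmt->execute([$token, date('Y-m-d H:i:s')]);
        $userId = $stmt->fetchColumn();
        if ($userId !== false) {
            return (int) $userId;
        }
    }
    header('Location: /login.php');
    exit();   // the redirect is only a suggestion to the client; exit() makes it binding
}

function logout(PDO $db): void {
    $token = $_COOKIE['sid'] ?? '';
    $db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$token]);
    setcookie('sid', '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Each protected page starts with `$userId = require_login($db);`; a token that is expired, deleted, or malformed falls through to the redirect.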




Re: [PHP] Logging Users In - What is the Best Way

2002-02-18 Thread Greg Donald

> Okay Gents and Ladies,
>
> I am looking for more information on how best to do this.
>
> I have a MySQL back end.
> It houses a users user_name and password.
>
> I have a secure area of the site that I only want members to view.
>
> The way I have it now is that the user logs in.
> If user_name and password match, cookies are set.
>
> Each page in the secure area checks for a variable in the cookie. If set the
> user can view the page, if not set the page redirects back to the login page.
>
> Now first question is - how secure is this?

Cookies are pretty secure.  I wouldn't store credit card numbers in them,
but for what you described they sound fine.

> Second question - what is a better more secure way to handle this. Then
> most importantly where do I get information on how to go about doing that?
> I know nothing about sessions and would need some good links for that arena.

Sessions are basically just server side cookies, but you can do neat stuff
like store them in a db such as MySQL.  The best place to learn about PHP
sessions is by reading the manual and writing some code:
http://www.php.net/manual/en/ref.session.php

> Also I do not know much of anything about Object Oriented Programming.

Me neither :)

> Thanks for the feedback.

No problem...


Greg Donald - http://destiney.com/
http://phprated.com/ | http://phplinks.org/ | http://phptopsites.com/




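Greg's point that PHP sessions are server side cookies you can back with MySQL, shown as an added example that is not from the thread: a minimal SessionHandlerInterface implementation registered with session_set_save_handler(), assuming PHP 8, a PDO connection $db and a php_sessions table (id, data, modified) that are not on the page.

```php
<?php
// Added example, not from the thread. Native PHP sessions hand the browser only the
// session id cookie; the data lives server side, by default in files. This class
// moves the store into MySQL. Assumed table:
//   php_sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, modified DATETIME)

class MysqlSessionHandler implements SessionHandlerInterface {
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false {
        $stmt = $this->db->prepare('SELECT data FROM php_sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;   // unknown id means an empty session, not an error
    }
    public function write(string $id, string $data): bool {
        $stmt = $this->db->prepare('REPLACE INTO php_sessions (id, data, modified) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, date('Y-m-d H:i:s')]);
    }
    public function destroy(string $id): bool {
        return $this->db->prepare('DELETE FROM php_sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false {
        // Called by PHP's probabilistic garbage collection; drops idle sessions
        $stmt = $this->db->prepare('DELETE FROM php_sessions WHERE modified < ?');
        $stmt->execute([date('Y-m-d H:i:s', time() - $max_lifetime)]);
        return $stmt->rowCount();
    }
}

session_set_save_handler(new MysqlSessionHandler($db), true);
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true,
                           'secure' => isset($_SERVER['HTTPS']), 'samesite' => 'Lax']);
session_start();

// After the password check succeeds: issue a fresh id so a session id planted
// before login is not upgraded, and store only what the pages need (never the password).
function mark_logged_in(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Page gate: the same header() + exit() pattern, but the check is against $_SESSION.
if (!isset($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit();
}
```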