Re: question about more secure authentication



On Wed, 26 Mar 2008 23:29:52 -0500, Jerry Stuckle
<jstucklex@xxxxxxxxxxxxx> wrote:

NN wrote:
I have an authentication scheme that uses the usual mysql/php.

when the username and password match the entries in the database, the
user is redirected to a user only page, otherwise, he goes back to the
login page.

on the protected pages i use SESSIONS to check if the
$_SESSION['userid'] is set and in case of failure it goes back to the
login page.

now, i've been reading about SESSION hijacking, etc and i'd like to
make this login much more secure. i'm thinking about storing the
username in a SESSION and check on every protected page whether the
userid and username match the entries in the database table.

is this a good idea or just a waste of resources?
any ideas of how to make this more secure?

thank you very much, your input is very much appreciated.

NN



You can do it, but the chances of someone hijacking a session are very
small. They would have to be in the path between your client and your
server.

The chances of this are small, and unless you have something like
financial information, even smaller. Nonetheless, if you want to be
more secure, use https: protocol. That will encrypt the transmissions
and all but assure the session cannot be hijacked.

thank you Jerry for your response.

so what i should do is to place the login page inside the https so the
POST variables are encrypted also.

now, i'm curious. in case of using http, would it be easy for a hacker
to set a SESSION['userid']= 1 and read all the information that
belongs to that user?


also, i'm trying to protect some PDF. i'm using this code.

<?php
require_once("includes/protectpage.inc.php");
protect(); // sends the visitor back to the login page unless the session is valid

header('Content-type: application/pdf');
readfile('invoice.pdf'); // file lives outside the web server's document root
?>

where invoice.pdf is a path outside the web server.
is this also secure as far as authentication goes if i put it within a
https or because of reading a file that is outside the https it will be
unencrypted data?

thanks again for all your help,

NN
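The points raised in this thread (checking the session's userid/username pair against the database on every protected page, the worry about a forged SESSION['userid'], and serving a PDF that lives outside the web root) put together as one added example. This is not code from NN, Jerry or any project; the PDO connection $pdo, the `users` table columns (id, username, password_hash), the INVOICE_DIR path and the per-user invoice naming scheme are all hypothetical.

```php
<?php
// Added example: hardened session handling and a protected PDF download
// for a PHP/MySQL login. Assumptions (hypothetical): a PDO connection $pdo,
// a `users` table with id, username and password_hash, and invoices stored
// outside the document root as INVOICE_DIR/<userid>/<n>.pdf.
declare(strict_types=1);

const INVOICE_DIR = '/var/app/private/invoices'; // hypothetical, outside the web root

function startSecureSession(): void
{
    // Session cookie only travels over HTTPS, is hidden from JavaScript and
    // is not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the session ID from the URL
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares in constant time against a password_hash() value.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID at login so a pre-set (fixated) ID is never promoted.
    session_regenerate_id(true);
    $_SESSION['userid']   = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    return true;
}

function failLogin(): void
{
    // Drop the session server-side and send the client back to the login page.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php', true, 303);
    exit;
}

function protect(PDO $pdo): int
{
    // The check NN proposes: the userid/username pair stored in the session
    // must still exist in the database, otherwise the session is treated as invalid.
    $userid   = $_SESSION['userid'] ?? null;
    $username = $_SESSION['username'] ?? null;
    if (!is_int($userid) || !is_string($username)) {
        failLogin();
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE id = ? AND username = ?');
    $stmt->execute([$userid, $username]);
    if ((int) $stmt->fetchColumn() !== 1) {
        failLogin();
    }
    return $userid;
}

function serveInvoice(int $userid, string $requested): void
{
    // Accept only a bare "<digits>.pdf" name, then confirm the resolved path is
    // still inside this user's directory, so "../" or another user's id cannot work.
    if (!preg_match('/\A[0-9]+\.pdf\z/', $requested)) {
        http_response_code(400);
        exit;
    }
    $userDir = INVOICE_DIR . '/' . $userid . '/';
    $real    = realpath($userDir . $requested);
    if ($real === false || strncmp($real, $userDir, strlen($userDir)) !== 0) {
        http_response_code(404);
        exit;
    }
    // readfile() writes the bytes into the same HTTPS response as any page, so
    // where the file sits on disk has no bearing on transport encryption.
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . basename($real) . '"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
    exit;
}

// Usage on a protected download page ($pdo is assumed to be created elsewhere):
// startSecureSession();
// $uid = protect($pdo);
// serveInvoice($uid, $_GET['file'] ?? '');
```

The session array itself lives on the server, so a client cannot write `$_SESSION['userid']` directly; what a client controls is the session ID cookie, which is why the example regenerates the ID at login, enables strict mode and marks the cookie Secure and HttpOnly rather than relying on the database lookup alone.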