Re: nooB PhP login using MySQL


"shimmyshack" <matt.farey@xxxxxxxxx> wrote in message
news:1175208366.040091.161750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 29 Mar, 23:06, "Ben" <nos...@xxxxxxxxxxxx> wrote:
Hello, I'll bet this has been asked a million times but I can't seem to
find
a thread that gives the clear example I need.

This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I
also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.

First question is can someone direct me to a site or provide a sample
code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"

Second, how do I prevent users from bypassing the login? Session
variable
right? Need instructions on how to implement that.

Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password
text
physically in the DB to be encrypted text that is decrypted through the
login process.

I'll deal with this only because it is something that I can just copy
and paste from a few entries on this newsgroup in the last few days,
the rest I'll leave to google.
you can get javascript sha256 (sha2)so why not use that.



Ok, that'll get me through step 1. Any help appreciated.

=B


firstly changing/registering the password should only be done over
SSL, unless you can use one of the js asymmetric encryption
implementations that are doing the rounds. [hee hee]

so registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)


but anyway logging in:


login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as javascript var that will be sued later by function that
submits form.basi
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form

auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',

if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )

then OK, redirect to their destination which has a file at the top
requiring authentication

else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.

Usually databases tend to use md5() or sha1() I think that has
commonly been because more secure hashes werent around in javascript
(and becasue the defacto mysql uses PASSWORD() which I think is a
euphemism for md5() ) but now that there are secure ways, and you dont
have to use PASSWORD() anyway, stick to something like sha2, there
have been noises about problems with md5 but as with all such noises,
if you wanted to be secure you would sheel out for an SSL cert, or
pick one up from cacert.org for nothing.

When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session id with that
value as the determining factor as to whether they have logged in or
not, after all someone could grab the session id and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running-one-time-pad for each request the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidation once the mim and
user both attempted to replay the same session. Anyway, my advice get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/id).


We have the cert. Thanks for your info it was helpful. I'm unfamiliar with
PHP/Java...a VFP programmer actually. Was hoping for something more
specific. Spent a lot of time at google before posting and found lots of
info but all pre-coded tools with no walk thru. I'm looking to understand
what is happening and not just implement someone else's stuff. Lean code
geared just for a secure login. I'll find it eventually. Thanks again for
the reply.

=B


.

Relevant Pages

  • Re: nooB PhP login using MySQL
    ... This PC has MySQL and IIS configured and running. ... how do I prevent users from bypassing the login? ... create a random string and store in session on server, ... euphemism for md5) but now that there are secure ways, ...
    (comp.lang.php)
  • Re: nooB PhP login using MySQL
    ... This PC has MySQL and IIS configured and running. ... how do I prevent users from bypassing the login? ... create a random string and store in session on server, ... euphemism for md5) but now that there are secure ways, ...
    (comp.lang.php)
  • Re: [PHP] method to prevent multiple logons of same account
    ... it can be done easily with the proper use of mysql indexes. ... you store the userid in the session my reply is going to be. ... >> and login as testuser1 it'll work just fine. ... Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader Graphical User Inteface. ...
    (php.general)
  • Re: security for AJAX-style function calls
    ... I might have been OK with the login ID rolled into a session ... > that one does not 'home-brew' security, ... > available and accepted as secure. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Multiple LoginURLs
    ... A session expires when the number of minutes specified by the Timeout passes without a request being made for the session. ... I have a situation where I have a certain url redirect into my secure ... I have the specific login credentials handled fine. ...
    (microsoft.public.dotnet.framework.aspnet)