Re: nooB PhP login using MySQL
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 21:47:52 -0500
Ben wrote:
"shimmyshack" <matt.farey@xxxxxxxxx> wrote in message news:1175208366.040091.161750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOn 29 Mar, 23:06, "Ben" <nos...@xxxxxxxxxxxx> wrote:Hello, I'll bet this has been asked a million times but I can't seem to findI'll deal with this only because it is something that I can just copy
a thread that gives the clear example I need.
This PC has MySQL and IIS configured and running. The MySQL database is
"myDB" with a table "myUsers" with fields "Username" and "Password". I also
have the MySQL ODBC driver loaded with a DSN "dsnMySQL" setup.
First question is can someone direct me to a site or provide a sample code
for a login page that prompts for user/password then either displays a
message "Login Succeeded!" or "Login Failed!"
Second, how do I prevent users from bypassing the login? Session variable
right? Need instructions on how to implement that.
Lastly, what is the best, maybe I should word that differently, the most
commonly used method for login encryption? I would like the password text
physically in the DB to be encrypted text that is decrypted through the
login process.
and paste from a few entries on this newsgroup in the last few days,
the rest I'll leave to google.
you can get javascript sha256 (sha2)so why not use that.
Ok, that'll get me through step 1. Any help appreciated.
=B
firstly changing/registering the password should only be done over
SSL, unless you can use one of the js asymmetric encryption
implementations that are doing the rounds. [hee hee]
so registration stage:
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha256(users_plaintext_password)
but anyway logging in:
login stage
1. create a random string and store in session on server,
2. send login form with username and password fields, and random
string as javascript var that will be sued later by function that
submits form.basi
3. when user enters password, set password field to
sha256( sha256(users_plaintext_password)+random string ), and post
form
auth stage
server computes sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
remove the random string immediately from the session using
$_SESSION['random_string'] = '',
if $_POST['password'] ==
sha256( users_hashed_password_in_database +
$_SESSION['random_string'] )
then OK, redirect to their destination which has a file at the top
requiring authentication
else they made an invalid attempt, redirect back to login script,
setting new random_string which is sent along with login form and also
stored in session.
Usually databases tend to use md5() or sha1() I think that has
commonly been because more secure hashes werent around in javascript
(and becasue the defacto mysql uses PASSWORD() which I think is a
euphemism for md5() ) but now that there are secure ways, and you dont
have to use PASSWORD() anyway, stick to something like sha2, there
have been noises about problems with md5 but as with all such noises,
if you wanted to be secure you would sheel out for an SSL cert, or
pick one up from cacert.org for nothing.
When your users have logged in, set a new session, with a new session
ID, and try not to simply use the presence of the session id with that
value as the determining factor as to whether they have logged in or
not, after all someone could grab the session id and replay it. The
difficulty here is that if you make it too "secure" using "process or
application flow" or a running-one-time-pad for each request the
presence of a man-in-the-middle could cause a denial of service to the
real user, whose authentication would be invalidation once the mim and
user both attempted to replay the same session. Anyway, my advice get
yourself a free cert from www.cacert.org (which is fine for
encryption) and go get assured and join the web of trust to get your
name on it (so it can be used as proof of ownership/id).
We have the cert. Thanks for your info it was helpful. I'm unfamiliar with PHP/Java...a VFP programmer actually. Was hoping for something more specific. Spent a lot of time at google before posting and found lots of info but all pre-coded tools with no walk thru. I'm looking to understand what is happening and not just implement someone else's stuff. Lean code geared just for a secure login. I'll find it eventually. Thanks again for the reply.
=B
Ben,
Your problem here is that your question is really too broad for a newsgroup. I can easily spend a full day in lecture/lab on these very points for instance.
I suggest you look for some PHp and MySQL tutorials for a start. Get a feel for the language - it is *quite different* than VFP.
Then come back here with specific questions and code you've tried. That will help us help you.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
.
- Follow-Ups:
- Re: nooB PhP login using MySQL
- From: Ben
- Re: nooB PhP login using MySQL
- References:
- nooB PhP login using MySQL
- From: Ben
- Re: nooB PhP login using MySQL
- From: shimmyshack
- Re: nooB PhP login using MySQL
- From: Ben
- nooB PhP login using MySQL
- Prev by Date: Re: Downloaded word document not correct
- Next by Date: Re: Video upload and playback
- Previous by thread: Re: nooB PhP login using MySQL
- Next by thread: Re: nooB PhP login using MySQL
- Index(es):
Relevant Pages
|
Loading
