Re: secure login form



Harris Kosmidhs wrote:
Hello,

while I'm developing sites for some time I never coded a login form with security in mind.

I was wondering what guidelines there are.

For my point of view I'm thinking of using md5 passwords (it's a one-way function, right?) in db. Is this a correct approach?

Yes. It certainly does not hurt. Better to "salt" your hashes (by appending a known, self-chosen string to it). I can check for md5('password'), but it is harder to check for md5('SiteNamepassword') if I do not know that 'SiteName' is the salt of your hash. Also note that hashes are not necessarily different for different passwords. So the password field in the database must not be unique if you use hashes. But it must not be unique anyway.
But this is mainly database security. If your PHP site calculates the hashes, the password is already sent over the big bad internet to your server. That is where https comes in.


Then, if I'm permitted by the server admin I want to use https. Is it as simple as putting the login form in the httpdocs of the https server and when login is successful then I just set a session variable? Will I then be able to read this from a page under http?

These are great questions to system administrators. You will need a separate IP address for each https site, but you can run "normal" http on the same IP address. So if you just have one site, one address will do. In the web server, you'll have to configure another directory that becomes the root of the https site. Just see it as a separate site. You can, however, define symlinks to parts of the regular site. This can be useful for sharing directories like CSS, images, etc. that contain static content and are also needed in the https site.

One note of care: if you use cookie-based sessions (meaning that the session ID is in a cookie), you can mark your cookies as secure. This will prevent browsers from sending them to the non-secure part. Of course, the PHP manual has some nice info on the matter as well. See, for instance, session_destroy and session_regenerate_id. Read especially the last one. A net search for "session fixation" and "session hijacking" also gives some valuable insight.

Best regards
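An added PHP example, not code from either poster, that puts the two points of the reply above into one login handler: the site-wide salted md5 scheme the reply describes is shown next to PHP's built-in password_hash()/password_verify() (a random per-user salt plus a slow hash, which is what a practitioner would store today), and the session is started with the cookie marked secure and the session ID regenerated on successful login, the session-fixation defence the reply points to. The $users array is a constructed stand-in for a database table, the salt value 'SiteName' is taken from the reply, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example for the thread above; not the original poster's code.

// --- (1) Password storage -----------------------------------------------

// The reply's scheme: one fixed, site-wide salt in front of the password,
// then md5(). Shown for comparison only: md5 is fast, so once the salt is
// known every stored hash can be guessed at offline at high speed.
const LEGACY_SITE_SALT = 'SiteName'; // salt value taken from the reply

function legacy_hash(string $password): string
{
    return md5(LEGACY_SITE_SALT . $password);
}

// What to store instead: password_hash() draws a random salt per user and
// uses a deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT). The
// salt and cost are embedded in the returned string, so nothing else
// needs to be kept in the table.
function make_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $storedHash): bool
{
    // password_verify() does a constant-time comparison internally.
    return password_verify($password, $storedHash);
}

// Constructed stand-in for the users table: username => stored hash.
$users = [
    'alice' => make_hash('correct horse battery staple'),
];

// --- (2) Cookie-based session on the https login page -------------------

function start_secure_session(): void
{
    // secure:   the browser sends the cookie over https only, so the plain
    //           http part of the site never sees the session ID.
    // httponly: the cookie is not readable from page script.
    // samesite: the cookie is not attached to cross-site POSTs.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !check_password($password, $users[$username])) {
        return false;
    }
    // Issue a new session ID once the user is authenticated, so an ID that
    // was handed to the browser before login (session fixation) never
    // becomes a logged-in session. true also deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage, as reached from the form under the https document root:
// start_secure_session();
// if (login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: /account.php');
// }
```

Because the cookie is flagged secure, a page served over plain http will not receive the session cookie at all, which answers the question of whether the session can be read from the http part of the site: by design it cannot, and pages that need the logged-in state should live under the https root.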