Re: secure login form



Harris Kosmidhs wrote:
Erwin Moller wrote:
Harris Kosmidhs wrote:
Hello,

Hi,


while I'm developing sites for some time I never coded a login form with security in mind.

I was wondering what guidelines there are.

For my point of view I'm thinking of using md5 passwords (it's an one way function right?) in db. Is this a correct approach?

What is it you want to protect against exactly?
If you want to avoid the man-in-the-middle eavesdropping on you: Then you need https, as you described.

If you are afraid the username/password you store in your database is hacked somehow, then it can make sense to store them with an md5 hash, which is one-way encryption indeed.
So that means you, as admin of the database, cannot tell what the password is since you only see the md5 hash.
You can check of course if a provided password 'translates' to the stored md5.

Personally, I stopped storing my passwords with a md5 hash in database.
I figured that if somebody can enter my database at will, my site is hopelessly cracked beyond repair anyway. ;-)


And what's your approach now? Clean passwords as text db fields?

Yes.




Then, if I'm permitted by the server admin I want to use https. Is it as simple as putting the login form in the httpdocs of the https server and when login is successful then I just set a session variable? Will I then be able to read this from a page under http?

You have NO shared session between your http and https pages.
So if you need that, you must build that yourself somehow.
(You can propagate the sessionid from http to https via a form, and let the receiving script use that sessionid for its https session. But be careful and always remember that your client can set ANY value for PHPSESSID easily). Always try to hack your own site with all the knowledge you have about its internals.


What should what I have to build look like? Let's say you press "log in". It loads the (https) login.php which finds out you are a user. Then? A header('http://example.org/loginnext.php?id=$userid') ??
Is there a way not to pass id with GET but with POST without user submitting the form himself?

Well, I was assuming that both the http-domain AND the https domain were on the same server.
If that is not the case, things will get more complicated, because you'll have to build a system that uses a common session-storage for different machines (using a database instead of serialized session-array, which is default).

The important thing is (when using a common sessionstorageplace) to pass around the sessionid.
eg, from http to https:
<form action="https://www.example.com/myhttps.php" method="post">
<input type="hidden" name="httpsessid" value="GJHGA577FKJ98FGKJ3">
<input type="submit">
</form>

From www.example.com/myhttps.php you can now pick up the passed httpsessid from $_POST["httpsessid"] and use that one to pick up the session under that name.

There are a lot of ins and outs, depending on your server config, so be sure you test everything you try.

I would advise you to first read through the relevant pages on php.net so you have a firm understanding of how sessions work before building this.
Be sure how to name a session (PHPSESSID), how to override a name, when sessions are autostarted, etc etc.

Good luck.

Regards,
Erwin Moller


thanks
.
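The receiving side of the handoff Erwin sketches above, written as an added example (not code from the thread) that applies his caveat that the client can post ANY value as the session id. It assumes what he assumes: both the http and https vhosts live on the same server and share the same session save path, and the form field is named "httpsessid" as in his form. The http page that renders that form simply calls session_start() and echoes session_id() into the hidden field.

```php
<?php
// myhttps.php (added example): pick up the session named in the posted
// "httpsessid" field without blindly trusting the client's value.

// Strict mode makes PHP refuse to adopt an id that does not already exist in
// the session store; an unknown id gets replaced by a freshly generated one.
ini_set('session.use_strict_mode', '1');
// From here on the session cookie must only travel over https and stay out of
// reach of scripts.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');

function validSessionId(string $id): bool
{
    // Default PHP session ids use only [a-zA-Z0-9,-]; bounding the length keeps
    // garbage out of the session handler's file or database lookup.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id);
}

function adoptHttpSession(string $postedId): bool
{
    if (!validSessionId($postedId)) {
        return false;
    }
    session_id($postedId);
    session_start();
    // If strict mode replaced the id, the client named a session that never
    // existed server-side: do not continue under a client-chosen name.
    if (session_id() !== $postedId) {
        session_unset();
        session_destroy();
        return false;
    }
    // The id the client posted also travelled over plain http, so retire it
    // and continue under a new one that only ever exists over https.
    session_regenerate_id(true);
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && adoptHttpSession((string) ($_POST['httpsessid'] ?? ''))) {
    // Session carried over. Perform the actual login here over https and call
    // session_regenerate_id(true) again once the user is authenticated.
} else {
    http_response_code(400);
    exit('No valid session handoff.');
}
```

Regenerating the id after the handoff and again after a successful login is what stops an attacker who knows (or fixed) the http-side id from riding along into the authenticated https session.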


