Re: [PHP] Need secure login

From: Manisha Sathe (manisha_at_starhub.net.sg)
Date: 10/10/03


To: php-general@lists.php.net
Date: Fri, 10 Oct 2003 10:38:10 +0800

Thanks Justin, actually I was also thinking of the same, but just wanted to
confirm that it is really not a good idea.

Was also wondering if there is any third party solution?

Regards
Manisha

"Justin French" <justin@indent.com.au> wrote in message
news:BBA254B2-FAC5-11D7-AB96-000A9579CE3A@indent.com.au...
> This first rule is never trust the client-side.
> The second rule is never trust the client-side.
>
> This means that relying on...
> a) the user accepting the cookie
> b) the user always using the same computer
> c) the user not deleting the cookie
> ... is a BAD idea.
>
> Frankly, if you force me to use a single computer to access your site,
> I'll just leave and never return. I have 3 desktops and a laptop, all
> of which I use at different times. Telling me I can only use one of
> them to access your site is like telling me I have to be wearing green
> socks whilst visiting your site. It should be about MY preference, not
> yours.
>
> Likewise, you can't tie a member to a mac address, or to an IP address.
>
> I don't really have a solution to your problem, and anything you DO
> implement will be a pain in the arse to users (otherwise Amazon et al
> would have already implemented it), but here's some thought starters
> -- all of which are deterrents NOT solutions.
>
> 1. Make sure that a user can't login from two different places at
> once, if the user does, generate an email report of the problem, so
> that you can keep an eye on users who might be abusing the system.
>
> 2. Randomly ask the user an additional question on login (DOB, pet's
> name, shoe size, postcode, etc) and compare it to Q's asked earlier.
>
> 3. Tell them repeatedly that sharing a userid/pass is against your
> acceptable terms, and that any members caught doing so will have their
> account closed without refund -- usually the idea of getting caught is
> a good enough deterrent.
>
> 4. Perhaps implement a rolling password system -- if this thing needs
> to be bullet proof. Each time they login, or once a month, or at
> random intervals, you could reset their password. Again, this isn't a
> solution, but it's a deterrent, because the user would have to keep
> their friends "updated".
>
>
> Most of the above is guaranteed to frustrate users though. Is your
> site worth enough to your users to frustrate them? Is the content you're
> protecting really that important? I doubt it :)
>
>
> Justin
>
> On Friday, October 10, 2003, at 11:44 AM, Manisha Sathe wrote:
>
> > Hi,
> >
> > I have a client. He does not want member login by just giving password
> > and login id. He says anybody can give this info to his friend and his
> > friend can access the site.
> >
> > One way is to make use of cookie on his computer. So only from one
> > computer he can access the site. But the thing is that user needs to
> > accept it, and I believe I need to provide some method too in case they
> > delete the cookie.
> >
> > Is there any other solution for this? Is there any third party
> > software for this?
> >
> > Regards
> > Manisha
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
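Justin's first suggestion above (one login location per account at a time, with a report when a second location appears) sketched as an added PHP example. This is illustration code written for this page, not code from either of the thread's participants. The in-memory `$sessions` array, the `SESSION_TTL_SECONDS` constant, the IP-plus-user-agent fingerprint and the `registerLogin`/`touchSession` names are all assumptions; a real site would keep the same data in a database table and hand the audit string to `mail()`.

```php
<?php
// Added example (not from the original thread): enforce "one active session
// per account" and produce an audit record when a second login arrives from a
// different client. Storage is an in-memory array here (assumption); a real
// deployment would use a database table keyed by user id.

declare(strict_types=1);

const SESSION_TTL_SECONDS = 1800; // sessions idle longer than this are ignored

/**
 * Handle a login for $userId from $ip / $userAgent at unix time $now.
 * $sessions is user id => list of active session records (by reference).
 * Returns the new session id and, if another client was active, an audit line.
 */
function registerLogin(array &$sessions, string $userId, string $ip, string $userAgent, int $now): array
{
    // Drop sessions that have gone idle past the TTL before looking for conflicts
    $active = array_values(array_filter(
        $sessions[$userId] ?? [],
        fn(array $s) => ($now - $s['last_seen']) < SESSION_TTL_SECONDS
    ));

    // Client fingerprint; hashed so the raw user agent is not stored in the record
    $fingerprint = hash('sha256', $ip . '|' . $userAgent);

    // Any live session whose fingerprint differs means a second place is in use
    $conflicts = array_filter($active, fn(array $s) => $s['fingerprint'] !== $fingerprint);

    // Fresh, unguessable session id for this login (never reuse the old one)
    $newSession = [
        'session_id'  => bin2hex(random_bytes(16)),
        'fingerprint' => $fingerprint,
        'ip'          => $ip,
        'last_seen'   => $now,
    ];

    $result = ['status' => 'ok', 'session_id' => $newSession['session_id'], 'audit' => null];

    if ($conflicts !== []) {
        // Policy from the thread: only one place at a time. The older sessions
        // are terminated below and the operator gets a line to review/email.
        $result['status'] = 'concurrent_login_detected';
        $result['audit'] = sprintf(
            'user=%s new_ip=%s existing_ips=%s at=%s',
            $userId,
            $ip,
            implode(',', array_map(fn(array $s) => $s['ip'], $conflicts)),
            gmdate('c', $now)
        );
    }

    // Only the newest session stays active for this account
    $sessions[$userId] = [$newSession];
    return $result;
}

/**
 * Validate a session id presented on a later request. It must match a stored
 * id (constant-time compare), come from the same fingerprint, and be unexpired.
 */
function touchSession(array &$sessions, string $userId, string $sessionId, string $ip, string $userAgent, int $now): bool
{
    $fingerprint = hash('sha256', $ip . '|' . $userAgent);
    foreach ($sessions[$userId] ?? [] as $i => $s) {
        if (hash_equals($s['session_id'], $sessionId)
            && $s['fingerprint'] === $fingerprint
            && ($now - $s['last_seen']) < SESSION_TTL_SECONDS) {
            $sessions[$userId][$i]['last_seen'] = $now;
            return true;
        }
    }
    return false; // unknown, expired, superseded, or presented from another client
}

// Constructed sample: the same account logs in from two networks five minutes apart
$sessions = [];
$first  = registerLogin($sessions, 'member42', '203.0.113.10', 'Mozilla/5.0 (Windows)', 1065753490);
$second = registerLogin($sessions, 'member42', '198.51.100.7', 'Mozilla/5.0 (Macintosh)', 1065753790);

// The first client's session id no longer validates once the second login supersedes it
$firstStillValid = touchSession($sessions, 'member42', $first['session_id'], '203.0.113.10', 'Mozilla/5.0 (Windows)', 1065753800);

printf("first login: %s\nsecond login: %s\naudit: %s\nfirst session still valid: %s\n",
    $first['status'], $second['status'], $second['audit'] ?? '-', $firstStillValid ? 'yes' : 'no');
```

The design point is that the server, not the client, holds the session state: the cookie carries only an opaque random id, and a second login from a different fingerprint both invalidates the earlier session and leaves an audit trail, which is the "email report" Justin describes. Whether that trade-off is worth the user friction is the question his closing paragraph raises.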


