Re: [PHP] Back to security



On Sat, March 10, 2007 12:41 pm, Alain Roger wrote:
> I'm continuing to work on securing the administration part of my
> website.
> Based on previous posts and reading materials, I was thinking of using
> the following process:

Think of HTTPS as like a bank vault in the basement of a branch bank.

Anybody can walk in the door, but very very very few people can walk
into the vault.

> 1. The user has to log on through a standard "http://" web page.
> 2. The login and encrypted password are compared with what is stored in
> the database; if they match, the user reaches point 3, if not, an error
> message is displayed.
> 3. After successful authentication, the user is redirected to https://
> pages, a session is opened in PHP and the session ID is stored in the
> database with the user data.

There is a steel wall between the non-HTTPS and the HTTPS
pages/site/functionality.

If you authenticate users outside the steel wall, you then have to
pass them and their credentials THROUGH the steel wall.

Better off to do all of 1, 2, and 3 inside HTTPS.

Plus, the whole point of HTTPS is to stop network sniffers from
over-hearing passwords and other sensitive data, and if you
authenticate outside HTTPS, then you are sending the authentication
credentials over the wire for anybody to hear, so what's the point?

> 4. The session holds the encrypted password, and every time the user
> performs an action the session ID is compared with the one in the DB, and
> the session's encrypted password is compared with the one stored in the
> DB. If everything matches, the action is performed; if not, the session
> is ended and the user is redirected to the logon page.

Don't store the password into the session data, imho.

If they authenticate, just store their username or user_id.
If they don't authenticate, don't store anything in session.

Valid username in session == authenticated user.

> A. Do you think it is secure enough like that?
> B. I still do not understand how to be sure that the user is still using
> https (the SSL protocol)?

Compare the output of <?php phpinfo();?> on the two pages, one with
the 'S' and one without.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
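One way to put the reply's advice into code, as an added example that is not from the original thread or from either poster. It assumes PHP 7.3 or later, password hashes produced by password_hash(), and hypothetical helper names (is_https, require_https, start_secure_session, login, require_login and a $lookup callback); the in-memory user table at the bottom is constructed and stands in for the database query.

```php
<?php
// Added example, not code from the original thread. Hypothetical helpers for
// the three points in the reply: the login form, the password check and the
// session all stay behind HTTPS; only the user id goes into the session; TLS
// is detected from $_SERVER['HTTPS'], the value the phpinfo() comparison shows.
// Assumes PHP >= 7.3 and password hashes produced by password_hash().
declare(strict_types=1);

// True when this request arrived over TLS. Most SAPIs set $_SERVER['HTTPS']
// to "on" or "1"; older IIS builds set it to "off" on plain HTTP.
function is_https(array $server): bool
{
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

// The "steel wall": a protected page bounces plain-HTTP requests to its
// https:// copy before doing any work, so credentials never cross in the clear.
function require_https(): void
{
    if (!is_https($_SERVER)) {
        $host = $_SERVER['HTTP_HOST'] ?? '';
        $uri  = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . $host . $uri, true, 302);
        exit;
    }
}

// The session cookie is only sent over TLS and is invisible to scripts, so a
// later http:// page cannot leak the session id.
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Point 2: compare the submitted password with the stored hash. $lookup is a
// hypothetical callback: username -> ['id' => int, 'hash' => string] or null.
// On success only the user id is stored in the session, never the password.
function login(string $username, string $password, callable $lookup): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('unknown-user-placeholder', PASSWORD_DEFAULT);
    $row = $lookup($username);
    // Always run one hash comparison so response time does not reveal
    // whether the username exists.
    $ok = password_verify($password, $row['hash'] ?? $dummy) && $row !== null;
    if (!$ok) {
        return false;
    }
    session_regenerate_id(true); // fresh id after login: defeats session fixation
    $_SESSION = ['user_id' => (int) $row['id'], 'login_at' => time()];
    return true;
}

// Point 4 without the password round-trip: a user_id in the session is the
// proof of authentication. Anything else ends the session and sends the user
// back to the login page. Call start_secure_session() first.
function require_login(string $login_url = '/admin/login.php'): int
{
    require_https();
    if (empty($_SESSION['user_id'])) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// login.php, served over https:// only. The closure is a constructed
// in-memory stand-in for the database query against the users table.
require_https();
start_secure_session();
$lookup = static function (string $u): ?array {
    $users = ['alain' => ['id' => 7,
        'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
    return $users[$u] ?? null;
};
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && login((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''), $lookup)) {
    header('Location: /admin/index.php', true, 302);
    exit;
}
// ...otherwise render the login form (with an error message after a failed POST).
// Every admin page then does: start_secure_session(); $uid = require_login();
```

The answer to question B is the is_https() check: $_SERVER['HTTPS'] is the line that differs between the two phpinfo() dumps. One caveat not covered by the thread: when a load balancer or reverse proxy terminates TLS, PHP sees plain HTTP and $_SERVER['HTTPS'] is unset; in that setup trust the proxy's X-Forwarded-Proto header only from the proxy's own address, never from arbitrary clients.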