a secure log-in system

  • ojorus

    a secure log-in system

    Hello!
    I want to make a login system as secure as possible on a website I develop.

    * The user shall log on using a Username and a password (which is stored in
      a mySQL database)
    * The server which I use to run my application has "register_globals"
      activated (set to "on"), so that has to be taken into consideration
    * The system should be secure even if the user does not click "log out" when he
      is finished. (Users often just close the browser window)
    * It is good if the system works even if cookies are not enabled on the
      client

    How can I make a login-system as secure as possible based on this?
    Do I have to use session-variables, or are there other ways?

    Happy for suggestions and comments on this.

    regards
    ojorus

    -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
    http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
    -----== Over 100,000 Newsgroups - 19 Different Servers! =-----
  • Zaphod Beeblebrox

    #2
    Re: a secure log-in system

    ojorus <ojorus@hotmail.com> wrote in message
    news:401afc8e_6@corp.newsgroups.com...
    > Hello!
    > I want to make a login system as secure as possible on a website I
    > develop.
    >
    > * The user shall log on using a Username and a password (which is stored
    > in a mySQL database)
    > * The server which I use to run my application has "register_globals"
    > activated (set to "on"), so that has to be taken into consideration
    > * The system should be secure even if the user does not click "log out"
    > when he is finished. (Users often just close the browser window)
    > * It is good if the system works even if cookies are not enabled on the
    > client
    >
    > How can I make a login-system as secure as possible based on this?
    > Do I have to use session-variables, or are there other ways?
    >
    > Happy for suggestions and comments on this.
    >
    > regards
    > ojorus

    Use sessions and SSL



    • Chung Leong

      #3
      Re: a secure log-in system

      Complexity is the bane of security. Keep things simple--that's my
      recommendation.

      User "ojorus" <ojorus@hotmail.com> wrote in message
      news:401afc8e_6@corp.newsgroups.com...
      > Hello!
      > I want to make a login system as secure as possible on a website I
      > develop.
      >
      > * The user shall log on using a Username and a password (which is stored
      > in a mySQL database)
      > * The server which I use to run my application has "register_globals"
      > activated (set to "on"), so that has to be taken into consideration
      > * The system should be secure even if the user does not click "log out"
      > when he is finished. (Users often just close the browser window)
      > * It is good if the system works even if cookies are not enabled on the
      > client
      >
      > How can I make a login-system as secure as possible based on this?
      > Do I have to use session-variables, or are there other ways?
      >
      > Happy for suggestions and comments on this.
      >
      > regards
      > ojorus



      • Justin Koivisto

        #4
        Re: a secure log-in system

        ojorus wrote:
        > I want to make a login system as secure as possible on a website I develop.

        First step is to use SSL.

        > * The user shall log on using a Username and a password (which is stored in
        > a mySQL database)

        Of course, never store the actual password, but some sort of hash of it.

        > * The server which I use to run my application has "register_globals"
        > activated (set to "on"), so that has to be taken into consideration

        If the server is running apache, use a .htaccess file to turn them off:

        php_flag register_globals off

        > * The system should be secure even if the user does not click "log out" when he
        > is finished. (Users often just close the browser window)

        Use sessions with custom handlers to store the session data in a
        database table. Set the following to be sure that all stale session
        records are removed when they have expired:

        session.gc_probability = 1
        session.gc_divisor = 1

        Then you can set your session timeout stuff according to your needs
        (seconds):

        session.gc_maxlifetime = 1440

        > * It is good if the system works even if cookies are not enabled on the
        > client

        session.use_trans_sid = 1

        > How can I make a login-system as secure as possible based on this?
        > Do I have to use session-variables, or are there other ways?

        If you want to do it without cookies, you'll need to use sessions, which
        may be more secure anyway. That way there are no details kept on the client
        machine in cookies, making public computer use safer.

        I have a system like this that I have used on quite a few sites over on
        sourceforge. I haven't updated anything on it for a while, but that's
        just because I haven't added any new features or have received any bug
        reports. If you're interested, I believe the address is:
        Download SecurityAdmin for PHP for free. SecurityAdmin for PHP will allow you to manage user accounts and access rights; add, edit, or delete users;


        However, SF is undergoing maintenance right now, so you'd have to wait
        for the site to come back up again. I'm no expert, but I haven't had any
        complaints about the methods I use.

        --
        Justin Koivisto - spam@koivi.com
        PHP POSTERS: Please use comp.lang.php for PHP related questions,
        alt.php* groups are not recommended.
        Official Google SERPs SEO Competition: http://www.koivi.com/serps.php
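        A worked version of the session advice in this post, added here as an illustration: it is not code from the post and not taken from SecurityAdmin for PHP. It implements a database-backed session handler, applies the gc and trans_sid settings listed above, regenerates the session id at login, and enforces the idle timeout on the server side so an abandoned browser window does not keep a session usable. It assumes PHP 8.1+ with PDO; the `sessions` table, the in-memory SQLite stand-in for MySQL, and the `loginUser`/`requireLogin` helpers are assumptions made for the example.

        ```php
        <?php
        // Added example, not code from the thread or from SecurityAdmin for PHP.
        // Assumes PHP 8.1+ with PDO. Uses an in-memory SQLite table so it runs on
        // its own; for MySQL swap the DSN and create the same `sessions` table there.
        declare(strict_types=1);

        final class DbSessionHandler implements SessionHandlerInterface
        {
            public function __construct(private PDO $db, private int $maxLifetime) {}

            public function open(string $path, string $name): bool { return true; }
            public function close(): bool { return true; }

            // Only hand back data for a session that has not expired, so an id left
            // behind by a closed browser window stops working on the server side.
            public function read(string $id): string|false
            {
                $stmt = $this->db->prepare(
                    'SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
                $stmt->execute([$id, time()]);
                $row = $stmt->fetch(PDO::FETCH_ASSOC);
                return $row === false ? '' : (string) $row['data'];
            }

            public function write(string $id, string $data): bool
            {
                $stmt = $this->db->prepare(
                    'REPLACE INTO sessions (id, data, expires_at) VALUES (?, ?, ?)');
                return $stmt->execute([$id, $data, time() + $this->maxLifetime]);
            }

            public function destroy(string $id): bool
            {
                return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
            }

            // PHP's garbage collector calls this; with gc_probability = gc_divisor = 1
            // it runs on every request, which is what the post's settings ask for.
            public function gc(int $max_lifetime): int|false
            {
                $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
                $stmt->execute([time()]);
                return $stmt->rowCount();
            }
        }

        // Give the session a fresh id after authentication (an id that arrived in
        // the URL is never kept past login) and record the time for the idle check.
        function loginUser(string $username): void
        {
            session_regenerate_id(true);
            $_SESSION['user'] = $username;
            $_SESSION['last_seen'] = time();
        }

        // Enforce the timeout in the application as well as via gc: a session idle
        // longer than $idleLimit seconds is destroyed and the caller gets false.
        function requireLogin(int $idleLimit): bool
        {
            if (!isset($_SESSION['user'], $_SESSION['last_seen'])
                || time() - $_SESSION['last_seen'] > $idleLimit) {
                $_SESSION = [];
                session_destroy();
                return false;
            }
            $_SESSION['last_seen'] = time();
            return true;
        }

        $maxLifetime = 1440;                          // seconds, the value from the post
        ini_set('session.gc_probability', '1');
        ini_set('session.gc_divisor', '1');
        ini_set('session.gc_maxlifetime', (string) $maxLifetime);
        ini_set('session.use_trans_sid', '1');        // cookieless fallback, as in the post
        ini_set('session.use_only_cookies', '0');     // needed for trans_sid to take effect
        ini_set('session.use_strict_mode', '1');      // reject ids the server never issued

        $db = new PDO('sqlite::memory:');             // constructed stand-in for MySQL
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, expires_at INT)');

        session_set_save_handler(new DbSessionHandler($db, $maxLifetime), true);
        session_start();
        loginUser('alice');
        var_dump(requireLogin($maxLifetime));         // check on the freshly created session
        ```

        Two points worth keeping in mind with this setup. trans_sid rewrites the session id into every link and form, so it can leak through Referer headers, bookmarks and proxy logs; treat it as the fallback for clients that refuse cookies, and rely on `use_strict_mode`, the short lifetime and the id regeneration at login to limit what a leaked id is worth. And the idle check in `requireLogin` matters because gc only runs when a request happens to trigger it; checking `last_seen` on every protected page gives the timeout a hard edge regardless of garbage collection.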


        • R. Rajesh Jeba Anbiah

          #5
          Re: a secure log-in system

          "ojorus" <ojorus@hotmail.com> wrote in message news:<401afc8e_6@corp.newsgroups.com>...
          > Hello!
          > I want to make a login system as secure as possible on a website I develop.
          >
          > * The user shall log on using a Username and a password (which is stored in
          > a mySQL database)
          > * The server which I use to run my application has "register_globals"
          > activated (set to "on"), so that has to be taken into consideration
          > * The system should be secure even if the user does not click "log out" when he
          > is finished. (Users often just close the browser window)
          > * It is good if the system works even if cookies are not enabled on the
          > client
          >
          > How can I make a login-system as secure as possible based on this?
          > Do I have to use session-variables, or are there other ways?
          >
          > Happy for suggestions and comments on this.



          --
          "Success = 10% sweat + 90% tears"
          Email: rrjanbiah-at-Y!com


          • Ryan Hubbard

            #6
            Re: a secure log-in system

            Just adding a note that should be addressed. Is your server shared or
            dedicated? If it's dedicated you're fine. If it's shared, is PHP running
            as an apache module? Or a CGI with suexec or some kind of cgi wrapper?
            If it's running as an apache module, which most do because of the
            benefit of speed, you have a problem with logging into the mysql
            database. It is no longer secure. Sure you may be able to write an
            application that is secure from a web point of view, but anyone with an
            account on the server will be able to gain access to your database of
            usernames and passwords.

            Recap.
            Is your server shared?
            If yes, is PHP running as an apache module?
            If yes, you've got a problem with security.


            • Eric Bohlman

              #7
              Re: a secure log-in system

              ryanmhuc@yahoo.com (Ryan Hubbard) wrote in
              news:ab43e670.0402111046.f1e2d13@posting.google.com:
              > Just adding a note that should be addressed. Is your server shared or
              > dedicated? If it's dedicated you're fine. If it's shared, is PHP running
              > as an apache module? Or a CGI with suexec or some kind of cgi wrapper?
              > If it's running as an apache module, which most do because of the
              > benefit of speed, you have a problem with logging into the mysql
              > database. It is no longer secure. Sure you may be able to write an
              > application that is secure from a web point of view, but anyone with an
              > account on the server will be able to gain access to your database of
              > usernames and passwords.

              Well, they won't be able to get the passwords if, as it should, the
              database stores an MD5 or SHA1 hash of the password rather than the actual
              password, and you could do the same thing for usernames if they're used
              only for authentication rather than things like displaying lists of users.
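              The storage rule in this reply, carried into working code as an added example (not code from the thread): the table holds a one-way hash, the login path compares against it, and a leaked table therefore exposes hashes rather than passwords. The example uses PHP's `password_hash()`/`password_verify()` with bcrypt instead of a bare MD5 or SHA1 digest, because those digests are fast to brute-force and, unsalted, give identical hashes to users who share a password; that choice is the example's, not the poster's. The `users` table, the in-memory SQLite database and the constructed account are assumptions; it needs PHP 7.4+ with PDO.

              ```php
              <?php
              // Added example, not code from the thread. Assumes PHP 7.4+ with PDO and a
              // `users` table (id, username, password_hash); the data below is constructed.
              declare(strict_types=1);

              // Hash for storage: the string embeds algorithm, cost and a random salt,
              // so two users with the same password still get different hashes.
              function makePasswordHash(string $password): string
              {
                  return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
              }

              // Look the account up and verify the password. password_verify() runs
              // even when the username is unknown (against a throwaway hash) so the
              // missing-user path takes about as long as a wrong password.
              function checkLogin(PDO $db, string $username, string $password): bool
              {
                  $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
                  $stmt->execute([$username]);
                  $row = $stmt->fetch(PDO::FETCH_ASSOC);

                  static $dummy = null;   // throwaway hash of a random value, built once
                  $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 12]);

                  $stored = $row === false ? $dummy : (string) $row['password_hash'];
                  $ok = password_verify($password, $stored) && $row !== false;

                  // Transparent upgrade when the stored hash uses an older cost or algorithm.
                  if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
                      $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
                      $upd->execute([makePasswordHash($password), $row['id']]);
                  }
                  return $ok;
              }

              // Stand-alone demo on an in-memory SQLite database (constructed account).
              $db = new PDO('sqlite::memory:');
              $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
              $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
              $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
              $ins->execute(['alice', makePasswordHash('correct horse battery staple')]);

              var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
              var_dump(checkLogin($db, 'alice', 'wrong password'));
              var_dump(checkLogin($db, 'nobody', 'anything'));
              ```

              The same pattern extends to the username idea in the reply: if usernames are only ever matched and never displayed, the lookup column can hold a keyed hash of the name rather than the name itself, at the cost of losing the ability to list or search accounts by name.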


              • Ryan Hubbard

                #8
                Re: a secure log-in system

                Eric Bohlman <ebohlman@earthlink.net> wrote in message
                news:<Xns948DEEAFF96C5ebohlmanomsdevcom@130.133.1.17>...
                > ryanmhuc@yahoo.com (Ryan Hubbard) wrote in
                > news:ab43e670.0402111046.f1e2d13@posting.google.com:
                > > Just adding a note that should be addressed. Is your server shared or
                > > dedicated? If it's dedicated you're fine. If it's shared, is PHP running
                > > as an apache module? Or a CGI with suexec or some kind of cgi wrapper?
                > > If it's running as an apache module, which most do because of the
                > > benefit of speed, you have a problem with logging into the mysql
                > > database. It is no longer secure. Sure you may be able to write an
                > > application that is secure from a web point of view, but anyone with an
                > > account on the server will be able to gain access to your database of
                > > usernames and passwords.
                >
                > Well, they won't be able to get the passwords if, as it should, the
                > database stores an MD5 or SHA1 hash of the password rather than the actual
                > password, and you could do the same thing for usernames if they're used
                > only for authentication rather than things like displaying lists of users.

                Eric, you have a very good point. The password, if stored in a one way
                hash, will be very difficult to crack if someone gains access to the
                database. But please do not forget to ensure that your login
                information to the database is secure. If you're on a shared server
                running php as an apache module then there is no secure way to hold the
                login information to the database without the information being
                exposed to anyone with an account on the server. If PHP is installed
                as a binary CGI then you're secure; if not, use a CGI wrapper for php.
