#1 SitePoint Enthusiast (KSA, joined Jan 2002)

Security of Log-in

I will set out some methods here and I need comments about them.

The Step 1:

PHP Code:
    define('ADMIN_SAFE_LOGIN', 'KSA');
    if (defined('ADMIN_SAFE_LOGIN') && $row['username'] == ADMIN_SAFE_LOGIN) {
        .........
    } else {
        .........
    }

Might this method be a gap in the project?

The Step 2:
Save the password to remember it by cookies. Might this be a gap?

PHP Code:
    $value = MD5('123');
    setcookie('password', $value, time() + 60 * 60 * 24 * 365);

Important questions!
1 - How might you protect your system log-in from burglars?
2 - What mistakes in programming the log-in might cause a gap?

#2 <? james('rules'); ?> (Wales, UK, joined Jun 2004)
    A secure log in system would probably be easiest and still very safe if you used $_SESSION.
Go to www.php.net, find a language that best suits you, and read the documentation on sessions. The format usually is something like this though:
PHP Code:
    <?php
    session_start(); // very important, must always go first
    $user = $_POST['username'];
    $pass = $_POST['pass'];

    $_SESSION['user'] = $user;
    $_SESSION['password'] = $pass;

    if (isset($_SESSION['user'])) {
        // .. check for set password session before log in etc etc..
    } else {
        // do something else for the non-logged in user
    }
If knowledge is power - why isn't our army librarians?!
Statistics show that 63% of all statistics are fake.
When I was little I broke my neck, and I haven't looked back since.
I completed the internet in 1 week. The end boss was pretty easy though.
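An added example, not code from the thread or from any poster, of the session-based log-in sketched in post #2 with the two changes a reviewer would ask for: the password is verified against a password_hash() value and only the user id is kept in the session, so the plaintext password never lives in $_SESSION or a cookie. The $pdo connection and the users table columns are assumed.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo and a
// users table with columns id, username, password_hash, where password_hash
// was produced at registration with password_hash($pw, PASSWORD_DEFAULT).

session_start(); // must run before any output is sent

// Returns true and opens a logged-in session on success, false otherwise.
function attempt_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() handles the salt embedded in the hash and compares
    // in constant time; a missing user and a wrong password fail the same way.
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);          // fresh session id after log-in
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Returns the logged-in user id, or null for an anonymous visitor.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = attempt_login($pdo, $_POST['username'] ?? '', $_POST['pass'] ?? '');
    // On failure show one generic message; do not say which field was wrong.
}

if (current_user_id() === null) {
    // do something else for the non-logged in user
}
```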

#3 ssttoo, SitePoint Zealot (LA, California, joined Jan 2004)
    Step 2:
Say you're logged in and your password is crypted in a cookie. If I can get this crypted password, I can assign it to a cookie on my PC and log in as you.
    How can I get this cookie? Easy if I have access to your computer. There's another way, but I don't want to talk about it.

Anyway, you can rest assured that it is safe enough. It's nowhere near 100% safe, but in the end a lot of sites are doing it and it works for them. The forum in which we're discussing this now (vBulletin) is also storing crypted passwords in cookies.

#4 Non-Member (Planet Earth, joined Jan 2004)
    Never felt safe when given the option to store a password in a cookie, even if it's encrypted

    Better just to store the username, and have the user enter their password instead, which is what the bulk of sites do

I.e. Yahoo Mail has your email address pre-entered for you, once you select the 'remember me' box when you sign on.

#5 ssttoo, SitePoint Zealot (LA, California, joined Jan 2004)
Yeah, a Widow Maker makes a very good point (Dude, consider changing your nick to Good Point Maker or SitePoint Maker or a combination). It all depends on how important the protected area is. Ask yourself the question where you see the balance between convenience and security.

#6 SitePoint Enthusiast (KSA, joined Jan 2002)
Using $_SESSION might be a good idea, but a question: how do you remember?

I employ this method: set a column in the database table (USERS) named [cookies] and add this value to the column when the remember check box is selected.

PHP Code:
    if ($remember) {
        $cookies = md5(uniqid(microtime()));
        setcookie('cookies', $cookies, time() + 60*60*24*365);
        $query = "UPDATE USER SET cookies = '$cookies' WHER ..... ;
        .

    ssttoo > There's another way, but I don't want to talk about it ???????

We need the information for security.
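An added example, not code from the thread or from any poster, of the "remember me" scheme post #6 describes, tightened in three ways: the cookie carries a random selector and validator, the database stores only a hash of the validator (so a leaked table does not yield working cookies), and the cookie is HttpOnly so page scripts cannot read it. The $pdo connection and the remember_tokens table are assumed.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo and a
// table remember_tokens(selector, validator_hash, user_id, expires).

function issue_remember_token(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));  // secret, stored only as a hash
    $expires   = time() + 60 * 60 * 24 * 30; // 30 days rather than a full year

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid cookie, or null (clearing the cookie) otherwise.
function check_remember_token(PDO $pdo): ?int
{
    $raw = $_COOKIE['remember'] ?? '';
    if (strpos($raw, ':') === false) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constant-time comparison of the hashes; reject unknown or expired rows.
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        setcookie('remember', '', time() - 3600, '/');
        return null;
    }
    return (int) $row['user_id'];
}
```

Call check_remember_token() only when no logged-in session exists, and delete the row (and the cookie) on log-out so a stolen token cannot be used afterwards.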

#7 ssttoo, SitePoint Zealot (LA, California, joined Jan 2004)
    OK, KSA, since you insist.
    It's possible to get a remotely stored cookie in those rare occasions when you allow your visitors to post on your site. If you don't strip out the HTML code from their postings they can inject malicious javascript that can read/send the cookie information.
    You know that when you set a cookie with PHP, you can read it with JavaScript.

#8 SitePoint Enthusiast (KSA, joined Jan 2002)
What is the solution?

Look at this: http://demo.4homepages.de/

It uses cookies for remembering, but it is very good. Is there a gap found in 4image?

You can download 4image and test it:
http://www.4homepages.de/4images/download.php

#9 ssttoo, SitePoint Zealot (LA, California, joined Jan 2004)
    Like I said before - depends on the level of security you're trying to reach. To avoid situations like the one I pictured above, simply strip out the tags from the user input, like
PHP Code:
    $user_comment = strip_tags($_POST['user_comment']);
    Be sure to read the user contributed comments on http://php.net/strip_tags

    Rule of thumb:
    Never trust user input.

