  1. #1
    SitePoint Wizard
    Join Date
    Mar 2008
    Location
    United Kingdom
    Posts
    1,285

    'Secure' Login script?

    Hi,

    I've used the same kind of Login script (adapted from a Larry Ullman book, using Sessions), but just wonder if there's a good example online of a fairly 'secure' Login script. I know it comes down to opinions of 'secure', but thought I'd get some feedback on this subject.

    I found a really good article on Login and PHP security (found it ), which discussed brute-force, SQL injections, blocking users after 3 failed attempts, etc., which got me wondering if there are any (almost) bulletproof login scripts out there, using PHP and MySQL?

    Roscripts looks good: http://www.roscripts.com/PHP_login_script-143.html but I'm wondering if there are any others I should be looking out for to use?

    I'm tempted to try to build one myself, a little like Mike Cherim's one with the Contact Form, but with an aim to being a more secure Login for an Admin site.


    Many thanks for any thoughts.

  2. #2
    SitePoint Enthusiast Mounty's Avatar
    Join Date
    Mar 2008
    Location
    UK
    Posts
    90
    I don't think 'bulletproof' is really possible, since someone could theoretically obtain a new IP every time you block their brute force attempt. But that's why we always need to keep an eye on the server logs.

    For some other ideas: include a 'honey pot' input field (e.g. email) on the login form which is then hidden with your stylesheet. Then block anyone who actually enters any information into this box (e.g. bots that only parse the markup). Could also do something similar on your registration form, etc.

  3. #3
    SitePoint Member
    Join Date
    May 2009
    Posts
    2
    Originally Posted by Mounty:

    For some other ideas: include a 'honey pot' input field (e.g. email) on the login form which is then hidden with your stylesheet. Then block anyone who actually enters any information into this box (e.g. bots that only parse the markup). Could also do something similar on your registration form, etc.

    What about the automatic form fillers on toolbars in such cases? Wouldn't they also be flagged as bots?

  4. #4
    SitePoint Enthusiast Mounty's Avatar
    Join Date
    Mar 2008
    Location
    UK
    Posts
    90
    Hmm, good question - to be honest I have no idea! Maybe someone else has seen this before?

  5. #5
    SitePoint Member
    Join Date
    May 2009
    Posts
    2
    Your idea just may work btw... apparently form fields can have an attribute autocomplete="off" to specify that they should not be autofilled.

    A safer way would be to just use JavaScript to set a hidden form field value, although this may also fail if JS is disabled.
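
The honeypot field and the "block after 3 failed attempts" idea from this thread, combined in one server-side check. This is an added example, not code from any poster or from the scripts linked above. The field names, the 15-minute lock window and the in-memory user and failure stores are assumptions standing in for MySQL tables.

```php
<?php
// Added example. Field names, limits and the in-memory stores are assumptions;
// a real site would keep users and failure counters in MySQL.
const MAX_FAILURES = 3;    // "blocking users after 3 failed attempts"
const LOCK_SECONDS = 900;  // assumed lock window

// The form carries a decoy field hidden by the stylesheet, e.g.
// <input type="text" name="email" class="hp" autocomplete="off" tabindex="-1">
function check_login(array $post, array $users, array &$failures, int $now): string
{
    // Treat non-string input (e.g. email[]=x) as empty instead of erroring.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';

    // Honeypot: a human never sees the field, so any value marks an automated
    // submission. Reject this request only; autofill can cause false positives.
    if (trim($field('email')) !== '') {
        return 'rejected_honeypot';
    }

    // Throttle per account rather than per IP, since the client address can change.
    $user = strtolower(trim($field('username')));
    $f = $failures[$user] ?? ['count' => 0, 'last' => 0];
    if ($f['count'] >= MAX_FAILURES && $now - $f['last'] < LOCK_SECONDS) {
        return 'locked';
    }

    // Verify against a dummy hash for unknown users so both paths cost the same.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($field('password'), $known ? $users[$user] : $dummy) && $known;
    if ($ok) {
        unset($failures[$user]);
        return 'ok';
    }
    $failures[$user] = ['count' => $f['count'] + 1, 'last' => $now];
    return 'failed';
}

// Constructed sample requests: a bot filling every field, then password guessing.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$failures = [];
$bot = ['username' => 'admin', 'password' => 'x', 'email' => 'a@b.example'];
$bad = ['username' => 'admin', 'password' => 'guess', 'email' => ''];
$good = ['username' => 'admin', 'password' => 'correct horse', 'email' => ''];
foreach ([$bot, $bad, $bad, $bad, $good] as $i => $req) {
    echo check_login($req, $users, $failures, 1000 + $i), "\n";
}
```

Once an account is locked, even the correct password is refused until the window passes, so the lock cannot be probed by guessing.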

