What is most secure?

dwfait
Forum Contributor
Posts: 113
Joined: Sun Aug 01, 2004 10:36 pm

Post by dwfait »

What would be the most secure way to handle logins? Cookies, sessions or something else?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: What is most secure?

Post by Roja »

dwfait wrote: What would be the most secure way to handle logins? Cookies, sessions or something else?
SSL.

No SSL? Then db-driven sessions.

No db-driven sessions? Then file-system sessions.

No Sessions? Then cookies.

No cookies? Go to the store and buy some Nestle Toll House, and get cooking. Yummmm.. Cooooookies.
dwfait
Forum Contributor
Posts: 113
Joined: Sun Aug 01, 2004 10:36 pm

Post by dwfait »

Can you set up SSL on an Apache system on your own computer for free? Or does SSL cost?

And if it costs, could you forward me to any tutorials on DB-driven sessions please?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You would need to run Apache-SSL.

The installer has a tool to generate a certificate, or you can get it at http://www.cacert.org/ for free.
dwfait
Forum Contributor
Posts: 113
Joined: Sun Aug 01, 2004 10:36 pm

Post by dwfait »

Could I run Apache-SSL alongside a normal Apache webserver, or would I need to replace it?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Read the documentation at http://httpd.apache.org? (Yes, you can run them both)
dwfait
Forum Contributor
Posts: 113
Joined: Sun Aug 01, 2004 10:36 pm

Post by dwfait »

:'(
Apache-SSL is only available for Apache 1.x, and on Linux only. I've got the latest stable 2.x on a Windows box. Guess it's DB-driven sessions then.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

dwfait wrote: :'(
Apache-SSL is only available for Apache 1.x, and on Linux only. I've got the latest stable 2.x on a Windows box. Guess it's DB-driven sessions then.
Apache 2 (on Linux and Unix) has SSL available. Your phrasing made that a little hard to grasp, so I wanted to clarify that.

Didn't know that there wasn't SSL for Apache 2 on Windows. Odd.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Wait, what's with the "DB-driven sessions"? How does that work?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Ambush Commander wrote: Wait, what's with the "DB-driven sessions"? How does that work?
http://phplens.com/lens/adodb/docs-session.htm

Learn it, live it, love it.

The idea is that all the session information is stored in a database - NOT on the filesystem. On a shared host, it's a fantastic improvement in security.

Even on a host where you control the filesystem and the database, it puts another layer of protection in front of an attacker.

Beyond the security, it allows you to have one web front end and a cluster of database servers behind it. With filesystem-based sessions, that's much trickier.

Beautiful stuff. Adodb even offers encryption AND compression for session information, for an even bigger win!
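To make the mechanism concrete, here is an added example of a database-backed session handler (not code from the thread, and not ADOdb's own session code). It assumes PHP 7.3 or later with the pdo_sqlite extension; the table name `sessions`, the column layout and the in-memory SQLite database are choices made for this illustration and would be replaced by a real database connection in practice.

```php
<?php
// Added example: PHP sessions stored in a database instead of the filesystem.
// Assumptions: PHP >= 7.3, pdo_sqlite available; table/column names are invented here.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // Session data lives in a table, not in a world-readable temp directory,
        // so other tenants on a shared host cannot read it through the filesystem.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id TEXT PRIMARY KEY,
                data BLOB NOT NULL,
                last_access INTEGER NOT NULL
            )'
        );
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        // Expired rows are treated as absent even before garbage collection runs.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND last_access > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    public function write($id, $data): bool
    {
        // The session ID arrives in the client's cookie and is untrusted input,
        // so it is bound as a parameter and never concatenated into SQL.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, last_access) VALUES (:id, :data, :now)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc($maxLifetime): int
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access <= :cutoff');
        $stmt->execute([':cutoff' => time() - (int) $maxLifetime]);
        return $stmt->rowCount();
    }

    // Needed for session.use_strict_mode: only IDs the server itself issued (i.e. that
    // exist in the table) are accepted, so a client cannot fixate a session by
    // presenting an ID of its own choosing.
    public function validateId($id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = :id AND last_access > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp($id, $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET last_access = :now WHERE id = :id');
        return $stmt->execute([':now' => time(), ':id' => $id]);
    }
}

// Usage: in-memory SQLite stands in for the real database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$lifetime = 1800;
ini_set('session.gc_maxlifetime', (string) $lifetime);
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

session_set_save_handler(new PdoSessionHandler($db, $lifetime), true);
session_start();
$_SESSION['user_id'] = 42;
session_write_close();

// Read the row back directly to show where the data actually went.
$row = $db->query('SELECT id, data FROM sessions')->fetch(PDO::FETCH_ASSOC);
printf("session %s stored in the database as: %s\n", $row['id'], $row['data']);
```

Run it from the command line and the serialized `$_SESSION` shows up in the `sessions` table rather than in a file. The handler also implements `SessionUpdateTimestampHandlerInterface`, because with a custom save handler PHP's `session.use_strict_mode` (the defence against session fixation) only works if the handler can answer "did I issue this ID?" itself; storing sessions elsewhere does not make the cookie that names them any more trustworthy, so the cookie flags are set alongside.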
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Neat.

Maybe I should stop using PEAR's DB class and use Adodb?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Ambush Commander wrote: Neat.

Maybe I should stop using PEAR's DB class and use Adodb?
There are advantages to each.

For me, there was no choice - all my code is under the GPL, and PEAR's DB class is under the PHP License - which is incompatible with the GPL. So I could not use it with my code, or my chosen license.

Of course, the adodb-xmlschema, encrypted/compressed sessions, insanely great performance monitoring, and db-driven sessions all were delicious icing on top.
shoebappa
Forum Contributor
Posts: 158
Joined: Mon Jul 11, 2005 9:14 pm
Location: Norfolk, VA

Post by shoebappa »

Apache 2 on Windows doesn't come with SSL precompiled, but you can compile it, or download precompiled binaries from: http://hunter.campbus.com/