Security question

phpCCore Brad
Forum Commoner
Posts: 47
Joined: Sun Dec 04, 2005 5:46 pm
Location: Michigan, USA

Security question

Post by phpCCore Brad »

So, I have been reading and have noticed a lot of people say sessions aren't truly secure and IPs aren't truly secure. So, what is the best way of securing a website then. I mean right now I store a hash in my database and the user's IP along with sessions. Is that the best way to go for this situation or does someone have a better idea?

Thanks in advance!
basdog22
Forum Contributor
Posts: 158
Joined: Sun Nov 30, 2003 3:03 pm
Location: Greece

Post by basdog22 »

There is no 100% secure script... As one friend of mine says:
A safe PC is one that is buried 2 meters in the ground, unplugged and covered with cement.
Sessions have their flaws, cookies have their flaws too.

I think the best way to "feel" secure is an "I don't trust my visitors" policy. :?
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

I have something on a kinda secure level, but it's not really good at all if you think about it. I have a database with keys to use for my website that generates keys every hour or so, then decrypts each user's password and re-encrypts it with the new key, and then I just use mcrypt. The only downside is that if the "hacker" gets into the database, then it's worthless. See, the reason it's kinda secure is that if someone gets the key and tries to break it or weaken it, even if they get it within an hour, it will just be replaced/changed in another few minutes.
mikey13
Forum Newbie
Posts: 1
Joined: Thu Jun 29, 2006 6:14 am

Post by mikey13 »

Having worked professionally in information security for the past 5 years, web application security can be achieved with several things..

1. confidentiality: use HTTPS, both IIS and Apache (and other major webservers) can be configured with a certificate.

2. input data: this is the main one.. filter the data coming in, think about your program and what data it will get. If you expect a number (age, credit card number, ...) then filter for non-numeric characters. Also filter for funky characters like single quotes (for SQL injection attacks) and HTML tags (< and > especially) for cross site scripting attacks.

3. Cookies are just files that contain some data. Same here, don't trust any data coming from the client here as well; if you have a numeric value (session ID for example), check that it contains only numbers. You can build this into your "framework" for all your pages.

4. layered security: have several DB users.. one read-only user that will (obviously) do read operations in your DB.. and one read-write user that can update / add / delete data...

Session ID's, if you choose them big enough, then they are secure. Can you guess a, say, 32 character random string in a reasonable amount of time? Nope. All the computers in the world cannot. (It is possible to guess it, but you need to verify this against the site.. so that would be a few billion requests in a matter of less than an hour). A 32 character string, 32 bytes.. 256 bits.. is 2^256 .. pretty impossible.

Session ID's are usually stolen by cross site scripting attacks, so that is up to the application programmer.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

mikey13! I can't believe you forgot escaping output.
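Added example, not code from any of the posters in this thread: a PHP session bootstrap and two helpers that put mikey13's four points and Ollie's output-escaping reminder into working code. It assumes PHP 7.3 or later with the default session handler; the session ID's bit strength is computed as characters times bits per character, and the database account name and password variable are placeholders.

```php
<?php
// Added example (not from any post above): hardened session bootstrap plus
// input-validation, output-escaping and read-only DB helpers.
declare(strict_types=1);

const SID_LENGTH = 48;   // 48 chars x 5 bits/char = 240 bits of entropy

// Point 3: the session cookie is client data. Accept only the exact format
// we issue (session.sid_bits_per_character=5 gives the alphabet [0-9a-v]).
function isValidSessionId(string $id): bool
{
    return (bool) preg_match('/\A[0-9a-v]{' . SID_LENGTH . '}\z/', $id);
}

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');    // refuse IDs we never issued
    ini_set('session.use_only_cookies', '1');   // never read the ID from the URL
    ini_set('session.sid_length', (string) SID_LENGTH);
    ini_set('session.sid_bits_per_character', '5');
    session_set_cookie_params([
        'secure'   => true,   // point 1: cookie travels over HTTPS only
        'httponly' => true,   // not readable by script, limits theft via XSS
        'samesite' => 'Lax',
    ]);
    $name = session_name();
    if (isset($_COOKIE[$name]) && !isValidSessionId($_COOKIE[$name])) {
        unset($_COOKIE[$name]);   // malformed: start a fresh session instead
    }
    session_start();
}

// Point 2: validate the type and range you expect instead of stripping characters.
function expectInt(array $src, string $key, int $min, int $max): ?int
{
    $v = filter_var($src[$key] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Ollie's point: escape at the point of output, for the HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Point 4: a read-only DB account for pages that only read (placeholder credentials).
function readOnlyDb(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app', 'app_ro', getenv('APP_RO_PASS') ?: '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}
```

Call startSecureSession() before any output, pass $_GET or $_POST through expectInt() for numeric parameters, and wrap every value printed into HTML with h().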