Security question
Posted: Wed Jun 28, 2006 8:03 pm
by phpCCore Brad
So, I have been reading and have noticed a lot of people say sessions aren't truly secure and IPs aren't truly secure. So, what is the best way of securing a website then? I mean right now I store a hash in my database and the user's IP along with sessions. Is that the best way to go for this situation or does someone have a better idea?
Thanks in advance!
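As an added illustration of the "hash in the database plus session" approach the question describes (this is example code written for this page, not code from the original poster or from phpCCore), the sketch below issues a random session token, stores only a SHA-256 hash of it server-side, binds it to a fingerprint, expires it, and rotates it after login. The `$store` array is a hypothetical stand-in for the database table, and `TOKEN_BYTES`, `SESSION_LIFETIME` and the browser string are constructed values.

```php
<?php
// Added example (not from the original thread): server-side session tokens.
// The raw token lives only in the cookie; the store keeps its SHA-256 hash,
// so a read-only leak of the session table does not hand out usable tokens.
// $store is a hypothetical in-memory stand-in for the database table.

declare(strict_types=1);

const TOKEN_BYTES = 32;          // 256 bits of randomness per token
const SESSION_LIFETIME = 1800;   // 30 minutes idle timeout (constructed value)

/** Fingerprint: hash of the user agent only. The IP address is deliberately
 *  left out: it changes for users behind rotating proxies or mobile carriers
 *  and still does not stop an attacker sitting behind the same NAT. */
function fingerprint(string $userAgent): string
{
    return hash('sha256', $userAgent);
}

/** Issue a fresh token for $userId and record its hash. Returns the raw token
 *  that goes into the cookie (set it with Secure and HttpOnly in real code). */
function issueSessionToken(array &$store, int $userId, string $userAgent, int $now): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));      // 64 hex characters
    $store[hash('sha256', $token)] = [
        'user_id'     => $userId,
        'fingerprint' => fingerprint($userAgent),
        'expires'     => $now + SESSION_LIFETIME,
    ];
    return $token;
}

/** Look up a presented token. Returns the user id, or null when the token is
 *  malformed, unknown, expired, or presented from a different fingerprint. */
function validateSessionToken(array &$store, string $token, string $userAgent, int $now): ?int
{
    // Reject anything that is not exactly 64 hex characters before touching storage.
    if (preg_match('/^[0-9a-f]{64}$/', $token) !== 1) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    if ($now > $row['expires']) {
        unset($store[$key]);                      // expired: purge the row
        return null;
    }
    // hash_equals keeps the comparison constant-time.
    if (!hash_equals($row['fingerprint'], fingerprint($userAgent))) {
        return null;
    }
    return $row['user_id'];
}

/** Rotate the token after login or a privilege change, so a token fixed or
 *  captured before authentication stops being valid. */
function rotateSessionToken(array &$store, string $oldToken, string $userAgent, int $now): ?string
{
    $userId = validateSessionToken($store, $oldToken, $userAgent, $now);
    if ($userId === null) {
        return null;
    }
    unset($store[hash('sha256', $oldToken)]);
    return issueSessionToken($store, $userId, $userAgent, $now);
}

// Demo run with a constructed browser string and a fixed clock.
$store = [];
$ua    = 'Mozilla/5.0 (constructed test agent)';
$t0    = 1700000000;

$token = issueSessionToken($store, 42, $ua, $t0);
var_dump(validateSessionToken($store, $token, $ua, $t0 + 60));        // valid: user 42
var_dump(validateSessionToken($store, $token, 'other agent', $t0));   // fingerprint mismatch
$fresh = rotateSessionToken($store, $token, $ua, $t0 + 120);          // login: new token
var_dump(validateSessionToken($store, $token, $ua, $t0 + 120));       // old token now dead
var_dump(validateSessionToken($store, $fresh, $ua, $t0 + 3600));      // idle timeout
```

The design choice worth noting against the question: the database row holds `hash('sha256', $token)`, never the token, and the fingerprint is the user agent rather than the IP, for the reason the thread itself raises (IPs are not stable, so binding to them mostly locks out legitimate users). Rotation on login is what makes session fixation harmless.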
Posted: Wed Jun 28, 2006 10:15 pm
by basdog22
There is no 100% secure script... As one friend of mine says:
A safe PC is one that is buried 2 meters in the ground, unplugged and covered with cement.
Sessions have their flaws, cookies have their flaws too.
I think the best way to "feel" secure is a "I don't trust my visitors" policy.

Posted: Wed Jun 28, 2006 10:24 pm
by tecktalkcm0391
I have something on a kinda secure level, but it's not really good at all if you think about it, but I have a database with keys to use for my website that generates keys every hour or so and then decrypts each user's password, and re-encrypts it with the new key, and then I just use mcrypt. The only downside is if the "hacker" gets into the database, then it's worthless. See, the reason it's kinda secure is that if someone gets the key and tries to break it or weaken it, if they get it in an hour, then it will just be replaced/changed in another few minutes.
Posted: Thu Jun 29, 2006 6:30 am
by mikey13
Having been professionally in information security for the past 5 years, web application security can be achieved with several things..
1. confidentiality: use HTTPS, both IIS and Apache (and other major webservers) can be configured with a certificate.
2. input data: this is the main one.. filter on data coming in, think about your program and what data it will get. If you expect a number (age, credit card number, ...) then filter for non-numeric characters. Also filter for funky characters like single quotes (for SQL injection attacks) and HTML tags (< and > especially) for cross site scripting attacks.
3. Cookies are just files that contain some data. Same here, don't trust any data coming from the client here as well; if you have a numeric value (session ID for example), check that it contains only numbers. You can build this into your "framework" for all your pages.
4. layered security: have several DB users.. one read-only user that will (obviously) do read operations in your DB.. and one read-write user that can update / add / delete data...
Session IDs, if you choose them big enough, then they are secure. Can you guess a, say, 32 character random string in a reasonable amount of time? Nope. All the computers in the world cannot. (It is possible to guess it, but you need to verify this against the site.. so that would be a few billion requests in a matter of less than an hour). A 32 character string, 32 bytes.. 256 bits.. is 2^256 .. pretty impossible.
Session IDs are usually stolen by cross site scripting attacks, so that is up to the application programmer.
Posted: Thu Jun 29, 2006 9:13 am
by Ollie Saunders
mikey13! I can't believe you forgot escaping output.
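Points 2 and 3 of mikey13's list (validating input, treating the session cookie as untrusted) and Ollie's point about escaping output fit together in one short PHP example. This is added code for this page, not code from either poster or from phpCCore; it assumes the `pdo_sqlite` extension is available and uses an in-memory database, with the `comments` table and its rows constructed for the demo. The `validateSessionCookie` shape (64 lowercase hex characters) is an assumption about how the application issues its own IDs.

```php
<?php
// Added example (not from the thread): validate on input, bind parameters in
// queries, escape on output. In-memory SQLite so it runs stand-alone; the
// table and rows below are constructed demo data.

declare(strict_types=1);

/** A value that must be a number is checked as a digit string first, then
 *  converted. Returns null for anything else (signs, spaces, quotes...). */
function validateNumericId(string $raw): ?int
{
    // ctype_digit rejects signs, whitespace, decimals and non-ASCII bytes.
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

/** A session cookie is client data too: accept only the exact shape the
 *  application issues (assumed here: 64 lowercase hex characters). */
function validateSessionCookie(string $raw): ?string
{
    return preg_match('/^[0-9a-f]{64}$/', $raw) === 1 ? $raw : null;
}

/** Look up a comment by id with a bound parameter. A quote inside a
 *  malicious id never reaches the SQL parser, so nothing needs filtering. */
function fetchComment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape for an HTML text or attribute context. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Ollie's point: stored text is escaped at the moment it is written into
 *  HTML, not when it is received, so "<" in a name is displayed, not run. */
function renderComment(array $row): string
{
    return '<p><b>' . escapeHtml($row['author']) . '</b>: ' . escapeHtml($row['body']) . '</p>';
}

// --- demo with constructed data -------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO comments (author, body) VALUES (:a, :b)');
// An apostrophe in the name and markup in the body are legitimate input;
// neither is mangled on the way in, and both are rendered harmlessly.
$ins->execute([':a' => "O'Brien", ':b' => 'Hello <script>alert(1)</script>']);

foreach (["1", "1 OR 1=1", "1'; DROP TABLE comments;--", "-1", "2"] as $raw) {
    $id = validateNumericId($raw);
    if ($id === null) {
        echo "rejected input: " . escapeHtml($raw) . "\n";
        continue;
    }
    $row = fetchComment($db, $id);
    echo $row === null ? "no such comment\n" : renderComment($row) . "\n";
}

var_dump(validateSessionCookie(str_repeat('ab', 32)));   // accepted shape
var_dump(validateSessionCookie('../../etc/passwd'));    // rejected
```

The split matters: validating input narrows the shape of data to what the application expects, bound parameters keep whatever survives out of the SQL grammar, and escaping at output keeps it out of the HTML grammar. Stripping quotes and angle brackets on the way in, as the list above suggests, both damages legitimate data (the name O'Brien) and still misses contexts the filter did not anticipate.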