PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I am trying to make a login routine that is a bit safer than just setting a session upon login and checking for its existence to allow access to secure areas. There are some pretty detailed routines like http://www.devshed.com/c/a/PHP/Creating ... in-Script/ but I was wondering if something simpler would still give pretty good security.
Yes (usually I use the first 9 digits, but AOL, "ffs").
From my experience, AOL users always have the same first 6 IP digits. I just had problems with a phpBB forum; others haven't reported any problems, so I can't say 100%.
AOL, just because they were the only ones I had problems with.
If $REMOTE_ADDR == $_SERVER['REMOTE_ADDR'], then instead of 6 use 7, because of the dot (.).
I would say that it's OK, but you can also check the browser because of session hijack attempts if it is happening from the same network (only checking 6 numbers in the IP).
Probably some phpDN gurus can give you extra info, so wait till tomorrow (hopefully sooner).
Yes, it should be $_SERVER['REMOTE_ADDR'] for when register_globals is off. Also, I meant to be getting by address, not name, like gethostbyaddr($_SERVER['REMOTE_ADDR']);. So now we are at...
Yeah, I had run into that when I tested it too. I decided though that it didn't really matter if the IP was in the correct form, since it just has to match the value it set on log-in...
12.345.67 == 12.345.67 fine
123.456.7 == 123.456.7 fine
we could even just drop the dot, but I'm not sure it's necessary either...
1234567 == 1234567 fine.
Think we should go down to 5 digits though? It's not banking software, so it doesn't have to be rock-solid, just a bit harder than creating a session is all.
To me the simple solution is just to use HTTPS. The browser maintains the secured session throughout that transaction. You can embed a hidden value as well so that it will remain the same for that secured session. So even if someone sniffs the session cookie they won't be able to decode the embedded hidden value, as it is encrypted by the key generated by the server and the browser during that session. So the sniffer's browser is getting another secured connection and another key for decoding. (Try understanding HTTPS or SSL. That should clear your doubts about how the HTTPS/SSL handshake is done.) I too had a similar problem when I was creating a wholesaler directory.
The customers have to sign up before they view the directory contents. But later I found the problem of the same account being used momentarily by some bots that spidered my directory. So I used HTTPS with my own certificate and thereafter there was no problem.
Anyway, you must understand that there are limitations to the HTTP protocol. You need to work around these to avoid them.
So, it seems that this method would be "pretty" secure, provided that the first 7 digits of the IP are definitely going to be the same for the same person as they go from page to page. Any more thoughts on this? Should I use 5 digits instead perhaps?
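As an added worked example (not code from any of the posts above, and not phpDN or devshed code), here is the check the thread converges on, written with whole octets instead of a character count, together with the browser check suggested in the second reply. The function names, the session array layout and the sample addresses are assumptions made for this example; the addresses are from the 203.0.113.0/24 documentation range and the user agent strings are constructed, not real traffic. The session is passed in as a plain array so the script runs from the command line without a web server; the comment at the end shows where it would plug into $_SESSION in a real login handler.

```php
<?php
// Added example, not from the thread: bind a PHP session to the client's
// network prefix and browser so a copied session cookie is harder to replay.
// Assumptions: function names, array layout and sample data are hypothetical.

declare(strict_types=1);

/**
 * Network prefix of an IPv4 address, counted in octets rather than characters.
 * Taking "the first 7 characters" of the dotted string covers three octets of
 * 12.34.56.78 but only two of 123.45.67.89, so the width of the binding would
 * vary per client. An octet count is the same width for everyone.
 * Returns null for anything that is not a well-formed IPv4 address.
 */
function ipv4_prefix(string $ip, int $octets): ?string
{
    if ($octets < 1 || $octets > 4
        || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

/**
 * What the login step records. The user agent is stored as a hash so the
 * session store never holds the raw header; 3 octets is a /24, 2 is a /16.
 */
function session_fingerprint(string $remoteAddr, string $userAgent, int $octets = 3): ?array
{
    $prefix = ipv4_prefix($remoteAddr, $octets);
    if ($prefix === null) {
        return null;                       // fail closed on a bad address
    }
    return [
        'ip_prefix' => $prefix,
        'ua_hash'   => hash('sha256', $userAgent),
        'octets'    => $octets,
    ];
}

/**
 * Per-request check: true only if the caller is in the same network prefix
 * and presents the same user agent as the login that created the session.
 */
function fingerprint_matches(array $session, string $remoteAddr, string $userAgent): bool
{
    if (!isset($session['ip_prefix'], $session['ua_hash'], $session['octets'])) {
        return false;                      // session was never bound
    }
    $prefix = ipv4_prefix($remoteAddr, (int) $session['octets']);
    if ($prefix === null) {
        return false;
    }
    return hash_equals($session['ip_prefix'], $prefix)
        && hash_equals($session['ua_hash'], hash('sha256', $userAgent));
}

// --- constructed demonstration data, not captured traffic ---
$ua  = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';
$s24 = session_fingerprint('203.0.113.45', $ua, 3);   // /24: the "7 characters" intent
$s16 = session_fingerprint('203.0.113.45', $ua, 2);   // /16: the "6 digits" loosening

$cases = [
    // [session, address on the next request, user agent, expected result]
    [$s24, '203.0.113.99', $ua,           true],   // same /24, same browser
    [$s24, '203.0.114.45', $ua,           false],  // third octet changed: /24 rejects
    [$s16, '203.0.114.45', $ua,           true],   // same change accepted under /16
    [$s24, '203.0.113.45', 'curl/7.64.0', false],  // same network, different client
    [$s24, 'not.an.ip',    $ua,           false],  // garbage REMOTE_ADDR fails closed
];

foreach ($cases as [$session, $addr, $agent, $expected]) {
    $ok = fingerprint_matches($session, $addr, $agent);
    printf("/%-2d %-14s %-24s => %s\n",
        $session['octets'] * 8, $addr, substr($agent, 0, 24), $ok ? 'accept' : 'reject');
    if ($ok !== $expected) {
        fwrite(STDERR, "unexpected result for $addr\n");
        exit(1);
    }
}
if (session_fingerprint('', $ua) !== null) {
    fwrite(STDERR, "empty address must not produce a binding\n");
    exit(1);
}

// In a real login handler (web context only, not executed here):
//   session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
//   session_start();
//   session_regenerate_id(true);            // fresh id once the user authenticates
//   $_SESSION['fp'] = session_fingerprint($_SERVER['REMOTE_ADDR'],
//                                         $_SERVER['HTTP_USER_AGENT'] ?? '');
// and on every protected page:
//   if (!fingerprint_matches($_SESSION['fp'] ?? [], $_SERVER['REMOTE_ADDR'],
//                            $_SERVER['HTTP_USER_AGENT'] ?? '')) { /* force re-login */ }
```

Run it with `php` on the command line. Two points worth keeping in mind when choosing between 5, 6 or 7 "digits": a prefix match gives no protection against another client behind the same NAT or proxy pool, which is why the user agent is checked as well, and the wider the prefix (the /16 case above), the more of that pool is let in. On the HTTPS suggestion, TLS protects the cookie in transit, but it is the `secure` cookie flag shown in the trailing comment that stops the browser from ever sending the session cookie over plain HTTP, and `session_regenerate_id()` at login is what prevents an attacker from pre-setting the session id.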