I'm going to try to make my site a "members" kind of thing.
What do you guys recommend looking into about making it secure, and handling members-only content and public content?
opinion on passwords
Moderator: General Moderators
- hob_goblin
- Forum Regular
- Posts: 978
- Joined: Sun Apr 28, 2002 9:53 pm
- Contact:
Secure?
Well, if you are worried about a person that's already logged in, I would say two things.
1) DO NOT move sensitive information from page to page using the GET method. That puts all of the info right in the URL. Use the POST method. If you are using the built-in PHP sessions, then it's even easier to deal with.
Now sessions have some security issues as well. There is a document about PHP security that you can check out. Here is the link. http://www.securereality.com.au/studyinscarlet.txt
This is the reason I developed my own sessions handling.
2) You want to make sure that an inactive logged in user is automatically logged out after a set period of time. I set it at 15 minutes.
Something to consider about logging in and using MD5(). MD5() doesn't do any good until the password has reached the server. What that means is anyone that captures the information between the user's browser and the server can see and read the password in PLAIN TEXT. That said, I do JavaScript MD5() and send the password that way. The added bonus is that it's less processing I have to do server side.
Later on,
BDKR (TR Cox)
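As an added example, not code from BDKR's post or from any project, here is one way to implement the two points above with PHP's built-in sessions: credentials are accepted only from a POST body, the session ID is carried only in a cookie (never in the URL), and an idle user is logged out after 15 minutes. The user store and the `verify_credentials()` helper are constructed for the example; a real site would read hashes from its database. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`, and uses `password_hash()` rather than MD5 for stored passwords.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Idle timeout and POST-only
// login on top of PHP's built-in sessions. Assumes PHP >= 7.3.

const IDLE_LIMIT = 15 * 60; // seconds of inactivity before forced logout

function start_secure_session(): void
{
    // The session ID travels only in a cookie, never in the URL (GET).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser as well.
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns true if a user is logged in and has been active within $limit
// seconds; otherwise ends the session and returns false.
function enforce_idle_timeout(int $now, int $limit = IDLE_LIMIT): bool
{
    if (empty($_SESSION['user_id'])) {
        return false; // nobody is logged in
    }
    $last = $_SESSION['last_activity'] ?? 0;
    if ($now - $last > $limit) {
        logout();
        return false;
    }
    $_SESSION['last_activity'] = $now; // activity seen: push the deadline out
    return true;
}

// Constructed sample user store for this example (hypothetical user "alice").
function verify_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false; // credentials are accepted from a POST body only
    }
    if (!verify_credentials($user, $password)) {
        return false;
    }
    // Fresh ID on login so an ID handed out before login cannot be fixated.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user;
    $_SESSION['last_activity'] = time();
    return true;
}

// Guard at the top of every members-only page:
start_secure_session();
if (!enforce_idle_timeout(time())) {
    header('Location: /login.php', true, 303);
    exit;
}
```

One caveat on the MD5-in-JavaScript idea in the post above: hashing in the browser hides the cleartext from a passive listener, but whoever captures that hash can replay it to log in, so the hash is the password as far as the server is concerned. Only transport protection (HTTPS, which the `secure` cookie flag above assumes) keeps the credential, hashed or not, away from someone sitting between browser and server.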
I have read http://www.securereality.com.au/studyinscarlet.txt and I see no general fault in PHP implementations. Upgrade your PHP version (if necessary), turn register_globals off and keep an open eye on those security risks.
PHP and security
The things mentioned as potential issues with PHP's implementation of sessions are enough for me.
Are you sure you read the section concerning sessions?
Also, developers can't just simply rely on PHP to fix all issues or be watchful for them. The changes that have been made in PHP are indeed good, but does that mean that some clever dodger isn't going to find other issues? As developers, we in the PHP community have to be as paranoid about security as everybody else.
That said, I will not use PHP's implementation of sessions when I feel mine is "more" secure. Notice also that I said "more" secure. Not totally secure.
later on,
BDKR (TR COX)
OK, OK, I agree there are pitfalls a developer/admin is invited to step in. But before reimplementing a "basic" framework feature I try to make the most of it (and sometimes I don't).
When I started to earn my money with developing I was eager to do it all on my own (it's not in <stdio.h> or <stdlib.h> - I have to implement it).
Maybe I changed sides a little bit too much.