
PHP Login Script Ready To Install and Configure??

Posted: Wed Apr 16, 2008 4:34 pm
by french2080
Hello,

Does anyone know of an already built script for user login accounts available for download? Similar to WordPress, except without the blog, just the database creations and local host info. That would be great for me to study while I duplicate one on my website.

-Chad-

Re: PHP Login Script Ready To Install and Configure??

Posted: Fri Apr 18, 2008 11:55 am
by samb0057
Check out my blog at http://www.sambarrow.com.

There is an advanced login script on there that includes brute-force protection (user is allowed X login attempts before they are locked out for N minutes).

Re: PHP Login Script Ready To Install and Configure??

Posted: Sat Apr 19, 2008 12:17 am
by Mordred
samb0057 wrote: There is an advanced login script on there that includes brute-force protection (user is allowed X login attempts before they are locked out for N minutes).

It has several security problems:
1. Denial of service by locking out arbitrary accounts
2. User enumeration by specific error messages
3. Unsalted passwords (looks like it at least)

(4. Bad API design, esp. on the escaping mechanisms, but that's more of a subjective sin)

I wouldn't call it "advanced" until there are precautions against the entire (or at least much larger parts of the) attack tree against logins.
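
The three numbered problems above, addressed in one login check. This is an added example, not code from the thread or from the script being discussed; the in-memory `$users` and `$fails` arrays, the `login()` function, the limits and the addresses are constructed for illustration, and it assumes PHP 7.4 or later.

```php
<?php
const MAX_FAILS = 5;    // failures allowed per (username, IP) pair (assumed limit)
const WINDOW    = 900;  // seconds a failure keeps counting (assumed)
const GENERIC   = 'Invalid username or password.';

// Constructed stand-ins for database tables.
// password_hash() picks a random salt per password and stores it in the hash string.
$users = ['chad' => password_hash('correct horse', PASSWORD_DEFAULT)];
$dummy = password_hash('unused placeholder', PASSWORD_DEFAULT); // verified for unknown users
$fails = [];            // "username|ip" => timestamps of recent failures

function login(string $user, string $pass, string $ip, int $now): array
{
    global $users, $dummy, $fails;
    $name = strtolower($user);
    $key  = $name . '|' . $ip;

    // Drop failures that have aged out of the window.
    $fails[$key] = array_filter($fails[$key] ?? [], fn($t) => $t > $now - WINDOW);
    if (count($fails[$key]) >= MAX_FAILS) {
        // Only this client is slowed down; the account itself is never locked,
        // so a third party cannot lock the owner out. Same reply for any username.
        return [false, 'Too many attempts, try again later.'];
    }

    // Always run password_verify(), against a dummy hash when the user is
    // unknown, so both failure cases cost the same and return the same text.
    $known = isset($users[$name]);
    $ok    = password_verify($pass, $known ? $users[$name] : $dummy) && $known;
    if (!$ok) {
        $fails[$key][] = $now;
        return [false, GENERIC];
    }
    unset($fails[$key]);
    return [true, 'Welcome.'];
}

// Constructed scenario: six bad guesses from one address, then the owner logs in.
for ($i = 0; $i < 6; $i++) {
    login('chad', "guess$i", '203.0.113.9', 1000 + $i);
}
var_dump(login('chad', 'correct horse', '203.0.113.9', 1010));   // same address as the guesses
var_dump(login('chad', 'correct horse', '198.51.100.7', 1010));  // owner from another address
var_dump(login('nobody', 'x', '198.51.100.7', 1011));            // unknown user
var_dump(login('chad', 'x', '198.51.100.7', 1012));              // wrong password, real user
```

Throttling per username and address does not slow guessing that is spread across many addresses; that needs a separate control such as a global rate limit.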

Re: PHP Login Script Ready To Install and Configure??

Posted: Sun Apr 20, 2008 3:06 pm
by french2080
Cool,

I will look at these things and try to see if I can figure out the code. It is just that ever since I started learning HTML and CSS styling I had an application to work off of, and I was able to pick up the language rather quickly. I am finding it to be a challenge right now using PHP and understanding all the functions. But again, thanks for the link; I will try it out and hopefully have a response.

-Chad- :wink:

Re: PHP Login Script Ready To Install and Configure??

Posted: Mon Apr 21, 2008 12:47 am
by matthijs
Picking up PHP is a bit more difficult than HTML and CSS. And more importantly, the consequences of doing something wrong are much, much bigger (I'm thinking about security).

A login system is something quite difficult to do well. Many ways to do it wrong (and insecure). I'd be careful in just putting up something on your server and trusting that. I don't know what you're planning to do with it, but it's just a suggestion.