Security Precautions
CraniumDesigns
- Forum Newbie
- Posts: 18
- Joined: Fri Nov 07, 2003 1:35 am
Security Precautions
Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files. How can I go about doing this? What are some general security precautions that should eb taken before a site of this magnitude is published?
Re: Security Precautions
CraniumDesigns wrote: Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files.
- Minimize the amount that has to be stored in .inc files
- Make your .inc files .inc.php files with a 'cannot access directly' header
- Use htaccess to prevent direct access of the .inc.php files
- Use good coding practices like defining variables and not trusting user input.
Those are good general approaches to ensuring general security and preventing direct access to your .inc files.
As to login/pass info, it can be more complex.
First and foremost, md5() the password against a time-based session stamp. By doing so, you remove the ability to sniff the password cleartext (it's sent in md5 form), and you reduce the amount of time the attacker can do a replay attack to roughly 5-15 minutes (while the user is logging in).
If you also ensure that the session stamp clears upon login, then it will be virtually impossible to replay the login!
Of course if you really want HIGH security, you should use SSL, but a solid CHAP/md5 login sequence (as described above) should get you most of the security you'll need.
More information on CHAP logins (with example backend scripts in php) available here: http://pajhome.org.uk/crypt/md5/chaplogin.html
More information on md5 passwords via javascript (again, with example scripts) available here: http://pajhome.org.uk/crypt/md5/
That is the method Yahoo uses for sections that don't use SSL.
- scorphus
- Forum Regular
- Posts: 589
- Joined: Fri May 09, 2003 11:53 pm
- Location: Belo Horizonte, Brazil
- Contact:
Re: Security Precautions
CraniumDesigns wrote: (...) I want is secure and not readable, especially my inc files. How can I go about doing this? (...)
There is a tutorial posted by jason on this matter: Protecting your .inc files.
Regards,
Scorphus.