authentication
Posted: Thu Sep 19, 2002 8:19 am
by grcodal
Posted: Thu Sep 19, 2002 8:48 am
by nielsene
If you can run a Certificate Authority, the "most" secure way would probably be to use both client and server certificates for two-way SSL authentication. I haven't implemented this type of system yet, but keep meaning to try it.
If you can't run your own CA, then you're probably stuck with a solution using some combination of SSL, PHP, and MySQL. There are numerous tutorials on creating login systems. The things to look for in a good one:
stored hashed passwords only, preferably also salted
works with SSL (most do if you change the http:// to https:// and have an SSL enabled server)
contains an email address confirmation step
validates all user data
Other useful features to investigate:
Is any attempt made to detect Session Hijacking?
-- ex. do all requests in a session originate from the same client IP?
Are login tokens (cookies) time limited to reasonable lengths?
-- do you allow auto-login? do you trust the exp-time sent in the cookie?
What information is logged?
-- every successful, unsuccessful login?
How are brute force attacks limited?
-- time delays on login, retry counters, etc?
As you'll hear many times, there is no such thing as "perfect" security. Many people here are happy with systems based on tutorials that miss one or more element of my "required" list (often the SSL), some use JavaScript to fake it, but I can't agree with it.
You always need to ask yourself
1) What happens if a user account is compromised? What can the malicious user now do?
2) Is your site high visibility? Will people be trying to break in?
In my opinion, if your site needs a login, you should aim to make your site more secure than the average similar site out there. Let those other sites be your "honeypots" and attract the bad guys. If your information/service is of minor interest to the cracking public and you've made it non-trivial to crack, they'll go elsewhere.
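As an added illustration of the checklist in the reply above (not code from the original thread, and written in Python rather than the PHP/MySQL stack it mentions), here is a small in-memory login store: salted PBKDF2 password hashes, a retry counter with lockout, and session tokens whose expiry is tracked on the server rather than trusted from the cookie and which are bound to the client IP. The class, function names and thresholds are all assumptions for the example.

```python
import hashlib, hmac, os, secrets, time

SESSION_TTL = 15 * 60        # seconds; the server, not the cookie, decides when a session expires
MAX_FAILURES = 5             # retry counter: failures allowed before the account is locked
LOCKOUT_SECONDS = 10 * 60    # how long a locked account stays locked (assumed value)

def hash_password(password, salt=None):
    """Return (salt, digest): a random per-user salt plus a PBKDF2-SHA256 hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class LoginStore:
    def __init__(self):
        self.users = {}      # name -> {"salt", "hash", "failures", "locked_until"}
        self.sessions = {}   # token -> {"user", "ip", "expires"}  (server-side session state)

    def register(self, name, password):
        salt, digest = hash_password(password)   # only salt + hash are stored, never the password
        self.users[name] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

    def login(self, name, password, client_ip, now=None):
        """Return a session token on success, None on failure or lockout (same answer for both)."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        if user is None or now < user["locked_until"]:
            return None
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]):   # constant-time comparison
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCKOUT_SECONDS
            return None
        user["failures"] = 0
        token = secrets.token_urlsafe(32)    # opaque random cookie value; no expiry time inside it
        self.sessions[token] = {"user": name, "ip": client_ip, "expires": now + SESSION_TTL}
        return token

    def check_session(self, token, client_ip, now=None):
        """Accept the cookie only if it is known, unexpired by the server's clock, and from the same IP."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None or now >= s["expires"] or s["ip"] != client_ip:
            self.sessions.pop(token, None)   # expiry or an IP change ends the session outright
            return None
        return s["user"]
```

A real deployment would log each successful and unsuccessful login attempt and keep the user and session tables in the database rather than in memory.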