PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours

Posted: Wed Jan 08, 2014 12:53 am
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Always glad to help a student who wants to learn! Let me offer a general comment that may be useful in many situations: Try not to get so buried in coding details that you lose sight of the actual objectives--for security matters, always ask yourself exactly what you are trying to protect against before you even begin to determine what kind of code you will use. For example, are you trying to protect against someone making a deliberate attempt to gain access to a particular user's account? Or maybe an attack that might allow a hacker to gain access to your database, thereby capturing ALL of the user passwords and other user data? Or gaining access to the server's control system, or even destroying data on the server, etc. etc. You might think, "Sure, ALL of those!", but you need to consider all those possibilities, and then evaluate your preliminary choices for methods to see whether they would be effective against the specific threats that you are trying to protect against. "Security" isn't just one big basket, it's a careful consideration of each and every potential threat, and most of those require different strategies to protect against. Passwords are only one part of security and do not protect against Denial of Service attacks, for example. Just some thoughts for you to consider.


Posted: Wed Jan 08, 2014 1:13 am
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
@Celauran interesting idea; I was struggling with the idea of how to get a password (a new one) to the user, but this seems like it could work in a system where there isn't an option to email. Something I would add to this is a time-limited option where a user would have x amount of time to change their password before the temporary password expires.


Posted: Wed Jan 08, 2014 4:13 am
Forum Newbie
Joined: Tue Jan 07, 2014 10:11 am
Posts: 3
What if the account holder wants to change his password?
I am echoing the password taken from the database to a password input field. It's still hashed, so the text field contains a lot of dots.

How do I unhash the password so it matches the number of characters echoed in the text field? Or is there any other way?


Posted: Wed Jan 08, 2014 8:48 am
Moderator
Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6224
Location: Montreal, Canada
You can't unhash. That's the whole point of hashes. If you want to allow the user to change their password, have three fields: existing, new, new repeated. When the form is submitted, hash the existing password and compare it against what's in the database, then compare the new and new repeated fields. If both tests pass, update the password with the hash of the new password.
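
The three-field flow described in the post above, as an added example that is not part of the original thread or the tutorial's code. It uses PHP's built-in `password_hash()`/`password_verify()` (PHP 5.5+) in place of the tutorial's PasswordHash.php; the existing password is checked through the verify function because a salted hash cannot be regenerated and compared as a string. The `users` table, its `id` and `password_hash` columns, and the function name `changePassword()` are assumptions.

```php
<?php
// Added example: change-password handler (existing, new, new repeated).
// Assumed, not from the thread: a PDO handle, a `users` table with `id` and
// `password_hash` columns, and the name changePassword(). Needs PHP 7+ for
// the scalar type declarations and the pdo_sqlite extension for the demo.

function changePassword(PDO $db, int $userId, string $current, string $new, string $repeat): array
{
    $errors = [];

    // Load the stored hash. It is only compared, never echoed into a form.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();

    // Test 1: the existing password must verify against the stored hash.
    // password_verify() re-derives the hash with the salt embedded in $stored.
    if ($stored === false || !password_verify($current, $stored)) {
        $errors[] = 'Current password is incorrect.';
    }

    // Test 2: the new password and its repeat must be non-empty and equal.
    if ($new === '' || $new !== $repeat) {
        $errors[] = 'New passwords do not match.';
    }

    if ($errors) {
        return $errors;
    }

    // Both tests passed: store only the hash of the new password.
    $update = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $update->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);

    return [];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?)')
   ->execute([password_hash('old-secret', PASSWORD_DEFAULT)]);

// First call supplies a wrong existing password, second the correct one.
var_dump(changePassword($db, 1, 'wrong', 'n3w-secret', 'n3w-secret'));
var_dump(changePassword($db, 1, 'old-secret', 'n3w-secret', 'n3w-secret'));
```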


Posted: Sun Jun 29, 2014 4:31 pm
Forum Newbie
Joined: Sun Jun 29, 2014 4:26 pm
Posts: 1
Great tutorial, thank you, although I am having a slight problem:

Managed to register a user. I can see the user in the database and the hashed passcode, but I am not able to log in. The only changes I have made are the db connection details. I haven't touched the PasswordHash.php file.
When I try to log in I get the "login failed" message.

Any idea what I might be doing wrong?

Many thanks again.


Posted: Sun Jun 29, 2014 9:26 pm
Moderator
Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6224
Location: Montreal, Canada
Could be that a user wasn't returned, could be that CheckPassword failed. You'd need to step through the code to see which is the case.


Posted: Mon Oct 13, 2014 4:52 am
Forum Newbie
Joined: Fri Aug 22, 2014 4:52 am
Posts: 4
Location: Austin, Texas USA
Thanks for the informative tutorial.


Posted: Thu Jun 11, 2015 9:29 pm
Forum Newbie
Joined: Thu Jun 11, 2015 8:44 pm
Posts: 1
Very nice tutorial. Very informative.


Posted: Mon Oct 24, 2016 5:33 pm
Forum Newbie
Joined: Mon Oct 24, 2016 5:28 pm
Posts: 1
I can't download the zip file. It seems to have been removed.
Can you suggest where I could find a complete secure login & logout system?

Thanks in advance, I have been looking for this for a long time.
Best regards,
Ercola :banghead:


Posted: Wed Mar 22, 2017 5:20 am
Forum Newbie
Joined: Sun Feb 05, 2017 10:38 am
Posts: 7
Kindly share the tutorials of the members page where they can check and update their profile and orders payment etc.

