I'm pounding through some login system tutorials for a big site I'm setting up. Getting an EV SSL is in the works and I've set up WAMP with a self-signed certificate.
Unfortunately, most of the PHP/MySQL security discussions revolve around non-SSL-enabled websites and I have yet to actually use SSL for a website. My question is: with an SSL-enabled website, what methods of security normally discussed should I still be using, and what methods do I no longer need to worry about?
Looking for some code specifics if possible!
SSL and security needs for login system
Re: SSL and security needs for login system
SSL is really "just" a secured pipe between Apache (or whichever server you are using) and the client. Whether you are serving static HTML or dynamic PHP doesn't matter - all transfers are handled by your server and the job is done at the socket level. So, you shouldn't have to amend your code to start using SSL.
Now, you may still use openssl's functionality in PHP, but you could use it with or without SSL sockets. E.g. see http://www.php.net/manual/en/function.o ... ecrypt.php
So, you could encrypt some data with a key, but if you want the other side to decrypt it, you still need to pass the key somehow, so it's probably not particularly useful to you (or much more secure than standard hashing would be).
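To make the reply above concrete, here is an added example (not code from the thread or from the evolt.org script) of a minimal PHP/MySQL login that keeps the controls TLS does not replace: password hashing at rest, prepared statements, secure session cookie flags and an HTTPS-only policy. The table layout (users: id, username, pw_hash), the PDO DSN and credentials, APP_HOST, and PHP 7.3+ are assumptions.

```php
<?php
// Added example, not from the forum thread. Assumed schema: users(id, username, pw_hash).
declare(strict_types=1);

const APP_HOST = 'www.example.com';   // assumed canonical hostname, not taken from Host header

// TLS secures the wire only; refuse to handle credentials over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . APP_HOST . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// Cookie flags still matter with TLS: Secure keeps the session id off any plain-HTTP
// request, HttpOnly keeps it from script, SameSite limits cross-site request forgery.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Assumed DSN and credentials (placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'DB_PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

function register(PDO $pdo, string $user, string $password): void
{
    // A salted, slow hash protects the stored copy; TLS only protected it in transit.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function login(PDO $pdo, string $user, string $password): bool
{
    // Prepared statement: SQL injection is unaffected by the transport layer.
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after authentication
    $_SESSION['uid'] = (int) $row['id'];
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    echo $ok ? 'Logged in' : 'Invalid credentials';
}
```

What TLS does remove the need for is client-side hashing or hand-rolled encryption of the password in the request body; everything in this block is still required.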
Re: SSL and security needs for login system
Not entirely sure I understand - but maybe.
For instance, take a look at this simple login setup:
http://www.evolt.org/node/60384
I'm not saying I'm using this code, but just purely as an example of the typical login scripts out there, what portions of this could be entirely removed, if anything, thanks to using an SSL certificate?