SSL and security needs for login system

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

midimid
Forum Newbie
Posts: 3
Joined: Mon Jul 20, 2009 4:01 pm

SSL and security needs for login system

Post by midimid »

I'm pounding through some login system tutorials for a big site I'm setting up. Getting an EV SSL is in the works and I've setup WAMP with a self-signed certificate.

Unfortunately, most of the PHP/MySQL security discussions revolve around non-SSL enabled websites and I have yet to actually use SSL for a website. My question is - with an SSL enabled website - what methods of security normally discussed should I still be using, and what methods do I no longer need to worry about?

Looking for some code specifics if possible!
dejan
Forum Newbie
Posts: 8
Joined: Tue Dec 21, 2010 6:11 am

Re: SSL and security needs for login system

Post by dejan »

SSL is really "just" a secured pipe between Apache (or whichever server you are using) and the client. Whether you are serving static HTML or dynamic PHP doesn't matter - all transfers are handled by your server and the job is done on socket level. So, you shouldn't have to amend your code to start using SSL.

Now, you may still use openssl's functionality in PHP, but you could use it with or without SSL sockets. E.g. see http://www.php.net/manual/en/function.o ... ecrypt.php

So, you could encrypt some data with a key, but if you want the other side to decrypt it, you still need to pass the key somehow, so it's probably not particularly useful to you (or much more secure than standard hashing would be).
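As an added example (not code from this thread or from any tutorial it links), here is the part of a PHP login handler that SSL/TLS does not make redundant: parameterised queries, slow password hashing, session id regeneration, Secure/HttpOnly cookie flags and a CSRF token. It assumes PHP 7.3 or later and a hypothetical `users(id, username, password_hash)` table; the DSN is a placeholder.

```php
<?php
declare(strict_types=1);

// Cookie scope must be fixed before the session starts: without the
// Secure flag the browser will still send the session cookie over
// plain http://, and TLS does nothing about that.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32)); // per-session CSRF token
}

function login(PDO $db, string $username, string $password): bool
{
    // SQL injection: TLS encrypts the query in transit, not its content.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Password storage: a dumped database is a plaintext-independent risk,
    // so compare against a salted slow hash. The dummy hash for unknown
    // users keeps the response time similar either way.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }

    // Session fixation: issue a fresh session id when privilege changes.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // CSRF: an encrypted channel does not prove the user meant to send this.
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit;
    }
    $db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER', 'user', 'pass');
    $ok = login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    // Redirect after POST; the error stays generic so it does not reveal
    // whether the username or the password was wrong.
    header('Location: ' . ($ok ? '/home' : '/login?error=1'));
    exit;
}
```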
midimid
Forum Newbie
Posts: 3
Joined: Mon Jul 20, 2009 4:01 pm

Re: SSL and security needs for login system

Post by midimid »

Not entirely sure I understand - but maybe.

For instance, take a look at this simple login setup:
http://www.evolt.org/node/60384

I'm not saying I'm using this code, but just purely as an example of the typical login scripts out there, what portions of this could be entirely removed, if anything, thanks to using an SSL certificate?