https logins

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

https logins

Post by social_experiment »

When writing a login system, are there any considerations to take into account if the login takes place over a https connection? Would I have to make changes to existing code that works over a standard http connection?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: https logins

Post by requinix »

No: it'll work the exact same way. All SSL does is encrypt the connection between the user and your server - what's said and done in that communication doesn't change.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: https logins

Post by social_experiment »

Cool; thanks for the reply
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: https logins

Post by flying_circus »

The short answer is, it depends.

Are you using dedicated or shared SSL? If you are using shared SSL, then you will probably need to force the session id to be passed in the address when transitioning from https to http and vice versa.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: https logins

Post by social_experiment »

flying_circus wrote: Are you using dedicated or shared SSL?
At the moment I am unsure of this, I won't be handling the hosting. By 'force the session id to be passed', do you refer to passing the session id along in the query string?
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: https logins

Post by flying_circus »

Yes, I've found that to be the easiest way, but as soon as the request is received through https (or vice versa) I regenerate the id.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: https logins

Post by flying_circus »

I've been giving more thought to your original question, and figured I'd take a little more time to weigh in.

I classify login/registration systems in 2 ways, private and public.

Private:
I build a website and my client wants to log in through a web portal to change aspects of the site. There are no user registrations as they don't offer "accounts" to their customers. Basically they do not offer any account registrations for anyone outside of their company.

Public:
The most typical scenario is e-commerce where website visitors can register and create an account.


If you are going to offer a public registration, you need to get a dedicated SSL certificate signed by one of the trusted certificate authorities (GeoTrust, VeriSign, etc). This also requires a static IP address, which will cost a few bucks more each month.

If you are only offering private access, then you have a decision to make. You can use a shared SSL certificate or a self-signed certificate.

Let's talk self-signed first, it's a shorter discussion.

Self-Signed Certificate:
This also requires a static IP, so it will cost a few extra bucks per month, but you will remain at the same domain for the entire transaction (read next section for clarification). This means it will function as you expect, either http://example.com or https://example.com. This is an easy solution from a development standpoint, but your client will receive a warning "The security certificate presented by this website was not issued by a trusted certificate authority." and they will have to click the link "Continue to this website (not recommended).". Not usually an issue if you take the time to educate your client.

Shared SSL:
Does not require a static IP, but your address will change when moving between http/https sections of the website. The difference is easy to see: http://example.com and https://secure.mywebhost.com/~example. The problem is, cookies are tied to domain names, so when you go from example.com to mywebhost.com/~example (or vice versa) your session will not persist, logging your users out. You can get around this by doing the trick I suggest above; your application will need to propagate the session variable through a POST or GET var. This however brings up a host of other concerns on session based attacks, so make sure you regenerate the session id when a request is received like this.

Other thoughts on Shared SSL:
Most browsers are becoming more strict about mixed content. They will display a prompt asking "Do you want to display only secure content on this page?" if you are pulling the request over https and other parts of the page (like javascripts, stylesheets, or images) over http. Let's face it, those things don't really need to come over https anyway.

Another consideration is that some webhosts (specifically bluehost and I don't know who else) are throttling the data coming through their shared SSL server. They will truncate the request after x number of bytes. I have a project that includes some external scripts such as jquery, and the https stream truncates in the middle of the jquery javascript file. The only option is to pull it over an http connection.


Anyway, this post has turned more to rambling than anything, so hopefully you learned at least 1 thing new from it. Lunch Time! 8)
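One way to do the session hand-off flying_circus describes (carry the id across the http://example.com to https://secure.mywebhost.com/~example hop, then regenerate it on arrival). This is an added example, not code from the thread; the parameter name `sid`, the function names and the id pattern are assumptions.

```php
<?php
// Added example, not from the thread. Moves a PHP session across the
// http://example.com <-> https://secure.mywebhost.com/~example hop by
// passing the id in the query string, then retires that id immediately.
// HANDOFF_PARAM and the function names are assumptions.

const HANDOFF_PARAM = 'sid';

/** Build the link to the other host, appending the current session id. */
function handoff_url(string $targetBase, string $path): string
{
    // Only hand off an active session; never emit an id we did not create.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $targetBase . $path . '?' . HANDOFF_PARAM . '=' . urlencode(session_id());
}

/** Resume a handed-off session and immediately replace its id. */
function resume_handoff_session(array $request): bool
{
    $sid = $request[HANDOFF_PARAM] ?? null;
    // PHP session ids use [0-9a-zA-Z,-] (22..256 chars depending on
    // session.sid_length); reject anything else before it reaches the
    // session save handler.
    if ($sid === null || !preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $sid)) {
        return false;
    }
    session_id($sid);      // must be set before session_start()
    session_start();
    // The id travelled in a URL (browser history, Referer headers, proxy
    // and server logs), so discard the old session file and issue a fresh
    // id as a cookie on this host.
    session_regenerate_id(true);
    return true;
}

// Usage on the receiving host (constructed call):
if (!resume_handoff_session($_GET)) {
    session_start();   // no hand-off parameter: ordinary same-host request
}
```

The regeneration limits how long the id that appeared in the address bar stays valid; with `session.use_strict_mode` enabled, PHP will also refuse to adopt an id that does not already exist in the save handler.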
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: https logins

Post by social_experiment »

:) thank you for the description; as I mentioned I won't be handling the hosting but it was worthwhile reading which issues there might be should SSL be used. If it is used the more likely option will be the private login system and user registration will be done by the administrator/s so no public registration will be present.