Secure Login

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

isheikh
Forum Newbie
Posts: 6
Joined: Mon Mar 07, 2005 5:26 am

Secure Login

Post by isheikh »

Hi,

I am designing a site and need an extremely secure PHP login module. Can anyone suggest one? I am happy to pay for one, but it has to be securer than the average ones available. Thanks.

Imran
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

It appears client-side SSL certificates would be the most secure auth method widely available. But is it worth the hassle?
isheikh
Forum Newbie
Posts: 6
Joined: Mon Mar 07, 2005 5:26 am

Post by isheikh »

Thanks. What is the other option if we don't want to use certs? Certs are too much of a hassle. They would also slow things down.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Simpler options would be: The first method would require JS turned on on the client's computer (and it's as vulnerable to cookie theft attacks as any other session-based auth).

The second method effectively prevents cookie theft, but login credentials are easily intercepted by ordinary traffic sniffing.

HTTP basic auth over an SSL connection is something you might consider.
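A minimal version of the Basic-auth-over-SSL approach Weirdan suggests, added here as an example and not code from the thread: it refuses to issue or accept Basic credentials unless the request arrived over TLS, and checks the password against a stored hash rather than a plaintext copy. The user name, password and realm are constructed for the example, and it assumes a SAPI (mod_php or php-fpm) that exposes PHP_AUTH_USER and PHP_AUTH_PW.

```php
<?php
declare(strict_types=1);

// Constructed user store for this example only. On a real site the hashes live
// in a database; password_hash() runs once when the account is created.
function sampleUsers(): array
{
    return ['imran' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
}

// Basic auth only base64-encodes the credentials, so anyone sniffing the wire
// can read them unless the request came in over TLS. Apache sets
// $_SERVER['HTTPS'] to "on"; IIS sets it to "off" for plain HTTP.
function requestIsTls(array $server): bool
{
    return isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
}

// Returns the authenticated username, or null if the browser must be challenged.
function authenticate(array $server, array $users): ?string
{
    if (!requestIsTls($server)) {
        return null;
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    // Verify against a dummy hash for unknown users as well, so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $users[$user] ?? $dummy);
    return ($ok && isset($users[$user])) ? $user : null;
}

// Request handling when run under a web server (assumed: the SAPI fills
// PHP_AUTH_USER/PHP_AUTH_PW from the Authorization header, as mod_php does).
if (PHP_SAPI !== 'cli') {
    if (!requestIsTls($_SERVER)) {
        // Do not even prompt for credentials over plain HTTP.
        http_response_code(403);
        exit('This page is only available over HTTPS.');
    }
    $who = authenticate($_SERVER, sampleUsers());
    if ($who === null) {
        header('WWW-Authenticate: Basic realm="Members"');
        http_response_code(401);
        exit('Login required.');
    }
    echo 'Welcome, ', htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
}
```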
isheikh
Forum Newbie
Posts: 6
Joined: Mon Mar 07, 2005 5:26 am

Post by isheikh »

Thanks a lot for all your help, really appreciate it. I think i will probably go with SSL. Thanks again.

Imran
php_hacker
Forum Newbie
Posts: 7
Joined: Mon Mar 07, 2005 3:44 pm

Post by php_hacker »

Weirdan wrote: Simpler options would be: The first method would require JS turned on on the client's computer (and it's as vulnerable to cookie theft attacks as any other session-based auth).

The second method effectively prevents cookie theft, but login credentials are easily intercepted by ordinary traffic sniffing.

HTTP basic auth over an SSL connection is something you might consider.
Nice link there....
pdoersch
Forum Newbie
Posts: 12
Joined: Sun Mar 06, 2005 1:09 pm

Post by pdoersch »

I was just coming up with my own "home-grown" security method, but a little bit of math is required to at least understand this. It only had one user, though, as it is, but several could be worked into it. The general idea is that the server sends a random number to the client. The user puts in the passNUMBER, which is a big prime. Then the magic...

( passNumber mod rand# ) = temporaryPassnumber

temporaryPassnumber gets sent to the server, which does the same math on its side, and if they get the same answer, then you're in.

Any bad guy could easily find the rand# and the tempPass, but they couldn't do anything with them anymore, and there would be infinite solutions when they try to find the original pass number. The original passnumber is not sent through the internet, and one can't work backwards to find it. Now, the random number had to be around 1000 to 100000 within reason, and the passnumber I have is a 9-digit prime. If anyone actually wants to see my code to figure this out in more depth, send me a message. PHP and some JavaScript were used here.