
Secure Login

Posted: Mon Mar 07, 2005 5:29 am
by isheikh
Hi,

I am designing a site and need an extremely secure PHP login module. Can anyone suggest one? I am happy to pay for one, but it has to be more secure than the average ones available. Thanks.

Imran

Posted: Mon Mar 07, 2005 6:25 am
by Weirdan
It appears client-side SSL certificates would be the most secure auth method widely available. But is it worth the hassle?

Posted: Mon Mar 07, 2005 6:28 am
by isheikh
Thanks. What is the other option if we don't want to use certs? Certs are too much of a hassle. They would also slow things down.

Posted: Mon Mar 07, 2005 6:46 am
by Weirdan
Simpler options would be: the first method would require JS turned on on the client's computer (and it's as vulnerable to a cookie theft attack as any other session-based auth).

The second method effectively prevents cookie theft, but login credentials are easily intercepted by ordinary traffic sniffing.

HTTP basic auth over an SSL connection is something you might consider.

Posted: Mon Mar 07, 2005 6:56 am
by isheikh
Thanks a lot for all your help, really appreciate it. I think i will probably go with SSL. Thanks again.

Imran

Posted: Mon Mar 07, 2005 3:56 pm
by php_hacker
Weirdan wrote:Simpler options would be: the first method would require JS turned on on the client's computer (and it's as vulnerable to a cookie theft attack as any other session-based auth).

The second method effectively prevents cookie theft, but login credentials are easily intercepted by ordinary traffic sniffing.

HTTP basic auth over an SSL connection is something you might consider.
Nice link there....

Posted: Tue Mar 08, 2005 5:26 pm
by pdoersch
I was just coming up with my own "home grown" security method, but a little bit of math is required to at least understand this. It only had one user, as it is, but several could be worked into it. The general idea is that the server sends a random number to the client. The user puts in the passNUMBER, which is a big prime. Then the magic...

( passNumber mod rand# ) = temporaryPassnumber

temporaryPassnumber gets sent to the server, which does the same math on its side, and if they get the same answer, then you're in.

Any bad guy could easily find the rand# and the tempPass, but they couldn't do anything with them anymore, and there would be infinite solutions when they try to find the original pass number. The original passnumber is not sent through the internet, and one can't work backwards to find it. Now the random number had to be around 1000 to 100000 within reason, and the passnumber I have is a 9-digit prime. If anyone actually wants to see my code to figure this out in more depth, send me a message. PHP and some JavaScript were used here.
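The exchange described in the post above, written out in Python as an added example (editor's code, not pdoersch's PHP/JavaScript, which is not on the page), together with the check a practitioner would want to run against it: what an eavesdropper who records the random number and the temporary pass number from several logins can do with them. The 9-digit prime, the challenge range (1000 to 100000, as the post states) and the function names are constructed for the demonstration; the recovery step combines the observed pairs with the Chinese Remainder Theorem, which is standard arithmetic and not something taken from the post.

```python
# Added example, not code from the original post. All values are constructed.
import random
from math import gcd

# Constructed 9-digit prime standing in for the "passNUMBER".
PASS_NUMBER = 982451653

# Challenge range the post mentions: "around 1000 to 100000".
CHALLENGE_MIN, CHALLENGE_MAX = 1000, 100000


def server_challenge(rng: random.Random) -> int:
    """Server side: pick the random number (rand#) sent to the client."""
    return rng.randint(CHALLENGE_MIN, CHALLENGE_MAX)


def client_response(pass_number: int, challenge: int) -> int:
    """Client side: temporaryPassnumber = passNumber mod rand#."""
    return pass_number % challenge


def server_verify(pass_number: int, challenge: int, response: int) -> bool:
    """Server side: redo the same arithmetic and compare."""
    return response == pass_number % challenge


def crt_combine(a1: int, m1: int, a2: int, m2: int):
    """Merge x = a1 (mod m1) and x = a2 (mod m2) into x = a (mod lcm(m1, m2)).

    Works for non-coprime moduli too (random challenges often share factors);
    returns None when the two congruences contradict each other.
    """
    g = gcd(m1, m2)
    if (a2 - a1) % g != 0:
        return None
    lcm = m1 // g * m2
    # Solve m1*k = a2 - a1 (mod m2) for k, then x = a1 + m1*k.
    k = ((a2 - a1) // g) * pow(m1 // g, -1, m2 // g) % (m2 // g)
    return (a1 + m1 * k) % lcm, lcm


def recover_pass_number(observations, bound: int = 10**9):
    """Eavesdropper's view: each observed (rand#, tempPass) pair says
    passNumber = tempPass (mod rand#). One pair alone leaves infinitely many
    candidates; combining pairs shrinks the candidate set by roughly a factor
    of rand# each time. Once the combined modulus exceeds `bound` (a 9-digit
    number is below 10**9), the residue is the pass number itself.
    Returns None while the pairs seen so far do not yet pin it down.
    """
    a, m = 0, 1
    for challenge, response in observations:
        merged = crt_combine(a, m, response, challenge)
        if merged is None:
            raise ValueError("inconsistent observations")
        a, m = merged
        if m > bound:
            return a
    return None


def eavesdrop(pass_number: int, exchanges: int, rng: random.Random):
    """Run `exchanges` honest logins and record exactly what crosses the wire."""
    seen = []
    for _ in range(exchanges):
        r = server_challenge(rng)
        t = client_response(pass_number, r)
        assert server_verify(pass_number, r, t)  # honest login succeeds
        seen.append((r, t))
    return seen


if __name__ == "__main__":
    wire = eavesdrop(PASS_NUMBER, 6, random.Random(2005))
    print("observed (rand#, tempPass) pairs:", wire)
    print("recovered pass number:", recover_pass_number(wire))
```

Run as a script, it performs six honest logins, prints the six (rand#, tempPass) pairs an eavesdropper would see, and then prints the pass number recovered from them. The "infinitely many solutions" intuition in the post is correct for a single exchange; with challenges of at most five digits, two or three recorded exchanges are already enough for the combined modulus to exceed any 9-digit value, and the secret is no longer sent "in the clear" only in the sense that it is spread over several messages.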