nielsene wrote: I've just searched through many of your past threads, can you point me to one where you list the 8 steps you consider for a login system?
I was fairly certain I listed them in another thread, but I don't see them. Here are the main threads we've covered this ground in before:
viewtopic.php?p=176943#176943 (This one spells out 6 issues)
viewtopic.php?t=34899 (This one talks in general about it, and gets very confused by the end)
viewtopic.php?t=18633 (This one is solid too)
viewtopic.php?t=16390 (Also worth reading)
There were another handful in addition to those.
From the repetition and the number of times this topic has come up, it sounds like I need to write a solid tutorial that covers all the bases, explaining each of the problems and solutions needed. I was working on one for sitepoint, but never finished it.
I'll see what I can come up with.
nielsene wrote: I agree with you in principle that it's stupid to throw out everything if it's not perfect. I'm less comfortable about the JavaScript hash suggestions -- I'm one of the people who doesn't like to have JS enabled. If a site requires a real login, I expect SSL.
I don't disagree. SSL is always the ideal. But if SSL isn't available, what then?
Keep in mind that I developed a decent amount of my login code from multiple open-source games. Games which other admins deploy on a *huge* variety of sites stretching from free-hosting, ad-riddled minor 'homepages', all the way to million+ hits per day domains. Some could have SSL, many couldn't.
So, I had to find reasonable solutions that didn't require SSL.
nielsene wrote: Sites with "fake SSL", which I consider the hash method to be, normally feel *less* secure than a normal cleartext site -- most of them are seriously broken in other ways and think they are being "smart". Now, I'd trust your sites, since you understand what you're doing and why. But I'm afraid many will take it as a golden bullet solution....
To be completely clear: They ARE less secure than SSL. The full explanation about why isn't totally needed, but your gut feeling was right on the money. They are less secure.
JS, hashing, and structured logins aren't about replacing SSL. It's about providing the best security you can when SSL isn't available (or in addition to SSL).