Security question.
Tommy1402 wrote:
Hi, I develop a website and am currently trying to apply a security system.
I use a database to store: user, pass, session, and IP. On success, I store the user ID in $_SESSION[uid].
I also use a token to make sure that all requests come from my web forms.
On the login page, I use JavaScript to hash (md5) the password (with salting added).
So, every time a user requests a page, I check for: user ID, session, IP and token.
My question is: are those enough to make my site secure?
If not, please suggest what should be done.
Thanks a lot for any help.
The Ninja Space Goat wrote:
    Tommy1402 wrote:
        I've read on some site a suggestion to encrypt the user's password so that the data roaming the net is not in plain text.
Well, in response to that, sometimes you have to make a trade-off. What is more important to you, security or usability/accessibility? Do you want users with JavaScript disabled to be able to use your site?
What I was asking is why you don't just hash ALL passwords before storing them in the database (or wherever you store them)?
Tommy1402 wrote:
    The Ninja Space Goat wrote:
        Well, in response to that, sometimes you have to make a trade-off. What is more important to you, security or usability/accessibility? Do you want users with JavaScript disabled to be able to use your site?
        What I was asking is why you don't just hash ALL passwords before storing them in the database (or wherever you store them)?
In my database, all passwords are already hashed (along with salting). So, basically, when a registered user tries to log in, JavaScript hashes the password's value, then sends it to the server to be checked. The server doesn't hash the value again.
The registering process is also the same. When a user tries to register, I hash the password using JavaScript, then store it directly in the database without any further hashing.
One issue is when JavaScript is disabled. In that case, I decided to make a script to check whether the user's JS is disabled or not. If JS is off, then I hash the password on the server.
I hope it's clear. Or can you suggest something?
Thanks
Last edited by Tommy1402 on Thu Feb 22, 2007 2:14 am, edited 1 time in total.
The Ninja Space Goat wrote:
    Tommy1402 wrote:
        I decided to make a script to check whether the user's JS is disabled or not. If JS is off, then I hash the password on the server.
OK, your wording confused me a little. I see what you're saying now. Feyd is right; Maugrim wrote a great article about just that. I read it in its entirety a while back. Great article.
