Security question.
Posted: Wed Feb 21, 2007 10:31 pm
by Tommy1402
Hi, I am developing a website and am currently trying to apply a security system.
I use a database to store: user, pass, session, and IP. On success, I store the user ID in $_SESSION[uid].
I also use a token to make sure that all requests come from my web forms.
In the login page, I use JavaScript to hash (md5) the password (with salt added).
So, every time a user requests a page, I check for: user ID, session, IP and token.
My question is: Are those enough to make my site secure?
If not, please suggest what should be done.
Thanks a lot for any help.
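The per-request check described in the post (session, IP and form token, with the user ID held in the session record) can be written as a small server-side validator. The code below is an added example, not code from the original thread or any project; it uses an in-memory session table, a constructed session lifetime, and single-use form tokens compared in constant time, all of which are assumptions made for the example.

```python
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory session table: session id -> record (assumption: a DB in real use).
SESSIONS = {}
SESSION_TTL = 30 * 60  # seconds a session stays valid; assumed value


def start_session(uid: int, client_ip: str, now: Optional[float] = None) -> str:
    """Create a session after a successful login and bind it to uid and client IP."""
    if now is None:
        now = time.time()
    sid = secrets.token_urlsafe(32)          # unguessable session id
    SESSIONS[sid] = {"uid": uid, "ip": client_ip, "created": now, "tokens": set()}
    return sid


def issue_form_token(sid: str) -> str:
    """Mint a random token to embed in a form; it is accepted once and only for this session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["tokens"].add(token)
    return token


def check_request(sid: str, client_ip: str, token: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate one incoming form request; returns (ok, reason)."""
    if now is None:
        now = time.time()
    rec = SESSIONS.get(sid)
    if rec is None:
        return False, "unknown session"
    if now - rec["created"] > SESSION_TTL:
        SESSIONS.pop(sid, None)              # expire and drop the record
        return False, "session expired"
    if rec["ip"] != client_ip:               # IP binding as the post describes
        return False, "ip mismatch"
    # Compare in constant time against every token issued to this session.
    matched = None
    for issued in rec["tokens"]:
        if hmac.compare_digest(issued, token):
            matched = issued
            break
    if matched is None:
        return False, "bad token"
    rec["tokens"].discard(matched)           # single use: a replayed token fails
    return True, "ok"


def session_uid(sid: str) -> Optional[int]:
    """User ID bound to a session, or None if the session does not exist."""
    rec = SESSIONS.get(sid)
    return None if rec is None else rec["uid"]


if __name__ == "__main__":
    sid = start_session(42, "203.0.113.5")      # constructed client address
    tok = issue_form_token(sid)
    print(check_request(sid, "203.0.113.5", tok))   # first use succeeds
    print(check_request(sid, "203.0.113.5", tok))   # replay is rejected
```

Binding a session to the client IP, as the post does, will log out users whose address changes mid-session (mobile networks, some proxy pools), so it is a usability trade-off rather than a free win; the random session id and single-use token are the parts that carry the security.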
Posted: Wed Feb 21, 2007 11:13 pm
by feyd
If you want to go paranoid, SSL is the next step.
Posted: Wed Feb 21, 2007 11:54 pm
by Tommy1402
feyd wrote: If you want to go paranoid, SSL is the next step.
Since I don't want to use SSL, it's pretty secure.
Posted: Wed Feb 21, 2007 11:57 pm
by feyd
It sounds okay.
What happens if Javascript is disabled?
Posted: Thu Feb 22, 2007 12:17 am
by Tommy1402
feyd wrote: It sounds okay.
What happens if Javascript is disabled?
If JS is off, the password will never be hashed. Then, the user will never be able to log in.
I just want that the user's password doesn't wander all around the network unencrypted.
Posted: Thu Feb 22, 2007 12:48 am
by feyd
Are you sure you want to make the site inaccessible to users who do not have Javascript enabled/supported?
Posted: Thu Feb 22, 2007 12:52 am
by Tommy1402
feyd wrote: Are you sure you want to make the site inaccessible to users who do not have Javascript enabled/supported?
Are there any other ways besides using SSL?
If not, then I'll stick with it.
Posted: Thu Feb 22, 2007 1:06 am
by feyd
Let them log in without the protection.
It's not keeping your server safer, but your users' data safer.
Posted: Thu Feb 22, 2007 1:31 am
by Tommy1402
feyd wrote: Let them log in without the protection.
It's not keeping your server safer, but your users' data safer.
I think you're right. Well, I think I have to make a script to check whether the user's JS is enabled or not. If not, then I hash the password on the server...
Posted: Thu Feb 22, 2007 1:33 am
by Luke
Why not just hash the password regardless?
Posted: Thu Feb 22, 2007 1:42 am
by Tommy1402
The Ninja Space Goat wrote: Why not just hash the password regardless?
I've read on some site that suggests encrypting the user's pwd so that the data roaming the net is not in plain text.
Posted: Thu Feb 22, 2007 1:47 am
by Luke
Tommy1402 wrote: I've read on some site that suggests encrypting the user's pwd so that the data roaming the net is not in plain text.
Well, in response to that, sometimes you have to make a trade-off. What is more important to you, security or usability/accessibility? Do you want users with javascript disabled to be able to use your site?
What I was asking is why you don't just hash ALL passwords before storing them in the database (or wherever you store them)?
Posted: Thu Feb 22, 2007 2:13 am
by Tommy1402
The Ninja Space Goat wrote: Tommy1402 wrote: I've read on some site that suggests encrypting the user's pwd so that the data roaming the net is not in plain text.
Well, in response to that, sometimes you have to make a trade-off. What is more important to you, security or usability/accessibility? Do you want users with javascript disabled to be able to use your site?
What I was asking is why you don't just hash ALL passwords before storing them in the database (or wherever you store them)?
In my database, all passwords are already hashed (along with salting). So, basically, when a registered user tries to log in, JavaScript hashes the password's value, then sends it to the server to be checked. The server doesn't hash the value again.
The registration process is the same. When a user tries to register, I hash the password using JavaScript, then store it directly in the database without any further hashing.
One issue is when JavaScript is disabled. In that case, I decided to make a script to check whether the user's JS is disabled or not. If JS is off, then I hash the password on the server.
I hope it's clear. Or can you suggest something?
Thanks
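Luke's suggestion (hash on the server regardless) and the scheme Tommy describes (store the client-side MD5 as-is, hash on the server only when JS is off) can be put side by side in code. The block below is an added example written for this thread, not code from the original posts; the salted MD5 layout of the login-page JavaScript, the PBKDF2 parameters and the in-memory user table are assumptions. The point it makes: when the server stores exactly what the browser sent, the stored value is itself a valid login credential, so a copy of the user table is as good as the passwords; when the server always applies its own salted key derivation, the stored verifier and the transmitted value differ, and both the JS-on and JS-off paths are handled by the same code.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table: username -> (salt, verifier).
USERS = {}
PBKDF2_ROUNDS = 100_000   # assumed work factor for the example


def client_side_md5(password: str, site_salt: str) -> str:
    """Stand-in for what the page's login-page JavaScript sends (assumed: md5 of salt+password)."""
    return hashlib.md5((site_salt + password).encode()).hexdigest()


def derive_verifier(credential: str, salt: bytes) -> bytes:
    """Server-side salted key derivation applied to whatever arrived over the wire."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, credential: str) -> None:
    """Store a per-user random salt and the derived verifier, never the credential itself."""
    salt = os.urandom(16)
    USERS[username] = (salt, derive_verifier(credential, salt))


def login(username: str, credential: str) -> bool:
    """Re-derive from the submitted credential and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        derive_verifier(credential, b"\x00" * 16)   # same cost for unknown users
        return False
    salt, verifier = record
    return hmac.compare_digest(derive_verifier(credential, salt), verifier)


def stored_equals_transmitted(username: str, credential: str) -> bool:
    """True only if what the DB holds is exactly what the client sent (the weak scheme)."""
    _, verifier = USERS[username]
    return verifier == credential.encode() or verifier.hex() == credential


def weak_store(credential: str) -> str:
    """The scheme from the thread: the client-side hash is stored directly."""
    return credential


def weak_login(stored: str, credential: str) -> bool:
    """With direct storage the stored string alone is enough to pass the check."""
    return hmac.compare_digest(stored, credential)


if __name__ == "__main__":
    site_salt = "example-site-salt"                      # constructed
    # JS-on browser: sends md5(salt+password); server still derives its own verifier.
    register("alice", client_side_md5("correct horse", site_salt))
    # JS-off browser: sends the raw password; exactly the same server path.
    register("bob", "plain password")
    print(login("alice", client_side_md5("correct horse", site_salt)))   # True
    print(login("bob", "plain password"))                                # True
    print(stored_equals_transmitted("alice",
                                    client_side_md5("correct horse", site_salt)))  # False
```

Two caveats the thread only hints at: client-side hashing with a fixed site salt does not stop the transmitted value from being reused if it is captured in transit, which is why feyd points to SSL; and MD5 is a fast hash, so a server-side slow KDF (PBKDF2 here; bcrypt or scrypt are common alternatives) is what makes a leaked table expensive to crack.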
Posted: Thu Feb 22, 2007 2:14 am
by feyd
Tommy1402, I don't know if you've read it or not, but there's a tutorial by Maugrim_the_Reaper
here which talks about this stuff in fair detail.
Posted: Thu Feb 22, 2007 2:27 am
by Luke
Tommy1402 wrote: I decided to make a script to check whether the user's JS is disabled or not. If JS is off, then I hash the password on the server.
OK, your wording confused me a little. I see what you're saying now. Feyd is right, Maugrim wrote a great article about just that. I read it in its entirety a while back. Great article.
