Noobish password protection v.2
Posted: Sun May 13, 2007 12:43 pm
After some tutorial reading and discussion with other php developers my password protection is as follows:
The users log in on a specific login page, where user name and password are compared to the values in the database. I have passwords encrypted in the database with sha1().
The login.php also registers the IP address of the user in a MySQL table if the user enters a wrong user name or password. Then, if the user has tried to log in 3 times in 5 minutes without succeeding, he has to wait another 5 minutes before the next attempt.
If the user name and password check query returns 1 row, the script does the following:
1. Starts a session
2. Fetches the mysql row with username, password and some other information
3. Assigns the user's User_ID (taken from the MySQL table) as $_SESSION['User_ID']
4. Assigns the user's IP address as $_SERVER['REMOTE_ADDR']
5. Sets a cookie with the md5 hash of the IP address joined with a secret word. E.g. md5($_SERVER['REMOTE_ADDR']."secret_word")
6. Gives a header with the location of the restricted area.
Then, on every password protected page, I do the following check:
```php
<?php
session_start(); // $_SESSION is only populated once the session has been started
if (!isset($_SESSION['User_ID']) || !isset($_COOKIE['IP'])
    || md5($_SESSION['IP'] . "secret_word") != $_COOKIE['IP']) {
    // GIVE A HEADER TO THE LOGIN PAGE
} else {
    // DISPLAY SECRET PAGE
}
```
What I need from the script:
- A reasonable secure protection.
- Different content for different users. Therefore I need their User_ID registered.
- As little as possible of mysql connections and queries (my host is so slow).
When I first introduced my noobish password protection I got answers that said that it does nothing. I am quite sure that it did a lot, but I found also many things it didn't do and therefore this is my v.2 noobish password protection.
If someone now tells me that the SESSION['User_ID'] and the IP COOKIE check don't do anything, I find that hard to believe.
I still have my IP check there because of session stealing. AOL users shouldn't have any problems with that since their IP is stored in a cookie (and then it doesn't matter if their IP address changes).
I hope that you understand how my protection works and I would like to have comments on its security!
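The login flow (steps 1 to 6, including the 3-failures-in-5-minutes throttle) and the per-page check from the post, written out as an added example; this is not the poster's code. It assumes PDO, a `users` table with `User_ID`, `username` and a sha1 `password` column, a `failed_logins` table with `ip` and `attempted_at`, and the redirect paths; `session_regenerate_id()` and the httponly flag are additions not in the post.

```php
<?php
// Added example, not the poster's code. Table/column names, paths and the
// secret are assumptions; the throttle counts failures in the last 5 minutes.
define('SECRET_WORD', 'secret_word'); // assumption: replace with a real secret

function tooManyFailures(PDO $db, $ip) {
    // Assumed schema: failed_logins(ip VARCHAR, attempted_at DATETIME)
    $stmt = $db->prepare('SELECT COUNT(*) FROM failed_logins '
        . 'WHERE ip = ? AND attempted_at > NOW() - INTERVAL 5 MINUTE');
    $stmt->execute(array($ip));
    return (int)$stmt->fetchColumn() >= 3;   // 3 failures => wait 5 minutes
}

function recordFailure(PDO $db, $ip) {
    $stmt = $db->prepare('INSERT INTO failed_logins (ip, attempted_at) VALUES (?, NOW())');
    $stmt->execute(array($ip));
}

function login(PDO $db, $username, $password) {
    $ip = $_SERVER['REMOTE_ADDR'];
    if (tooManyFailures($db, $ip)) {
        return false;                         // still inside the waiting period
    }
    // Assumed schema: users(User_ID INT, username VARCHAR, password CHAR(40)), sha1 as in the post
    $stmt = $db->prepare('SELECT User_ID, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute(array($username, sha1($password)));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {                              // query did not return 1 row
        recordFailure($db, $ip);
        return false;
    }
    session_start();                          // step 1
    session_regenerate_id(true);              // addition: new session id after login
    $_SESSION['User_ID'] = $row['User_ID'];   // step 3
    $_SESSION['IP'] = $ip;                    // step 4: IP the session was opened from
    // step 5: cookie bound to the IP plus secret; httponly keeps it from page scripts
    setcookie('IP', md5($ip . SECRET_WORD), 0, '/', '', false, true);
    header('Location: /restricted/index.php'); // step 6, path assumed
    exit;
}

function requireLogin() {
    // The per-page check from the post, as a reusable function
    session_start();
    if (!isset($_SESSION['User_ID'], $_SESSION['IP'], $_COOKIE['IP'])
        || md5($_SESSION['IP'] . SECRET_WORD) !== $_COOKIE['IP']) {
        header('Location: /login.php');       // assumed login page path
        exit;
    }
    return $_SESSION['User_ID'];              // caller uses this for per-user content
}
```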