Secure PHP login script

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

matboz55
Forum Newbie
Posts: 4
Joined: Mon Jun 09, 2008 10:42 am

Secure PHP login script

Post by matboz55 »

Hi

I am writing a registration and login class and am trying to make the login system as secure as possible. I've looked at a few articles and it would seem my current way of logging in users is open to attack. At present I simply create two session variables: Username and Password (MD5 encrypted). However, it would seem this can be hijacked and used by a hacker.

Does anyone have any idea of how to prevent this, or knows of a script which offers the best security possible? It seems a bit of a minefield so any advice would be much appreciated.

Cheers

Mat
it2051229
Forum Contributor
Posts: 312
Joined: Tue Dec 25, 2007 8:34 pm

Re: Secure PHP login script

Post by it2051229 »

Tell me the situations in which it can be hijacked by hackers?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Secure PHP login script

Post by alex.barylski »

I am afraid tight security cannot be accomplished through a single class.

It requires insight into the various systems at play. If someone hijacked your session it could have been done in any number of ways.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure PHP login script

Post by Mordred »

code > words
Post some.
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Secure PHP login script

Post by VirtuosiMedia »

Attilus had an interesting method that I've started using... he describes it here
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure PHP login script

Post by Mordred »

Bah. Overkill (and not actually needed at that)
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Secure PHP login script

Post by VirtuosiMedia »

Mordred wrote: Bah. Overkill (and not actually needed at that)
Could you elaborate a little more? I'm curious.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Secure PHP login script

Post by onion2k »

Hockey wrote: I am afraid tight security cannot be accomplished through a single class.
That's an odd thing to say. Pushing all the security checks through a single well tested class is going to reduce the chance of something being missed.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure PHP login script

Post by Mordred »

VirtuosiMedia wrote:
Mordred wrote: Bah. Overkill (and not actually needed at that)
Could you elaborate a little more? I'm curious.
No point in all that messing with database, session and cookies. Move the sessions to the database if you have issues with file-based sessions. As I reread the thread, it has already been pointed out in the last post on page 2.
matboz55
Forum Newbie
Posts: 4
Joined: Mon Jun 09, 2008 10:42 am

Re: Secure PHP login script

Post by matboz55 »

Thanks for the feedback everyone

It would seem storing sessions in the database is the most secure way of doing things. I have yet to write any code for my login class but the advice given here has been great.