Secure PHP login script
Posted: Mon Aug 04, 2008 9:43 am
by matboz55
Hi
I am writing a registration and login class and am trying to make the login system as secure as possible. I've looked at a few articles and it would seem my current way of logging in users is open to attack. At present I simply create two session variables: Username and Password (MD5 encrypted). However, it would seem this can be hijacked and used by a hacker.
Does anyone have any idea of how to prevent this, or knows of a script which offers the best security possible? It seems a bit of a minefield so any advice would be much appreciated.
Cheers
Mat
Re: Secure PHP login script
Posted: Mon Aug 04, 2008 9:10 pm
by it2051229
Tell me situations in which it can be hijacked by hackers?
Re: Secure PHP login script
Posted: Tue Aug 05, 2008 10:37 am
by alex.barylski
I am afraid tight security cannot be accomplished through a single class.
It requires insight into the various systems at play. If someone hijacked your session it could have been done in any number of ways.
Re: Secure PHP login script
Posted: Fri Aug 08, 2008 4:39 am
by Mordred
code > words
Post some.
Re: Secure PHP login script
Posted: Sat Aug 09, 2008 10:49 am
by VirtuosiMedia
Attilus had an interesting method that I've started using...he describes it here
Re: Secure PHP login script
Posted: Sat Aug 09, 2008 3:51 pm
by Mordred
Bah. Overkill (and not actually needed at that)
Re: Secure PHP login script
Posted: Mon Aug 11, 2008 3:32 pm
by VirtuosiMedia
Mordred wrote: Bah. Overkill (and not actually needed at that)
Could you elaborate a little more? I'm curious.
Re: Secure PHP login script
Posted: Mon Aug 11, 2008 3:46 pm
by onion2k
Hockey wrote: I am afraid tight security cannot be accomplished through a single class.
That's an odd thing to say. Pushing all the security checks through a single well tested class is going to reduce the chance of something being missed.
Re: Secure PHP login script
Posted: Mon Aug 11, 2008 5:06 pm
by Mordred
VirtuosiMedia wrote: Mordred wrote: Bah. Overkill (and not actually needed at that)
Could you elaborate a little more? I'm curious.
No point in all that messing with database, session and cookies. Move the sessions to the database if you have issues with file-based sessions. As I reread the thread, it has already been pointed out in the last post on page 2.
Re: Secure PHP login script
Posted: Fri Aug 15, 2008 4:05 am
by matboz55
Thanks for the feedback everyone
It would seem storing sessions in the database is the most secure way of doing things. I have yet to write any code for my login class but the advice given here has been great.