Login Script

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Login Script

Post by kipp »

So you could spend years in forums, blogs, classes and in books and still not know everything there is to know about login security etc. Is there such a thing as an uncrackable login script and, if there is, why isn't it possible for people to find it and learn from it?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Login Script

Post by Mordred »

It's because people are lazy and don't care enough. There are a couple of subtle problems around login, all solvable in various ways; you'd also need some policy decisions for a couple of things and voila, the perfect login script. Making a working but insecure login script is too easy, and that's why there are so many stupid scripts out there. If you care enough, it could certainly be done, though.
Care to share your story?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login Script

Post by kaisellgren »

Mordred wrote:It's because people are lazy and don't care enough. There are a couple of subtle problems around login, all solvable in various ways; you'd also need some policy decisions for a couple of things and voila, the perfect login script. Making a working but insecure login script is too easy, and that's why there are so many stupid scripts out there. If you care enough, it could certainly be done, though.
Care to share your story?
Yup.

There are a few things that may increase the security as a whole, but limit the usability - so there are no ultimate solutions.
kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Re: Login Script

Post by kipp »

Thanks for the responses. No real story except for the never ending search to try and keep the bad men out. I honestly feel like I look for an idea on proper ways to handle logins, etc. But at the same time I wonder what I am missing. Not having the most experience with php or with security I know I have a lot to learn and have a definite disadvantage when trying to prevent attacks.

I try to secure a given password in the database by encoding it with a couple of different encoders, plus a salt. As for sessions after login, I still have no idea of the best way to manage them to provide a dynamic variable etc. to pass to prevent hijacks. I get lost just thinking about it. I feel like I can code PHP to do basically anything I need it to do, but I know I have to be leaving doors open on nearly every piece of code.

Thanks for letting me vent...getting off the couch now...
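kipp's post raises the two questions every login script has to answer: how to store the password, and how to stop the session from being hijacked after login. The block below is an added example in PHP, not code from the thread or from any poster, showing one defensible answer to each. It assumes PHP 7.0 or later (password_hash, password_verify, random_bytes, hash_equals); the $users array is a constructed stand-in for a database table, and the function names are the example's own. Two points it illustrates that the post's approach leaves out: stacking several fast hash functions around a salt does not slow an attacker down, whereas bcrypt's cost factor does (and bcrypt stores its own per-user salt inside the hash string); and a session id that existed before login must be thrown away at login, or an attacker who planted it (session fixation) walks in with the user.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0.
declare(strict_types=1);

// Constructed user store: username => password hash. In a real app this is a DB row.
// password_hash() picks a random salt and embeds it (and the cost) in the returned string,
// so no separate salt column is needed and the DBA cannot get the salt "wrong".
function makeUserStore(): array {
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Hash of a random throwaway password. Verifying against it when the username does not
// exist costs the same bcrypt work as a real check, so response time does not reveal
// which usernames are valid.
function dummyHash(): string {
    static $h = null;
    if ($h === null) {
        $h = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $h;
}

// Returns true only for a known user with the right password. Always runs password_verify
// exactly once, whether or not the user exists.
function checkCredentials(array $users, string $user, string $password): bool {
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : dummyHash();
    $ok    = password_verify($password, $hash);
    return $ok && $known;
}

// Cookie and session settings that belong in every PHP login, set before session_start().
// cookie_secure assumes the site is served over HTTPS; cookie_samesite needs PHP >= 7.3.
function secureSessionStart(): void {
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    ini_set('session.cookie_httponly', '1');   // JavaScript cannot read the cookie
    ini_set('session.cookie_secure', '1');     // cookie only sent over HTTPS
    if (PHP_VERSION_ID >= 70300) {
        ini_set('session.cookie_samesite', 'Lax');
    }
    session_start();
}

// Call after checkCredentials() succeeds. Issues a fresh session id (old one destroyed) so a
// pre-login id is worthless to whoever planted it, drops anything left from the anonymous
// session, and records when and to which client the session was issued.
function startAuthenticatedSession(string $user): void {
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['user']    = $user;
    $_SESSION['issued']  = time();
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Check on every later request. A session is only valid if it carries a user, was issued to a
// client presenting the same User-Agent, and is younger than $maxAge seconds. The UA check is
// a cheap hijack tripwire, not proof of identity: an attacker who stole the cookie can also
// copy the User-Agent, so the real defence is HTTPS plus the cookie flags above.
function sessionIsValid(int $maxAge = 1800): bool {
    if (empty($_SESSION['user'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals((string)($_SESSION['ua_hash'] ?? ''), $ua)) {
        return false;
    }
    return (time() - (int)($_SESSION['issued'] ?? 0)) <= $maxAge;
}

// Request-handler shape: verify, then re-key the session. Returns whether login succeeded.
function handleLogin(array $users, string $user, string $password): bool {
    if (!checkCredentials($users, $user, $password)) {
        return false;   // same answer for unknown user and wrong password
    }
    startAuthenticatedSession($user);
    return true;
}

// Stand-alone demonstration of the credential check (no session needed on the CLI).
if (PHP_SAPI === 'cli') {
    $users = makeUserStore();
    var_dump(checkCredentials($users, 'alice', 'correct horse battery staple')); // bool(true)
    var_dump(checkCredentials($users, 'alice', 'wrong'));                        // bool(false)
    var_dump(checkCredentials($users, 'nobody', 'anything'));                    // bool(false)
}
```

Usage from a web request is secureSessionStart() at the top of every page, handleLogin() on the POST from the login form, and sessionIsValid() before rendering anything protected. What the example deliberately does not do is count failed attempts; per-account and per-IP throttling is a policy decision, which is exactly the part Mordred says has to be settled before a "perfect" login script exists.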
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login Script

Post by kaisellgren »

kipp wrote:Thanks for the responses. No real story except for the never ending search to try and keep the bad men out. I honestly feel like I look for an idea on proper ways to handle logins, etc. But at the same time I wonder what I am missing. Not having the most experience with php or with security I know I have a lot to learn and have a definite disadvantage when trying to prevent attacks.

I try to secure a given password in the database by encoding it with a couple of different encoders, plus a salt. As for sessions after login, I still have no idea of the best way to manage them to provide a dynamic variable etc. to pass to prevent hijacks. I get lost just thinking about it. I feel like I can code PHP to do basically anything I need it to do, but I know I have to be leaving doors open on nearly every piece of code.

Thanks for letting me vent...getting off the couch now...
Oh well, security is a wide area. I'm actually writing a security book that discusses PHP and MySQL (or SQL in general) related security stuff. Lots of information. Will be available in English and can be bought from Amazon at a price I have not yet decided. Reading books helps a lot to understand the bigger picture of this whole subject.
kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Re: Login Script

Post by kipp »

A definite Christmas wish list item... keep us posted.