Login Script
Posted: Fri Feb 06, 2009 1:14 am
by kipp
So you could spend years in forums, blogs, classes and in books and still not know everything there is to know about login security etc... Is there such a thing as an uncrackable login script and if there is why isn't it possible for people to find it and learn from it?
Re: Login Script
Posted: Fri Feb 06, 2009 5:42 am
by Mordred
It's because people are lazy and don't care enough. There's a couple of subtle problems around login, all solvable in various ways, you'd also need some policy decisions for a couple of things and voila - the perfect login script. Making a working but insecure login script is too easy and that's why there are so many stupid scripts out there. If you care enough, it could certainly be done though.
Care to share your story?
Re: Login Script
Posted: Sat Feb 07, 2009 1:47 pm
by kaisellgren
Mordred wrote:It's because people are lazy and don't care enough. There's a couple of subtle problems around login, all solvable in various ways, you'd also need some policy decisions for a couple of things and voila - the perfect login script. Making a working but insecure login script is too easy and that's why there are so many stupid scripts out there. If you care enough, it could certainly be done though.
Care to share your story?
Yup.
There are a few things that may increase the security as a whole, but limit the usability - so there are no ultimate solutions.
Re: Login Script
Posted: Sun Feb 08, 2009 6:56 pm
by kipp
Thanks for the responses. No real story except for the never ending search to try and keep the bad men out. I honestly feel like I look for an idea on proper ways to handle logins, etc. But at the same time I wonder what I am missing. Not having the most experience with php or with security I know I have a lot to learn and have a definite disadvantage when trying to prevent attacks.
I try to secure a given password in the database by encoding it with a couple different encoders, plus a salt. As for sessions after login, still no idea on the best way to manage them to provide a dynamic variable etc to pass to prevent hijacks. I get lost just thinking about it. I feel like I can code php to do basically anything I need it to do, but I know I have to be leaving doors open on nearly every piece of code.
Thanks for letting me vent...getting off the couch now...
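The two things the post above is wrestling with, how to store passwords and how to handle the session after login, are shown below in an added PHP example that is not code from this thread or from any poster. It replaces the "several encoders plus a salt" idea with password_hash() (bcrypt with a random per-password salt and a tunable cost factor) and replaces a hand-rolled rotating token with session_regenerate_id() after authentication. It assumes PHP 7.4 or later, a PDO connection $pdo, and a users(id, username, password_hash) table; the table, the $pdo variable and the POST field names are assumptions, not from the page.

```php
<?php
// Added example, not code from the thread. Salted, slow password hashing and
// post-login session handling in PHP. Assumptions (not from the page):
// PHP >= 7.4, a PDO connection $pdo, a table users(id, username, password_hash).
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

// Register a user. password_hash() generates a random per-password salt and
// runs bcrypt, a deliberately slow hash tuned by the cost factor. Chaining
// fast digests (md5 over sha1, etc.) does not slow an attacker down; the
// work factor is what makes offline guessing expensive.
function createUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Check a login attempt. Returns the user id on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run bcrypt even when the username is unknown, so response time does not
    // reveal which usernames exist. The dummy hash is constructed on first use.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $storedHash = ($row !== false) ? $row['password_hash'] : $dummyHash;

    // password_verify() reads the salt and cost back out of the stored string
    // and compares in constant time.
    $ok = password_verify($password, $storedHash);
    if ($row === false || !$ok) {
        return null;
    }

    // Transparently upgrade old hashes when the cost factor is raised later.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
            ':id' => $row['id'],
        ]);
    }
    return (int) $row['id'];
}

// Configure the session cookie before starting the session. HttpOnly keeps
// script from reading the id, Secure keeps it off plain HTTP, SameSite limits
// cross-site requests carrying it.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Bind the session to the authenticated user. Regenerating the id after login
// invalidates any id an attacker planted or observed before authentication
// (session fixation), which is the job a rotating hidden token is usually
// meant to do.
function loginSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Read the logged-in user, expiring sessions after an absolute lifetime.
function currentUserId(int $maxAgeSeconds = 8 * 3600): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['auth_time'])) {
        return null;
    }
    if (time() - $_SESSION['auth_time'] > $maxAgeSeconds) {
        session_unset();
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Usage sketch for a login handler (POST field names are assumed):
// startHardenedSession();
// $id = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($id === null) { http_response_code(401); exit('Login failed'); }
// loginSession($id);
```

Two design points worth checking in any script built on this: the password column has to be wide enough for the full bcrypt string (60 characters), and session_regenerate_id() must be called after the credentials have been verified, not merely at session start, otherwise a fixed session id survives the login.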
Re: Login Script
Posted: Sun Feb 08, 2009 7:09 pm
by kaisellgren
kipp wrote:Thanks for the responses. No real story except for the never ending search to try and keep the bad men out. I honestly feel like I look for an idea on proper ways to handle logins, etc. But at the same time I wonder what I am missing. Not having the most experience with php or with security I know I have a lot to learn and have a definite disadvantage when trying to prevent attacks.
I try to secure a given password in the database by encoding it with a couple different encoders, plus a salt. As for sessions after login, still no idea on the best way to manage them to provide a dynamic variable etc to pass to prevent hijacks. I get lost just thinking about it. I feel like I can code php to do basically anything I need it to do, but I know I have to be leaving doors open on nearly every piece of code.
Thanks for letting me vent...getting off the couch now...
Oh well, security is a wide area. I'm actually writing a security book that discusses PHP and MySQL (or SQL in general) related security stuff. Lots of information. Will be available in English and can be bought from Amazon at a price I have not yet decided. Reading books helps a lot to understand the bigger picture of this whole subject.
Re: Login Script
Posted: Sun Feb 08, 2009 7:10 pm
by kipp
A definite Christmas wish list item... keep us posted.