Hello Everyone!
I am new to this forum (first post actually)...so please forgive me if I post this in the wrong spot.
I am working on the user/login portion now, and am trying to figure out a way to prevent account hijacking/secure login.
I have a user database with the structure user_id, username, password, secret_id, ..., name, birth_date, etc.
I want somehow to prevent session hijacking by having the session hold a random secret_id that changes every page reload and saves that value in the database and somehow have that tie in to some cookie value holding the user_id...
I have a login system now, but I am sure it is very vulnerable...It just sets a session variable holding the secret_id that changes every time a page loads, but if someone gets ahold of the secret_id, the server will think he is the valid user and keep sending him new secret values in his own session...
Please help,
Thanks,
Ben
Please help with login method
Re: Please help with login method
kaisellgren (DevNet Resident, Lahti, Finland, joined Sat Jan 07, 2006):
Hash your passwords before passing them into the database. Use PHP's session engine. Use session_regenerate_id() to prevent Session Fixation attacks. I would recommend you to read some books: http://www.amazon.com/s/ref=nb_ss_b?url ... ty&x=0&y=0
There are a couple of things to do. Maybe you should first create the login script, and once it's done, show us your code so that we can evaluate it.
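The advice above (hash the stored passwords, use PHP's own session engine, regenerate the session ID at login) put together in one script, as an added example that is not code from the original thread or from any of its posters. It assumes a PDO connection in $pdo and a users table with columns user_id, username and password_hash; those names are assumptions, not taken from the post. It uses password_hash()/password_verify(), which is the current PHP API for password storage, rather than a bare hash() call.

```php
<?php
// Added example (not from the original thread): a minimal PHP login flow.
// - Passwords are stored only as password_hash() output (salted bcrypt).
// - The session is PHP's own; cookie flags are tightened before it starts.
// - session_regenerate_id(true) on successful login discards whatever ID
//   the client arrived with, so a fixated ID never becomes authenticated.
//
// Assumed schema (not from the original post):
//   users(user_id INT, username VARCHAR, password_hash VARCHAR(255))

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session IDs the server never issued (fixation defence #1).
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    // Keep the cookie away from JavaScript and off plain HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    session_start();
}

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a random salt and uses bcrypt by default.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT user_id, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a well-formed dummy bcrypt hash when the user does
    // not exist, so response time does not reveal which usernames exist.
    $hash = ($row !== false) ? $row['password_hash']
                             : '$2y$10$' . str_repeat('a', 53);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    start_secure_session();
    // Fixation defence #2: new ID for the authenticated session, and the
    // old server-side session data is deleted (true).
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['logged_in_at'] = time();

    // Upgrade the stored hash transparently if the default cost changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare(
            'UPDATE users SET password_hash = :h WHERE user_id = :id'
        );
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['user_id'],
        ]);
    }
    return true;
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server state.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'],
                  $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call session_regenerate_id() again whenever privilege changes (for example on password change or role elevation), not only at login; the ID a page was first served with should never survive into a more privileged state.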
Re: Please help with login method
coalgames:
For beginners, PHP's built-in session functions are fine. But in the future, you might want to make your own functions (warning, that takes quite a while).
If you are inputting a password into a database, I recommend you use either the md5 function or the hash function. (Ex: md5($somepassword) and hash('md5',$somepassword).)
If you want to identify a person, you should probably use the person's user agent and their IP address. An easy way to do this, and the way that I use on my website, is to get the person's IP address and browser agent.
To generate a random 32 character string, just use md5(uniqid(microtime())).
Good luck.
Re: Please help with login method
kaisellgren:
coalgames wrote: I recommend you use either the md5 function or the hash function. (Ex: md5($somepassword) and hash('md5',$somepassword).)
Forget MD5. Just jump to the hash function and use a compressor such as SHA-256, SHA-512 or Whirlpool.
coalgames wrote: If you want to identify a person, you should probably use the person's user agent and their IP address.
Just bear in mind that that approach is not a bullet-proof solution.
coalgames wrote: To generate a random 32 character string, just use md5(uniqid(microtime())).
If you care about security, you should not generate random strings based on weak random sources.
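The three points in the reply above, worked through in code, as an added example that is not from the original thread or its posters. It also covers the original poster's secret_id idea: a per-user random secret stored in the database and checked against a cookie value. Tokens come from random_bytes() (the OS CSPRNG) instead of md5(uniqid(microtime())), whose only input is the clock; only a SHA-256 digest of the token is stored, so a database dump does not yield usable tokens; comparison uses hash_equals() so timing does not leak how many bytes matched; and the user-agent check is kept as a soft signal, since user agents and IP addresses change for legitimate reasons. The users table with columns user_id and secret_id follows the original post; the assumption that secret_id holds a hex SHA-256 digest is mine.

```php
<?php
// Added example (not from the original thread): CSPRNG-backed tokens,
// server-side storage of their digest, constant-time verification, and a
// user-agent fingerprint used only as an advisory signal.
//
// Assumed schema (column names from the original post, digest format is an
// assumption): users(user_id INT, secret_id CHAR(64) /* hex SHA-256 */)

declare(strict_types=1);

// Weak version, shown only for contrast with the thread's suggestion: every
// bit of output is a function of the current time, so an attacker who knows
// roughly when a token was issued has a small space to search.
function weak_token(): string
{
    return md5(uniqid((string) microtime(true)));
}

// 256 bits from the operating system CSPRNG, hex-encoded to 64 characters.
function strong_token(): string
{
    return bin2hex(random_bytes(32));
}

// Only this digest is stored; the raw token lives solely in the cookie.
function token_digest(string $token): string
{
    return hash('sha256', $token);
}

// Mint a fresh secret for the user, persist its digest, return the raw
// token for the caller to place in a Secure, HttpOnly cookie.
function issue_token(PDO $pdo, int $userId): string
{
    $token = strong_token();
    $stmt = $pdo->prepare(
        'UPDATE users SET secret_id = :d WHERE user_id = :id'
    );
    $stmt->execute([':d' => token_digest($token), ':id' => $userId]);
    return $token;
}

// Check a presented token. Rotating it on every request (the original
// poster's plan) is then just issue_token() after a successful verify.
function verify_token(PDO $pdo, int $userId, string $presented): bool
{
    $stmt = $pdo->prepare(
        'SELECT secret_id FROM users WHERE user_id = :id'
    );
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }
    // Both sides are 64-char hex digests; hash_equals() is constant-time
    // for equal-length inputs, so it also does not leak digest prefixes.
    return hash_equals((string) $stored, token_digest($presented));
}

// Soft binding: hash of the User-Agent captured at login. A mismatch is
// worth logging or prompting re-authentication, not proof of hijacking,
// and the header is attacker-controlled, so it is never a substitute for
// the token check above. The IP address is deliberately left out because
// it changes with mobile networks, proxies and load balancers.
function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ua);
}

function fingerprint_matches(string $atLogin, array $server): bool
{
    return hash_equals($atLogin, client_fingerprint($server));
}
```

Store client_fingerprint($_SERVER) in the session at login and call fingerprint_matches() on later requests; treat a failure as a reason to re-verify the user, while verify_token() remains the actual authorization decision.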