Hi,
I am designing a site and need an extremely secure PHP login module. Can anyone suggest one? I am happy to pay for one, but it has to be securer than the average ones available. Thanks.
Imran
Secure Login
Simpler options would be:
- client side md5 hashing ( viewtopic.php?p=91538#91538 )
- http basic/digest auth
Second method effectively prevents cookie theft, but login credentials are easily intercepted by ordinary traffic sniffing.
Http basic auth over the ssl connection is something you might consider.
Nice link there....
Weirdan wrote:
Simpler options would be:
- client side md5 hashing ( viewtopic.php?p=91538#91538 )
- http basic/digest auth
First method would require js turned on on client's computer (and it's as vulnerable to cookie theft attack as any other session based auth).
Second method effectively prevents cookie theft, but login credentials are easily intercepted by ordinary traffic sniffing.
Http basic auth over the ssl connection is something you might consider.
I was just coming up with my own "home grown" security method, but a little bit of math is required to at least understand this. It only had one user though, as it is, but several could be worked into it. The general idea is that the server sends a random number to the client. The user puts in the passNUMBER which is a big prime. Then the magic...
( passNumber mod rand# ) = temporaryPassnumber
temporaryPassnumber gets sent to server, which does the same math on its side, and if they get the same answer, then you're in.
Any bad guy could easily find the rand# and the tempPass, but they couldn't do anything with them anymore, and there would be infinite solutions when they try to find the original pass number. The original passnumber is not sent through the internet, and one can't work backwards to find it. Now the random number had to be around 1000 to 100000 within reason, and the passnumber I have is a 9-digit prime. If anyone actually wants to see my code to figure this out in more depth, send me a message. PHP and some JavaScript was used here.
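Added example, not the poster's code (which is not shown in the thread): a JavaScript model of the "passNumber mod rand#" exchange described above, used to check how much of the passNumber each observed rand#/temporaryPassnumber pair gives away. The function names and all sample values are assumptions constructed for illustration.

```javascript
// Model of the mod-based login from the post; every value here is constructed.

// Extended Euclid on BigInt: returns [g, x, y] with a*x + b*y = g.
function egcd(a, b) {
  let [r0, r1, x0, x1, y0, y1] = [a, b, 1n, 0n, 0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [x0, x1] = [x1, x0 - q * x1];
    [y0, y1] = [y1, y0 - q * y1];
  }
  return [r0, x0, y0];
}

// What the client sends back for one server challenge (rand#).
function response(passNumber, challenge) {
  return passNumber % challenge;
}

// Each sniffed pair is a congruence: secret = resp (mod challenge).
// Merge them with the Chinese Remainder Theorem (works for non-coprime moduli).
function combine(observations) {
  let residue = 0n, modulus = 1n;
  for (const [m, r] of observations) {
    const [g, p] = egcd(modulus, m);
    if ((r - residue) % g !== 0n) throw new Error("inconsistent observations");
    const lcm = (modulus / g) * m;
    const step = (((r - residue) / g) * p) % (m / g);
    residue = (((residue + modulus * step) % lcm) + lcm) % lcm;
    modulus = lcm;
  }
  return { residue, modulus };
}

// Once the combined modulus covers the 9-digit secret space, the residue
// is the passNumber itself; before that, candidates remain and we return null.
function leakedSecret(observations, bound = 10n ** 9n) {
  const { residue, modulus } = combine(observations);
  return modulus >= bound ? residue : null;
}

// Constructed demo: a 9-digit prime and two challenges from the stated range.
const demoSecret = 999999937n;
const demoObs = [99999n, 100000n].map((c) => [c, response(demoSecret, c)]);
console.log(leakedSecret(demoObs.slice(0, 1))); // one login observed
console.log(leakedSecret(demoObs));             // two logins observed
```

With rand# capped near 100000 and a 9-digit passNumber, two observed logins with coprime challenges already determine the secret, which is why the thread's other suggestion, authenticating over an SSL connection, is the safer route.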