9902468
Session control, implementing shh?
I need any info on how I can implement and maintain a secure login over the web and how I can protect my secure pages.
Cookie + session control ?
I'm programming a database program that is maintained and used via the web (http). I have a MySQL database behind all of it and I have followed the MySQL and PHP security guidelines pretty well.
I check passwords/usernames with a user that has only SELECT granted on that specific table, nothing else.
Should I encrypt passwords in the browser, the server or the database?
Perhaps in all?
But how can I send/receive information from the browser so that it is encrypted?
How is cookie time measured? (I mean, if I set the time on the server and the host clock is something totally different...)
Using PHP4, Mysql ver. and Apache 2.0.35
ASKER
LexZEUS is close on some points...
Security is very important, but I'm running on a very tight budget, so the server I'm running it on isn't too powerful and I can't spare much money for certificates, licences etc. Is there any free alternative to SSL?
There are only a handful of users using this service at a time, 10 tops. How much raw processing power is needed to keep about 8 users happy at the same time if they all use https/SSL? This is the only thing to be run on the server.
If you could give me some estimates about CPU and memory needs when running on Linux. What about Win2000?
ASKER CERTIFIED SOLUTION
If you use https, you won't need something to encrypt the login or password; just leave it as the normal approach.
You can make the login + validation page use https; upon successful login, put a "success flag" in the session and redirect to the normal http site. Then, while the user browses your site, as long as you can detect the "success flag" in his/her session, you can assume that this user has logged in successfully... This approach avoids the overhead of using https for a long period per user, since SSL stuff is generally *slow*.
But this is not very secure either, coz someone can listen to the network, catch your session_id, and then act as you. The most secure system is if you can make the whole of your web application code run under https, and make sure the cookie can be transmitted if https is used. See setCookie() and the secure attribute in the PHP manual for more information; see the Apache docs on installing SSL for step-by-step https installation (you need to pay a certificate vendor such as VeriSign, though).
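The following is an added example, not the answerer's code and not part of the original thread. It shows the all-https variant the answer ends with: the session cookie carries the secure and httponly attributes, the "success flag" is set only after a successful login, and the idle timeout is measured with the server clock, which also answers the asker's clock question (a cookie's Expires date is applied by the browser against its own clock, so a server-side timestamp is the reliable check). It assumes a modern PHP (7.3 or later for the array form of session_set_cookie_params(), 5.5 or later for password_hash()/password_verify()), a PDO connection and a `users` table with `username` and `password_hash` columns; PHP 4 from the question has none of these functions.

```php
<?php
// Added example (hypothetical helper names; not from the original thread).
// Assumes PHP >= 7.3, a PDO connection $db, and a "users" table with
// "username" and "password_hash" columns. Include this file on every page.

function require_https() {
    // Refuse to serve the login or any protected page over plain http,
    // so the session cookie is never exposed on the wire.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('HTTP/1.1 403 Forbidden');
        exit('This page is only served over https.');
    }
}

function start_secure_session() {
    // "secure": the browser sends the cookie only over https (the
    // setcookie() attribute the answer mentions). "httponly": scripts in
    // the page cannot read it. lifetime 0: cookie dies with the browser.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

function handle_login(PDO $db, $username, $password) {
    // The database user only needs SELECT on this table, as the asker set up.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The stored value is password_hash() output, never the password itself;
    // password_verify() compares in constant time. The plaintext password
    // is protected in transit by https, not by client-side encryption.
    if ($row && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);        // discard any pre-login session id
        $_SESSION['success_flag'] = true;   // the answer's "success flag"
        $_SESSION['user']         = $username;
        $_SESSION['last_seen']    = time(); // server clock only
        return true;
    }
    return false;
}

function logout() {
    $_SESSION = [];
    session_destroy();
}

function require_login($max_idle_seconds = 900) {
    // Call at the top of every protected page, after start_secure_session().
    if (empty($_SESSION['success_flag'])) {
        header('Location: /login.php');
        exit;
    }
    // Idle timeout measured entirely on the server: a wrong clock on the
    // user's machine cannot extend or shorten the session.
    if (time() - $_SESSION['last_seen'] > $max_idle_seconds) {
        logout();
        header('Location: /login.php?expired=1');
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// Typical page prologue:
require_https();
start_secure_session();
// On login.php: if (handle_login($db, $_POST['user'], $_POST['pass'])) { header('Location: /index.php'); exit; }
// On every other page: require_login();
```

The hand-off to plain http that the answer describes first is exactly what lets a passive listener read the session_id; keeping every page behind require_https() and marking the cookie secure removes that window, and session_regenerate_id() after login keeps a session id that was issued before authentication from becoming a valid logged-in one. The CPU cost the asker worries about is dominated by the TLS handshake, which a handful of users trigger only once per connection, so the per-page overhead of staying on https is small.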