Session control, implementing shh?

Posted on 2002-04-18
Medium Priority
Last Modified: 2006-11-17
I need any info on how I can implement and maintain a secure login on the web and how I can protect my secure pages.

Cookie + session control ?

I'm programming a database program that is maintained and used via the web (http). I have a MySQL database behind all of it and I have followed the MySQL and PHP security guidelines pretty well.

I check passwords/usernames with a user that has only SELECT granted on that specific table, nothing else.
Should I encrypt passwords in the browser, on the server or in the database?
Perhaps in all?

But how can I send/receive information from the browser so that it is encrypted?
How is cookie time measured? (I mean if I set the time on the server and the host clock is something totally different...)

Using PHP4, Mysql ver. and Apache 2.0.35
Question by:9902468

Expert Comment

ID: 6953064
If you want your secure pages not to be exposed to unauthorized users, then you should use SSL (https); anything other than that is considered not secure.
If you use https, you won't need anything to encrypt the login or password, just leave it as the normal approach.

You can make the login + validation page use https; upon successful login, put a "success flag" in the session and redirect to the normal http site. Then, while the user browses your site, as long as you can detect the "success flag" in his/her session, you can assume that this user has logged in successfully... This approach avoids the overhead of using https for a long period per user, since SSL stuff is generally *slow*.
But this is not very secure either, because someone can listen on the network, catch your session_id and then act as you. The most secure system is if you can make the whole of your web application run under https, and make sure the cookie is transmitted only if https is used.. see setcookie() and the secure attribute in the PHP manual for more information... see the Apache docs about installing SSL for a step-by-step https installation (you need to pay a certificate vendor such as VeriSign though).
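The "success flag in the session" scheme described in this comment (and repeated in the accepted answer below), as an added example that is not code from the thread. It marks the session cookie secure and httponly before the session starts, checks the credentials with a prepared statement against a SELECT-only account, rotates the session id at login, and gives protected pages a single check function. It uses modern PHP (7.3 or later: PDO, password_hash(), the array form of session_set_cookie_params()), not the PHP 4 of the original question; the SQLite in-memory table, the user record and the login URL are constructed test values.

```php
<?php
// Added example, not from the original thread: HTTPS-only session login.
// Assumes PHP >= 7.3 and the site being served over https, so the
// "secure" cookie flag does not lock users out.
declare(strict_types=1);

const LOGIN_PAGE = '/login.php';   // assumed location of the login form

// Harden the session cookie BEFORE the session is started.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,       // only ever sent over https
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Constructed test database: one user, password stored as a salted hash,
// never in the clear.
function make_test_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Credential check: prepared statement, so the username cannot inject SQL.
// The database account behind $db needs nothing beyond SELECT on this table.
function check_credentials(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['pwhash']);
}

// After a successful check: fresh session id first, then the flag, so a
// session id captured before login is worthless afterwards (fixation).
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['login_ok'] = true;
    $_SESSION['user']     = $username;
    $_SESSION['last_seen'] = time();
}

// Put this at the top of every protected page. Idle sessions expire by the
// server's clock, independent of whatever the client's clock says.
function require_login(int $max_idle = 1800): void
{
    $idle_too_long = time() - ($_SESSION['last_seen'] ?? 0) > $max_idle;
    if (empty($_SESSION['login_ok']) || $idle_too_long) {
        session_unset();
        session_destroy();
        header('Location: ' . LOGIN_PAGE, true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// login.php handler: <form method="post"> fields -> check -> flag.
function handle_login_post(PDO $db, array $post): bool
{
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    if (!check_credentials($db, $user, $pass)) {
        return false;
    }
    mark_logged_in($user);
    return true;
}

// Stand-alone run (php login_example.php) with constructed form input.
start_secure_session();
$db = make_test_db();
$results = [
    'wrong password' => handle_login_post($db, ['username' => 'alice', 'password' => 'wrong']),
    'right password' => handle_login_post($db, ['username' => 'alice', 'password' => 'correct horse']),
    'flag in session' => !empty($_SESSION['login_ok']),
];
var_dump($results);
```

In a real deployment the `var_dump` tail is replaced by the redirect to the protected area on success and an HTTP 401 on failure; each protected page calls `require_login()` before producing any output. The flag only means anything if the cookie carrying the session id cannot be sniffed, which is why the whole site, not just the login page, has to stay on https for the `secure` flag to help.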

Author Comment

ID: 6953179
LexZEUS is close on some points...
Security is very important, but I'm running on a very tight budget, so the server I'm running it on isn't too powerful and I can't spare much money for certificates, licences etc. Is there any free alternative to SSL?

There are only a handful of users using this service at a time, 10 tops. How much raw processing power is needed to keep about 8 users happy at the same time if they all use https/SSL? This is the only thing to be run on the server.

If you could give me some estimates about CPU, memory needs
when running on linux. What about win2000?

Accepted Solution

LexZEUS earned 280 total points
ID: 6954239
Win2000 is good for those MS things such as DCOM+, .NET and ASP where the DLLs are built in..
PHP works faster in a Linux/UNIX environment with no GUI; the fewer threads (kernel processes) running in the background, the better PHP performance will be (as PHP is a CGI application, the web server will instantiate a new thread per user request). So for you, maybe the best to use is Linux (for both performance and price).

>Is there any free alternative to SSL?
Other than SSL, your site is still hackable, no matter what encryption you use. But that doesn't mean we cannot implement basic security.
I think the suitable security approach will be passing the password once to the server and making the server put a "successful flag" in the session to indicate this user is logged in (PHP will automatically use a session cookie).
Using a persistent cookie as the flag is not a good idea since a user can open it with a text editor, or try to copy and distribute the cookie to his/her friends. Persistent cookies should be avoided.. unless for simple stuff such as items in a shopping cart, the user's last visit date..

You can use the ordinary approach to pass the password from browser to server: using <form method="post" action="???">. POST is more secure than GET since it generally won't appear in proxy server logs, and it is uncacheable in the client's browser (after the client closes the browser).
Another way is to use WWW-Authenticate; it is more convenient and won't be cached by a proxy server for sure.
Check this to learn more:
WWW-Authenticate won't let you design your own login page though... Usually I prefer using <FORM>, I can put more information on the login page such as "Forgot your password?" or "New user register here!" links..

>Should I encrypt passwords in the browser, on the server or in the database? Perhaps in all?

It depends on who your target is... if you want to prevent users from the internet accessing your database, then using a firewall is enough (make the database server local to your web server). Encrypting in the browser is quite *useless* since you can only implement it with scripting languages such as JavaScript or VBScript; this can be a source of laughs since by doing this you actually expose your own password .. (any user can copy-paste the JavaScript source code and track down the password).. so in other words, encrypting stuff with browser scripting languages is pretty useless.
Security for the web server: see my comment above (about <FORM> and WWW-Authenticate)..

>But how can I send/receive information from the browser so that it is encrypted?

It is not possible unless the browser's scripting language is used..
The alternative way is using WWW-Authenticate with the Digest algorithm.

see this:
And read the Message Digest comments from people there...
They have written a function to retrieve the value.
Basically Digest works similarly to basic WWW-Authenticate; the difference is that the text which is transferred to the server is digested. You cannot decrypt a digested text (unlike an encryption process, where you can decrypt it back), but you can still validate whether the digested text is an actual representation of the original text.
The term "digested" means the source is converted to a certain text of a certain length. See the md5() function in the PHP manual for more info about message digests.

>How is cookie time measured? (I mean if I set the time on the server and the host clock is something totally different...)

Relative to GMT 0:0:0; you don't have to worry, PHP will set the time according to GMT, and your browser will understand it..
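The Digest exchange the accepted answer points to, as an added example that is not code from the thread or from the PHP manual comments it mentions. Both sides are shown so it runs offline: the client computes the RFC 2617 `qop=auth` response from the server's challenge, and the server parses the `Authorization` header, rejects nonces it never issued, and recomputes the response from a stored HA1 (`md5("user:realm:password")`) rather than a stored password. The realm, user, nonce store and request URI are constructed values; it needs PHP 7.4 or later (arrow function, `random_bytes()`), not PHP 4.

```php
<?php
// Added example, not from the original thread: HTTP Digest authentication
// (RFC 2617, qop=auth) with the client computation and the server check.
declare(strict_types=1);

const REALM = 'db-app';   // constructed realm name

// Server side: the 401 challenge. Every nonce handed out must be remembered
// (file, table or session in practice) so forged or replayed ones fail.
function challenge_header(string $nonce): string
{
    return sprintf('WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", opaque="%s"',
        REALM, $nonce, md5(REALM));
}

// Client side (what the browser does): response = md5(HA1:nonce:nc:cnonce:qop:HA2).
// The password itself never leaves the client.
function client_authorization(string $user, string $password, string $method,
                              string $uri, string $nonce, string $nc, string $cnonce): string
{
    $ha1 = md5("$user:" . REALM . ":$password");
    $ha2 = md5("$method:$uri");
    $response = md5("$ha1:$nonce:$nc:$cnonce:auth:$ha2");
    return sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
        . 'qop=auth, nc=%s, cnonce="%s", response="%s", opaque="%s"',
        $user, REALM, $nonce, $uri, $nc, $cnonce, $response, md5(REALM));
}

// Parse the Authorization header into key/value pairs (quoted or bare values).
// Returns null when a field the verifier needs is missing.
function parse_digest(string $header): ?array
{
    if (strncasecmp($header, 'Digest ', 7) !== 0) {
        return null;
    }
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $data = [];
    foreach ($m as $match) {
        $data[$match[1]] = $match[2] !== '' ? $match[2] : ($match[3] ?? '');
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'nc', 'cnonce', 'qop', 'response'] as $k) {
        if (!isset($data[$k])) {
            return null;
        }
    }
    return $data;
}

// Server side: verify the header for this request. $ha1_by_user holds the
// stored HA1 per account; $valid_nonce says whether we issued the nonce.
// Returns the authenticated username, or null.
function verify_digest(string $header, string $method, string $request_uri,
                       array $ha1_by_user, callable $valid_nonce): ?string
{
    $d = parse_digest($header);
    if ($d === null || $d['realm'] !== REALM || $d['qop'] !== 'auth') {
        return null;
    }
    // The uri in the header must be the one actually requested, or a captured
    // response for one page could be presented for another.
    if ($d['uri'] !== $request_uri || !$valid_nonce($d['nonce'])) {
        return null;
    }
    if (!isset($ha1_by_user[$d['username']])) {
        return null;
    }
    $ha1 = $ha1_by_user[$d['username']];
    $ha2 = md5("$method:{$d['uri']}");
    $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$ha2");
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($expected, $d['response']) ? $d['username'] : null;
}

// Offline run of the exchange with constructed values.
$nonce  = bin2hex(random_bytes(16));
$issued = [$nonce => true];                           // server-side nonce store
$valid  = static fn(string $n): bool => isset($issued[$n]);
$store  = ['alice' => md5('alice:' . REALM . ':correct horse')];   // HA1 only

$uri    = '/secret.php';
$good   = client_authorization('alice', 'correct horse', 'GET', $uri, $nonce, '00000001', 'abc123');
$bad    = client_authorization('alice', 'wrong', 'GET', $uri, $nonce, '00000001', 'abc123');
$forged = client_authorization('alice', 'correct horse', 'GET', $uri, 'made-up', '00000001', 'abc123');

var_dump([
    'challenge'      => challenge_header($nonce),
    'good login'     => verify_digest($good, 'GET', $uri, $store, $valid),
    'wrong password' => verify_digest($bad, 'GET', $uri, $store, $valid),
    'forged nonce'   => verify_digest($forged, 'GET', $uri, $store, $valid),
]);
```

Under Apache with PHP as a module the browser's header arrives in `$_SERVER['PHP_AUTH_DIGEST']` and the request URI in `$_SERVER['REQUEST_URI']`; when no header is present, send the challenge with an HTTP 401 status. Digest keeps the password off the wire, but everything else in the request and response still travels in the clear, so it replaces the login form, not SSL.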
