Session control, implementing shh?

I need any info how I can implement and maintain secure login in www and how I can protect my secure pages.

Cookie + session control ?

I'm programming a database program that is maintained and used via www. (http) I have mysql database behind all of it and I have followed Mysql and php security quidelines pretty well.

I check passwords/usernames with user that has only select granted to that specific table, nothing else.
Should I crypt passwords in browser, server or database?
Perhaps in all?

But how can I send/receive information from browser so that it is crypted?
How cookie time is measured? (I mean if I set time in server and host clock is something totally different...)

Using PHP4, Mysql ver. and Apache 2.0.35
Who is Participating?
Win2000 good for those MS stuffs such as DCOM+, .NET and ASP where the dlls are built in..
PHP works faster in Linux/UNIX environment with no GUI, the less thread (kernel process) running at background, the better PHP performence will be (as PHP is a CGI application, the web server will instantiate new thread per user's request). So for you, maybe the best to use is Linux (for both performence and price).

>Is there any free alternative to SSL.
Except than SSL, your site is still hackable, no matter what encryption you will use. But that doesn't mean we cannot implement basic security.
I thing the suitable security approach will be passing the password once to the server and make the server put "succesful flag" in session to indicate this user is login (php will automatically use session cookie).
To use persistent cookie as flag is not a good idea since a user can open it with text editor, or try to copy and destribute the cookie to his/her friends. Persistent cookie should be avoided.. unless for simple stuff such as item in shopping cart, user's last visited date..

You can use ordinary approach to pass the password from browser to server: using <form method="post" action="???">, post is more secure than get since it generally won't appears in proxy server's log, and it is uncacheable in client's browser (after client close the browser).
Another way is to use WWW-Authenticate, it is more convenient and won't be cached proxy server for sure.
Check this to learn more:
WWW authenticate won't let you to design your own login page though... Usually I prefer using <FORM>, I can put more information regarding the login page such as "Forget your password?" or "New user register here!" links..

>Should I crypt passwords in browser, server or database? Perhaps in all?

It depends on who is your target... if you want to prevent user from internet to access your database, then using firewall is enough (make the database server local to your web server). Crypting in browser is quite *useless* since you can only implement it with scripting languages such as JavaScript or VBScript, this can be source of laugh since by doing this, you actually expose your own password .. (any user can copy-paste the javascript source code, and track down the password).. so in other words, crypting stuff with browser scripting languages is pretty useless.
Security for web server: see my comment above (about <FORM> and www-authenticate)..

>But how can I send/receive information from browser so that it is crypted?

Is not possible unless browser's scripting language is used..
The alternative way is using WWW-Authentiate with Digest algorithm

see this:
And read about Message Digest comments from people there...
They have written a function to retrieve the value.
Basically Digest works similar to basic WWW-Authenticate, the different is the text which is transfered to server is digested, you cannot decrypt a degisted text (unlike encrypting process, you can decrypt it back), but you still can validate whether digested text is actuall representation of the original text.
Term digested means the source is converted to certain text with certain length. See about md5() function in php manual to get more info about message digest.

>How cookie time is measured? (I mean if I set time in server and host clock is something totally different...)

Relative to GMT 0:0:0, you don't have to worry, php will set the time according to GMT, and your browser will understand it..
If you want your secure pages not to be exposed to unauthorized user, the you should use SSL (https), other than that is considered not secure.
If you use https, you won't need something to encrypt login or password, just leave it as normal approach.

You can make the login + validation page using https, upon succesful login, put the "success flag" in session and redirect it to normal http site. Then, while the user browse your site, as long as you can detect "success flag" in his/her session, you can assume that this user has login succesfully... This approach is to avoid overhead using https for long period per user since SSL stuff is generaly *slow*.
But, this is not very secure too, coz someone can listen to network and catch your session_id, and then acts as you. The most secure system if you can make the whole of your web application codes run under https, and make sure the cookie can be transmitted if https is used.. see about setCookie() and secure attribute in php manual for more information... see about installing SSL in apache docs for step by step https installation (you need to pay certificate vendor such as VeriSign though).
9902468Author Commented:
LexZEUS is close for some points...
Security is very important, but I'm running with very tight budget, so the server I'm running it on isn't too powerful and I can't spare much money to certificates, licences etc. Is there any free alternative to SSL.

There are only a handfull of users using this service at a time, 10 tops. How much raw processing power is needed to keep about 8 users happy at the same time if they all use https ssl? this is the only thing to be driven in server.

If you could give me some estimates about CPU, memory needs
when running on linux. What about win2000?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.