Solved

Session control, implementing ssh?

Posted on 2002-04-18
Last Modified: 2006-11-17
I need any info on how I can implement and maintain a secure login on the www and how I can protect my secure pages.

Cookie + session control ?

I'm programming a database program that is maintained and used via www (http). I have a MySQL database behind all of it and I have followed the MySQL and PHP security guidelines pretty well.

I check passwords/usernames with a user that has only SELECT granted on that specific table, nothing else.
Should I encrypt passwords in the browser, on the server or in the database?
Perhaps in all?

But how can I send/receive information from the browser so that it is encrypted?
How is cookie time measured? (I mean, if I set the time on the server and the host clock is something totally different...)

Using PHP4, MySQL ver. and Apache 2.0.35
Question by: 9902468

3 Comments
Expert Comment by: LexZEUS
ID: 6953064
If you want your secure pages not to be exposed to unauthorized users, then you should use SSL (https); anything other than that is considered not secure.
If you use https, you won't need something to encrypt the login or password, just leave it as the normal approach.

You can make the login + validation page using https; upon successful login, put the "success flag" in the session and redirect to the normal http site. Then, while the user browses your site, as long as you can detect the "success flag" in his/her session, you can assume that this user has logged in successfully... This approach avoids the overhead of using https for a long period per user, since SSL stuff is generally *slow*.
But this is not very secure either, coz someone can listen to the network and catch your session_id, and then act as you. The most secure system is if you can make the whole of your web application code run under https, and make sure the cookie can be transmitted if https is used.. see setCookie() and the secure attribute in the php manual for more information... see about installing SSL in the apache docs for step-by-step https installation (you need to pay a certificate vendor such as VeriSign though).

Author Comment by: 9902468
ID: 6953179
LexZEUS is close on some points...
Security is very important, but I'm running on a very tight budget, so the server I'm running it on isn't too powerful and I can't spare much money for certificates, licences etc. Is there any free alternative to SSL?

There are only a handful of users using this service at a time, 10 tops. How much raw processing power is needed to keep about 8 users happy at the same time if they all use https/SSL? This is the only thing to be run on the server.

If you could give me some estimates about CPU and memory needs
when running on Linux. What about Win2000?

Accepted Solution by: LexZEUS (earned 70 total points)
ID: 6954239
Win2000 is good for MS stuff such as DCOM+, .NET and ASP where the dlls are built in..
PHP works faster in a Linux/UNIX environment with no GUI; the fewer threads (kernel processes) running in the background, the better PHP performance will be (as PHP is a CGI application, the web server will instantiate a new thread per user's request). So for you, maybe the best to use is Linux (for both performance and price).

>Is there any free alternative to SSL?
Other than with SSL, your site is still hackable, no matter what encryption you use. But that doesn't mean we cannot implement basic security.
I think the suitable security approach will be passing the password once to the server and making the server put a "successful flag" in the session to indicate this user is logged in (php will automatically use a session cookie).
Using a persistent cookie as the flag is not a good idea since a user can open it with a text editor, or try to copy and distribute the cookie to his/her friends. Persistent cookies should be avoided.. unless for simple stuff such as items in a shopping cart, user's last visited date..

You can use the ordinary approach to pass the password from browser to server: using <form method="post" action="???">. POST is more secure than GET since it generally won't appear in a proxy server's log, and it is uncacheable in the client's browser (after the client closes the browser).
Another way is to use WWW-Authenticate; it is more convenient and won't be cached by proxy servers for sure.
Check this to learn more:
http://www.zend.com/manual/features.http-auth.php
WWW-Authenticate won't let you design your own login page though... Usually I prefer using <FORM>, as I can put more information on the login page such as "Forgot your password?" or "New user register here!" links..

>Should I encrypt passwords in the browser, on the server or in the database? Perhaps in all?

It depends on who your target is... if you want to prevent users from the internet accessing your database, then using a firewall is enough (make the database server local to your web server). Encrypting in the browser is quite *useless* since you can only implement it with scripting languages such as JavaScript or VBScript; this can be a source of laughs since by doing this, you actually expose your own password .. (any user can copy-paste the javascript source code, and track down the password).. so in other words, encrypting stuff with browser scripting languages is pretty useless.
Security for the web server: see my comment above (about <FORM> and WWW-Authenticate)..

>But how can I send/receive information from the browser so that it is encrypted?

It is not possible unless the browser's scripting language is used..
The alternative way is using WWW-Authenticate with the Digest algorithm.

See this:
http://vip2.alfanet.wroclaw.pl/system-doc/www.php.net/manual/en/features.http-auth.php
And read the Message Digest comments from people there...
They have written a function to retrieve the value.
Basically Digest works similarly to basic WWW-Authenticate; the difference is that the text which is transferred to the server is digested. You cannot decrypt a digested text (unlike an encryption process, where you can decrypt it back), but you can still validate whether the digested text is an actual representation of the original text.
The term digested means the source is converted to a certain text with a certain length. See the md5() function in the php manual for more info about message digests.

>How is cookie time measured? (I mean, if I set the time on the server and the host clock is something totally different...)

Relative to GMT 0:0:0. You don't have to worry, php will set the time according to GMT, and your browser will understand it..
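The Digest exchange LexZEUS describes above, worked through as an added example (not code from the thread or the PHP manual): the browser sends only md5 digests, the server holds HA1 = md5(user:realm:password) rather than the plaintext and recomputes the expected response, and a nonce is honoured once so a captured Authorization header cannot simply be replayed. The user, realm, nonce and response values are the RFC 2617 worked example; the one-time nonce bookkeeping is an assumption of this example.

```python
import hashlib
import hmac
import re

# Sample values are the RFC 2617 worked example (section 3.5).
REALM = "testrealm@host.com"
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
# Nonces the server has issued; each is accepted once, defeating replay of a captured header.
ISSUED_NONCES = {SERVER_NONCE}

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user: str, password: str) -> str:
    return md5_hex(f"{user}:{REALM}:{password}")

# Server stores HA1 = md5(user:realm:password) per user, never the plaintext (constructed).
STORED_HA1 = {"Mufasa": ha1("Mufasa", "Circle Of Life")}

def client_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    # Browser side (qop=auth): only this digest travels, never the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(user, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def build_header(user, password, method, uri, nonce, nc, cnonce) -> str:
    # The Authorization header a browser sends in reply to a challenge carrying `nonce`.
    resp = client_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest_header(header: str) -> dict:
    # Splits 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare.
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^",\s]+))', header)
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2) for m in pairs}

def verify(header: str, method: str) -> bool:
    # Server side: recompute the response from the stored HA1 and compare in constant time.
    p = parse_digest_header(header)
    try:
        expected_ha1 = STORED_HA1[p["username"]]
        if p["realm"] != REALM or p["qop"] != "auth" or p["nonce"] not in ISSUED_NONCES:
            return False
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{expected_ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        ok = hmac.compare_digest(expected, p["response"])
    except KeyError:  # unknown user or a missing field
        return False
    if ok:
        ISSUED_NONCES.discard(p["nonce"])  # nonce is now spent
    return ok
```

Because the response binds method and URI, a header captured for one page fails when presented for another, and a second presentation of the same header fails on the spent nonce.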
