Solved

Starting place for secure login

Posted on 2002-07-09
Last Modified: 2010-05-18
Hi.  I'm not getting too much help from my host regarding how to set up a secure login for a web page I'm building.  Here's what I know about my host (basically from running the phpinfo() function).

Loaded modules are as follows:
mod_php4, apache_ssl, mod_setenvif, mod_so, mod_expires, mod_auth, mod_access, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

My home directory looks like this:
cgi-bin
public_html
secure
logs

Our web server is: apache-ssl on a linux o/s

It looks like I have to put my stuff into the secure directory but I want to know which encryption schemes I can use when registering new administrators on the web.
I looked on PHPBuilder and followed one of the tutorials but I don't think we have that module installed.  I'm in need of a ton of help.  What can I read that applies to the modules I have above?
Question by:KABOOM
1 Comment
Accepted Solution

by: Richard Quadling (earned 400 total points)
ID: 7142925
Using a database and sessions should provide you with a reasonable amount of security.

The idea goes something like this.

User visits your unsecured, open front page and chooses the Login option.
The login script sees if there is a cookie for this user.

If so, then this CAN be their "permanent" session identifier. Retrieve the session info from the database, validate it and put them either on the secured page or on the login page if the credentials fail for any reason.

If no cookie, then they either have elected not to "remember" their login or don't have cookies or have never been here before. Either way you present them with the login page.

The login page gets their userID and password. You look these up in the database and see if they are valid.

If they are valid, then you can start a new session and log the session ID in the database for that user, making sure that this kills off any other session that this user MAY have - this stops multiple logins for the same account pretty quickly as only 1 session can be attached to a login.

If they are invalid then drop them back to the login page.

On every page you want to keep secured, you SHOULD be able to get the session ID from the cookie. Normally, session cookies are permitted, though even these can be blocked by some users/browsers/etc. if wanted. In these instances, PHP can add the session id to all URLs (unless they are in JavaScript). I think it is normally OK to say you need cookies to access a secure site.

On every secure page you get the session ID, look it up in the DB. If it is NOT present, then put them to the login page. So, if the user has shared out the password, only 1 of his friends can connect at any time and as soon as another one tries it, he kills off the first one and the first one is forced to login. And he will, which then kills off the second one who is forced to log in again and before long they have given up and you MAY get contacted by the original id holder and you can tell him you had 200 people trying to use his account and would he like a new one? For an admin fee of course! <grin>

Anyway.

You get the cookie, look up the ID in the DB. Set the time and IP address. Maybe log it so you know who is jumping from page to page if you have logging software that can track this sort of thing and your ISP won't release log files.


The basic idea here is getting the browser to remember the session ID. You can use a cookie for this. You can encrypt the session var any way you like and some people do.

The session id links to a specific user id.

Only 1 session per ID is allowed - no concurrent uses of same id.

The session vars do NOT hold the username or the password.


So far, this is all done with standard http protocol, not https.


I've not used https.

There are other ways of doing this sort of security, and it is pretty secure.

Regards,

Richard Quadling.
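The scheme in the accepted answer (database-backed sessions, one session per account, per-page lookup of the cookie's session ID) as an added PHP example that is not part of the original question or answer. It assumes PDO with the SQLite driver so it runs stand-alone; the table layout, column names and the sample account are constructed for this example, and passwords are stored as hashes rather than compared in the clear.

```php
<?php
// Added example (not from the original thread): single-session login as
// described in the answer. Assumes pdo_sqlite; tables and data are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER UNIQUE, ip TEXT, last_seen INTEGER)');

// Constructed sample account; only a password hash is stored, never the password.
$ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login: verify credentials, then issue a fresh random session id. Deleting any
// existing row for this user_id (backed by the UNIQUE constraint) enforces the
// answer's rule that only one session per account can exist at a time.
function login(PDO $db, string $user, string $pass, string $ip): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['pw_hash'])) {
        return null;                      // invalid: send them back to the login page
    }
    $sid = bin2hex(random_bytes(32));     // unguessable; not derived from user data
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$row['id']]);
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)')
       ->execute([$sid, $row['id'], $ip, time()]);
    // In a real page the id goes into the cookie, e.g.:
    // setcookie('sid', $sid, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    return $sid;
}

// Per-page check: the cookie's session id must still be present in the DB and
// not idle too long. Returns the user id, or null when the session was killed.
function currentUser(PDO $db, ?string $sid, string $ip, int $maxIdle = 1800): ?int {
    if ($sid === null) return null;
    $st = $db->prepare('SELECT user_id, last_seen FROM sessions WHERE session_id = ?');
    $st->execute([$sid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || time() - (int)$row['last_seen'] > $maxIdle) return null;
    // Record time and IP on every hit, as the answer suggests, for later review.
    $db->prepare('UPDATE sessions SET ip = ?, last_seen = ? WHERE session_id = ?')
       ->execute([$ip, time(), $sid]);
    return (int)$row['user_id'];
}

// Scenario from the answer: a second login with the same account kills the first.
$first  = login($db, 'alice', 'correct horse', '10.0.0.1');
$second = login($db, 'alice', 'correct horse', '10.0.0.2');
var_dump(currentUser($db, $first, '10.0.0.1'));    // first session no longer exists
var_dump(currentUser($db, $second, '10.0.0.2'));   // only the newest session is valid
var_dump(login($db, 'alice', 'wrong password', '10.0.0.3'));  // rejected credentials
```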
