Solved

Starting place for secure login

Posted on 2002-07-09
Last Modified: 2010-05-18
Hi.  I'm not getting too much help from my host regarding how to set up a secure login for a web page I'm building.  Here's what I know about my host (basically running the phpinfo() function).

Loaded modules are as follows:
mod_php4, apache_ssl, mod_setenvif, mod_so, mod_expires, mod_auth, mod_access, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

My home directory looks like this:
cgi-bin
public_html
secure
logs

Our web server is: apache-ssl on a linux o/s

It looks like I have to put my stuff into the secure directory but I want to know which encryption schemes I can use when registering new administrators on the web.
I looked on PHPBuilder and followed one of the tutorials but I don't think we have that module installed.  I'm in need of a ton of help.  What can I read that applies to the modules I have above?
Question by: KABOOM

Accepted Solution by: RQuadling (earned 100 total points)
Using a database and sessions should provide you with a reasonable amount of security.

The idea goes something like this.

User visits your unsecured, open front page and chooses the Login option.
The login script sees if there is a cookie for this user.

If so, then this CAN be their "permanent" session identifier. Retrieve the session info from the database, validate it and put them either on the secured page or on the login page if the credentials fail for any reason.

If no cookie, then they either have elected not to "remember" their login or don't have cookies or have never been here before. Either way you present them with the login page.

The login page gets their userID and password. You look these up in the database and see if they are valid.

If they are valid, then you can start a new session and log the session ID in the database for that user, making sure that this kills off any other session that this user MAY have - this stops multiple logins for the same account pretty quickly as only 1 session can be attached to a login.

If they are invalid then drop them back to the login page.

On every page you want to keep secured, you SHOULD be able to get the session ID from the cookie. Normally, session cookies are permitted, though even these can be blocked by some users/browsers/etc. if wanted. In these instances, PHP can add the session id to all URLs (unless they are in JavaScript). I think it is normally OK to say you need cookies to access a secure site.

On every secure page you get the session ID, look it up in the DB. If it is NOT present, then put them to the login page. So, if the user has shared out the password, only 1 of his friends can connect at any time and as soon as another one tries it, he kills off the first one and the first one is forced to login. And he will, which then kills off the second one who is forced to re-login and before long they have given up and you MAY get contacted by the original id holder and you can tell him you had 200 people trying to use his account and would he like a new one? For an admin fee of course! <grin>

Anyway.

You get the cookie, look up the ID in the DB. Set the time and IP address. Maybe log it so you know who is jumping from page to page if you have logging software that can track this sort of thing and your ISP won't release log files.


The basic idea here is getting the browser to remember the session ID. You can use a cookie for this. You can encrypt the session var any way you like and some people do.

The session id links to a specific user id.

Only 1 session per ID is allowed - no concurrent uses of same id.

The session vars do NOT hold the username or the password.


So far, this is all done with standard http protocol, not https.


I've not used https.

There are other ways of doing this sort of security, and it is pretty secure.

Regards,

Richard Quadling.
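As an added example (not part of RQuadling's answer, and in Python with sqlite3 rather than PHP), the data model the answer describes: a users table, a sessions table keyed by a random session ID with a UNIQUE constraint on user_id so an account can have at most one session, a login that replaces any existing session for that user, and a per-page check that looks the ID up, refreshes the timestamp and IP, and sends the visitor back to the login page when the session is absent or stale. Salted password hashing (PBKDF2), the 30-minute idle timeout and the constructed sample users are assumptions; the answer does not say how passwords are stored.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

SESSION_TTL = 30 * 60  # assumption: a session idle for 30 minutes is dropped


def open_db():
    """Create the two tables from the answer in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " salt BLOB, pw_hash BLOB)"
    )
    # UNIQUE on user_id is what enforces "only 1 session per ID"
    conn.execute(
        "CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER UNIQUE,"
        " ip TEXT, last_seen INTEGER)"
    )
    return conn


def hash_password(password, salt):
    # assumption: PBKDF2-SHA256 with a per-user random salt; the page does not
    # specify a scheme. Never store the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def login(conn, username, password, ip, now):
    """Validate userID/password. On success start a new session and kill any
    other session this user may have. Returns the session ID or None."""
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable, stored in the cookie
    conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
    conn.execute(
        "INSERT INTO sessions VALUES (?, ?, ?, ?)", (session_id, user_id, ip, now)
    )
    return session_id


def check_session(conn, session_id, ip, now):
    """Run on every secured page: look the cookie's session ID up in the DB.
    Returns the user_id, or None meaning 'send them to the login page'."""
    row = conn.execute(
        "SELECT user_id, last_seen FROM sessions WHERE session_id = ?", (session_id,)
    ).fetchone()
    if row is None:
        return None
    user_id, last_seen = row
    if now - last_seen > SESSION_TTL:
        conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
        return None
    # set the time and IP address, as the answer suggests
    conn.execute(
        "UPDATE sessions SET last_seen = ?, ip = ? WHERE session_id = ?",
        (now, ip, session_id),
    )
    return user_id


def logout(conn, session_id):
    conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))


def demo():
    """Constructed walkthrough: a second login for the same account evicts the first."""
    conn = open_db()
    register(conn, "alice", "correct horse")  # constructed sample user
    first = login(conn, "alice", "correct horse", "192.0.2.10", now=1000)
    second = login(conn, "alice", "correct horse", "192.0.2.20", now=1020)
    first_alive = check_session(conn, first, "192.0.2.10", now=1030) is not None
    second_alive = check_session(conn, second, "192.0.2.20", now=1030) is not None
    return (not first_alive) and second_alive


if __name__ == "__main__":
    print("second login evicted the first:", demo())
```

The session ID in the cookie is the only thing standing between a visitor and the account, so the ID must be random (not a counter or a hash of the username), the lookup must treat an unknown or expired ID as "not logged in", and in practice the cookie is marked Secure and HttpOnly and sent only over HTTPS; the answer's design works over plain HTTP, but the ID is then readable by anyone on the network path.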