
Starting place for secure login

Hi.  I'm not getting too much help from my host regarding how to set up a secure login for a web page I'm building.  Here's what I know about my host (basically from running the phpinfo() function).

Loaded modules are as follows:
mod_php4, apache_ssl, mod_setenvif, mod_so, mod_expires, mod_auth, mod_access, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

My home directory looks like this:

Our web server is: apache-ssl on a linux o/s

It looks like I have to put my stuff into the secure directory but I want to know which encryption schemes I can use when registering new administrators on the web.
I looked on PHPBuilder and followed one of the tutorials but I don't think we have that module installed.  I'm in need of a ton of help.  What can I read that applies to the modules I have above?
Richard Quadling, Senior Software Developer, commented:
Using a database and sessions should provide you with a reasonable amount of security.

The idea goes something like this.

User visits your unsecured, open front page and chooses the Login option.
The login script sees if there is a cookie for this user.

If so, then this CAN be their "permanent" session identifier. Retrieve the session info from the database, validate it and put them either on the secured page or on the login page if the credentials fail for any reason.

If no cookie, then they either have elected not to "remember" their login or don't have cookies or have never been here before. Either way you present them with the login page.

The login page gets their userID and password. You look these up in the database and see if they are valid.

If they are valid, then you can start a new session and log the session ID in the database for that user, making sure that this kills off any other session that this user MAY have - this stops multiple logins for the same account pretty quickly as only 1 session can be attached to a login.

If they are invalid then drop them back to the login page.

On every page you want to keep secured, you SHOULD be able to get the session ID from the cookie. Normally, session cookies are permitted, though even these can be blocked by some users/browsers/etc. if wanted. In these instances, PHP can add the session id to all URLs (unless they are in JavaScript). I think it is normally OK to say you need cookies to access a secure site.

On every secure page you get the session ID, look it up in the DB. If it is NOT present, then put them to the login page. So, if the user has shared out the password, only 1 of his friends can connect at any time and as soon as another one tries it, he kills off the first one and the first one is forced to login. And he will, which then kills off the second one who is forced to re-login, and before long they have given up and you MAY get contacted by the original id holder and you can tell him you had 200 people trying to use his account and would he like a new one? For an admin fee of course! <grin>


You get the cookie, look up the ID in the DB. Set the time and IP address. Maybe log it so you know who is jumping from page to page if you have logging software that can track this sort of thing and your ISP won't release log files.

The basic idea here is getting the browser to remember the session ID. You can use a cookie for this. You can encrypt the session var any way you like and some people do.

The session id links to a specific user id.

Only 1 session per ID is allowed - no concurrent uses of same id.

The session vars do NOT hold the username or the password.

So far, this is all done with standard http protocol, not https.

I've not used https.

There are other ways of doing this sort of security, and it is pretty secure.


Richard Quadling.
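The flow the answer describes (cookie-borne session id, server-side session table, one session per account, username and password kept out of the session), as an added PHP example that is not code from the original post. It assumes a `users` table with an `id`, `username` and bcrypt `password_hash` column, a `sessions` table (`session_id`, `user_id`, `ip`, `last_seen`), and PHP 5.5 or later for `password_verify`; the asker's host ran PHP 4, where these functions do not exist.

```php
<?php
// Added example, not from the original answer. Assumed schema:
//   users(id, username, password_hash)   sessions(session_id, user_id, ip, last_seen)
declare(strict_types=1);

// Session id travels only in a cookie, never appended to URLs, and is
// not readable by page scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;                       // back to the login page
    }
    // Fresh id on every successful login; the pre-login id is discarded.
    session_regenerate_id(true);
    // "Kill off any other session this user may have": one row per account.
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$user['id']]);
    $db->prepare('INSERT INTO sessions (session_id, user_id, ip, last_seen) VALUES (?, ?, ?, ?)')
       ->execute([session_id(), $user['id'], $_SERVER['REMOTE_ADDR'] ?? '', time()]);
    // Only the id is stored server-side; no username or password in $_SESSION.
    return true;
}

// Guard for every secured page: the session id must still be in the DB.
function requireLogin(PDO $db): int
{
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE session_id = ?');
    $stmt->execute([session_id()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        // Replaced by a newer login elsewhere, or never existed: force re-login.
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    // Record time and IP on each hit, as the answer suggests.
    $db->prepare('UPDATE sessions SET ip = ?, last_seen = ? WHERE session_id = ?')
       ->execute([$_SERVER['REMOTE_ADDR'] ?? '', time(), session_id()]);
    return (int) $userId;
}
```

Because the lookup is by session id only, a second login for the same account deletes the first row and the first browser is sent back to `/login.php` on its next request, which is the behaviour the answer relies on to discourage shared passwords.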