Solved

Starting place for secure login

Posted on 2002-07-09
Last Modified: 2010-05-18
Hi.  I'm not getting too much help from my host regarding how to set up a secure login for a web page I'm building.  Here's what I know about my host (basically from running the phpinfo() function).

Loaded modules are as follows:
mod_php4, apache_ssl, mod_setenvif, mod_so, mod_expires, mod_auth, mod_access, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

My home directory looks like this:
cgi-bin
public_html
secure
logs

Our web server is: apache-ssl on a Linux OS

It looks like I have to put my stuff into the secure directory but I want to know which encryption schemes I can use when registering new administrators on the web.
I looked on PHPBuilder and followed one of the tutorials but I don't think we have that module installed.  I'm in need of a ton of help.  What can I read that applies to the modules I have above?
Question by:KABOOM

Accepted Solution

by: Richard Quadling (earned 100 total points)
ID: 7142925
Using a database and sessions should provide you with a reasonable amount of security.

The idea goes something like this.

User visits your unsecured, open front page and chooses the Login option.
The login script sees if there is a cookie for this user.

If so, then this CAN be their "permanent" session identifier. Retrieve the session info from the database, validate it and put them either on the secured page or on the login page if the credentials fail for any reason.

If no cookie, then they either have elected not to "remember" their login or don't have cookies or have never been here before. Either way you present them with the login page.

The login page gets their userID and password. You look these up in the database and see if they are valid.

If they are valid, then you can start a new session and log the session ID in the database for that user, making sure that this kills off any other session that this user MAY have - this stops multiple logins for the same account pretty quickly as only 1 session can be attached to a login.

If they are invalid then drop them back to the login page.

On every page you want to keep secured, you SHOULD be able to get the session ID from the cookie. Normally, session cookies are permitted, though even these can be blocked by some users/browsers/etc. if wanted. In these instances, PHP can add the session id to all URLs (unless they are in JavaScript). I think it is normally OK to say you need cookies to access a secure site.

On every secure page you get the session ID, look it up in the DB. If it is NOT present, then put them to the login page. So, if the user has shared out the password, only 1 of his friends can connect at any time and as soon as another one tries it, he kills off the first one and the first one is forced to login. And he will, which then kills off the second one who is forced to re-login, and before long they have given up and you MAY get contacted by the original id holder and you can tell him you had 200 people trying to use his account and would he like a new one? For an admin fee of course! <grin>

Anyway.

You get the cookie, look up the ID in the DB. Set the time and IP address. Maybe log it so you know who is jumping from page to page if you have logging software that can track this sort of thing and your ISP won't release log files.


The basic idea here is getting the browser to remember the session ID. You can use a cookie for this. You can encrypt the session var any way you like and some people do.

The session id links to a specific user id.

Only 1 session per ID is allowed - no concurrent uses of same id.

The session vars do NOT hold the username or the password.


So far, this is all done with standard http protocol, not https.


I've not used https.

There are other ways of doing this sort of security, and it is pretty secure.

Regards,

Richard Quadling.
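The scheme described in the accepted solution (credentials checked against the database, a fresh session ID recorded per user so a second login displaces the first, and every secured page looking the cookie's ID up in the DB), written out as an added PHP example. This is not the poster's or the answerer's code; it assumes PHP 7 or later with the pdo_sqlite extension, and the table and column names are invented for the illustration.

```php
<?php
// Added example (not the poster's code): one session per user, as in the answer.
// Uses an in-memory SQLite database via PDO; table/column names are invented here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
           pw_hash TEXT, session_id TEXT, last_ip TEXT, last_seen INTEGER)');

function register(PDO $db, string $name, string $password): void {
    // Store only a salted password hash; the password itself is never kept.
    $st = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $st->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login page: verify the credentials, then mint a fresh session id and record it.
// Overwriting the stored id is what "kills off" any other session for this user.
function login(PDO $db, string $name, string $password, string $ip): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pw_hash'])) {
        return null;                      // invalid: drop them back to the login page
    }
    $sid = bin2hex(random_bytes(32));     // unguessable id; this is all the cookie holds
    $up = $db->prepare('UPDATE users SET session_id = ?, last_ip = ?, last_seen = ?
                        WHERE id = ?');
    $up->execute([$sid, $ip, time(), $row['id']]);
    return $sid;
}

// Every secured page: look the cookie's session id up; unknown id => login page.
function current_user(PDO $db, ?string $sid): ?string {
    if ($sid === null) {
        return null;                      // no cookie at all
    }
    $st = $db->prepare('SELECT name FROM users WHERE session_id = ?');
    $st->execute([$sid]);
    $name = $st->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed walk-through: a second login for the same account displaces the first.
register($db, 'admin', 'correct horse battery staple');
$first  = login($db, 'admin', 'correct horse battery staple', '192.0.2.10');
$second = login($db, 'admin', 'correct horse battery staple', '192.0.2.20');
var_dump(current_user($db, $first));                   // NULL: first session was killed
var_dump(current_user($db, $second));                  // string(5) "admin"
var_dump(login($db, 'admin', 'wrong password', '192.0.2.30')); // NULL
```

Because only the random session ID travels in the cookie, the session carries neither username nor password, matching the answer's rule; the IP and time columns give the per-page logging the answer mentions.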
