What's the best way to secure a web site ( user name/password )
I have a web site that had users table and 'login' page sends the user input to "authentication page" which checks if it's the right user and authenticates the user. Now one problem that I might be facing is, I am passing user info through the url (query string), but, how if someone changes the url, they can get into other users's data? How should I secure this? any ideas?
One soulution that I have is, passing the user info aftre hasing it (hash()) so that it's not that easy to hack/guess what info is being passed.
Just wondering if someone has a better way of doing this, any example, sample code will be helpful.
thanks much.
One soulution that I have is, passing the user info aftre hasing it (hash()) so that it's not that easy to hack/guess what info is being passed.
Just wondering if someone has a better way of doing this, any example, sample code will be helpful.
thanks much.
ASKER
I am using form just to sent the info to "authentication" page and then I am just redirecting (header) along with the query string which shows up in the URL. So, I am not using form in the "authentication" page. If that will be form, you are right, 'll definately use Post.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Even if you use post or get, you are still passing them unencrypted to the server.
What you could it is use some client side javascript and encrypt the username/pass so as not to pass it unecrypted to the http post/get. This will make things more difficult to hijack. Still not being the optimum solution.
Moreover you could sanitize and validate the passed data on the server side so as not to allow any sql injection taking place that i guess you are afraid off.
Finally for avoiding a bot script to repeatedly call your page trying to inject it you can add a captcha script to avoid bots.
You could also add a timed delay, and disable for instance 5 wrong tries of logging in puting a 1 minute delay. This will also prohibit any hijackers from contuing to try
What you could it is use some client side javascript and encrypt the username/pass so as not to pass it unecrypted to the http post/get. This will make things more difficult to hijack. Still not being the optimum solution.
Moreover you could sanitize and validate the passed data on the server side so as not to allow any sql injection taking place that i guess you are afraid off.
Finally for avoiding a bot script to repeatedly call your page trying to inject it you can add a captcha script to avoid bots.
You could also add a timed delay, and disable for instance 5 wrong tries of logging in puting a 1 minute delay. This will also prohibit any hijackers from contuing to try
POST does not add variables to the query string.
http://www.w3schools.com/php/php_post.asp