Posted by Erwin Moller on June 6, 2008, 5:09 am
Harris Kosmidhs wrote:
> Erwin Moller wrote:
>> Harris Kosmidhs wrote:
>>> Hello,
>>
>> Hi,
>>
>>>
>>> while I'm developing sites for some time I never coded a login form
>>> with security in mind.
>>>
>>> I was wondering what guidelines there are.
>>>
>>> From my point of view I'm thinking of using md5 passwords (it's a one-way
>>> function right?) in db. Is this a correct approach?
>>
>> What is it you want to protect against exactly?
>> If you want to avoid the man-in-the-middle eavesdropping on you: Then
>> you need https, as you described.
>>
>> If you are afraid the username/password you store in your database is
>> hacked somehow, then it can make sense to store them with an md5 hash,
>> which is one-way encryption indeed.
>> So that means you, as admin of the database, cannot tell what the
>> password is since you only see the md5 hash.
>> You can check of course if a provided password 'translates' to the
>> stored md5.
>>
>> Personally, I stopped storing my passwords with a md5 hash in database.
>> I figured that if somebody can enter my database at will, my site is
>> hopelessly cracked beyond repair anyway. ;-)
>>
>
> And what's your approach now? Clean passwords as text db fields?
Yes.
>
>>
>>>
>>> Then, if I'm permitted by the server admin I want to use https. Is it
>>> as simple as putting the login form in the httpdocs of the https
>>> server and when login is successful then I just set a session
>>> variable? Will I then be able to read this from a page under http?
>>
>> You have NO shared session between your http and https pages.
>> So if you need that, you must build that yourself somehow.
>> (You can propagate the sessionid from http to https via a form, and
>> let the receiving script use that sessionid for its https session. But
>> be careful and always remember that your client can set ANY value for
>> PHPSESSID easily). Always try to hack your own site with all the
>> knowledge you have about its internals.
>>
>
> What should look like what I have to build? Let's say you press "log
> in". It load the (https) login.php which finds out you are a user. Then?
> A header('http://example.org/loginnext.php?id=$userid') ??
> Is there a way not to pass id with GET but with POST without user
> submitting the form himself?
Well, I was assuming that both the http-domain AND the https domain were
on the same server.
If that is not the case, things will get more complicated, because
you'll have to build a system that uses a common session-storage for
different machines (using a database instead of serialized
session-array, which is default).
The important thing is (when using a common session storage place) to pass
around the sessionid.
e.g., from http to https:
<form action="https://www.example.com/myhttps.php" method="post">
<input type="hidden" name="httpsessid" value="GJHGA577FKJ98FGKJ3">
<input type="submit">
</form>
From www.example.com/myhttps.php you can now pick up the passed
httpsessid from $_POST["httpsessid"] and use that one to pick up the
session under that name.
There are a lot of ins and outs, depending on your server config, so be
sure you test everything you try.
I would advise you to first read through the relevant pages on php.net
so you have a firm understanding of how sessions work before building this.
Be sure how to name a session (PHPSESSID), how to overrule a name, when
sessions are autostarted, etc etc.
Good luck.
Regards,
Erwin Moller
>
> thanks
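Added example (editor's code, not code from anyone in this thread): the two pieces Erwin describes, a session store that both the http and the https side can reach (a PDO table, assumed to be called `sessions`) and the https-side script that picks up the id posted in the hidden `httpsessid` field and only resumes it if it names a session that already exists. It assumes PHP 8.1+; the function names `handoffForm` and `resumeSharedSession` are hypothetical.

```php
<?php
declare(strict_types=1);

// Session store both sides share. Requires PHP 8.1+ (typed returns, promoted ctor).
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private const TTL = 1800; // seconds a session stays valid after its last write

    public function __construct(private PDO $db) {}

    public static function createTable(PDO $db): void
    {
        // Assumed schema; works in SQLite and MySQL.
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id VARCHAR(128) PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data; // '' means "no such session"
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE INTO is understood by both SQLite and MySQL.
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires_at) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + self::TTL]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    // Consulted by PHP when session.use_strict_mode=1: only ids already present in
    // the store are accepted, so a value the client typed into the form is dropped.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires_at > ?');
        $stmt->execute([$id, time()]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

// http side: the hidden-field form from the post, with the live id HTML-escaped.
function handoffForm(string $httpsUrl): string
{
    return '<form action="' . htmlspecialchars($httpsUrl, ENT_QUOTES) . '" method="post">'
         . '<input type="hidden" name="httpsessid" value="'
         . htmlspecialchars(session_id(), ENT_QUOTES) . '">'
         . '<input type="submit"></form>';
}

// https side: returns true only if the posted id named a session that exists.
function resumeSharedSession(PDO $db, string $posted): bool
{
    // Reject anything outside the alphabet PHP itself uses for session ids.
    if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $posted)) {
        return false;
    }
    ini_set('session.use_strict_mode', '1');  // unknown id => fresh id, not adoption
    ini_set('session.cookie_secure', '1');    // from here on the cookie is https-only
    ini_set('session.cookie_httponly', '1');
    session_set_save_handler(new DbSessionHandler($db), true);
    session_id($posted);
    session_start();
    if (session_id() !== $posted) {
        return false; // strict mode replaced the unknown id with a new one
    }
    // The id travelled over plain http and sat in a page; retire it now.
    session_regenerate_id(true);
    return true;
}

// Usage sketch on the https side (the DSN is an assumption):
// $db = new PDO('sqlite:/var/lib/app/sessions.db');
// DbSessionHandler::createTable($db);
// $ok = resumeSharedSession($db, $_POST['httpsessid'] ?? '');
```

The check that matters is the one Erwin points at: the posted value is client-controlled, so the receiver validates its shape, lets strict mode refuse ids that are not already in the shared store, and regenerates the id as soon as it is on https, since the original id was visible to anyone who could read the http page or its traffic. `session_regenerate_id(true)` also deletes the old row, so the id in the hidden field cannot be replayed afterwards.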