what is the best technique to secure a restricted area ??

[ameenov]

Hi all
I'm using ths sessions to protect my restricted area ..
My technique is:
1- make login page ..
2- check the username and the password inputed by the user against the username and the hashed password in the database .. if they are not the same go back to the login page if they are the same SET sessions with the userid and username ..

and if I wanted to protect a page I will do this in the page

Code: Select all

if (isset($_SESSION['userid'])) {

/// show the content of the page
}
else {
/// go to login page
}

Is that technique safe enough?
I was told that it is not safe in if you are using shared host!!

Can anyone suggest me the best secure technique I can use?

[php-vikas]

It may be better techinc then SESSION to protect data, but I dose not heared about it so I will vote for SESSION.

[ruturajv]

in a shared host... hmm
best way is to send your passwords over http as md5, and then check the md5 for match..
and only then set the session, further, you can set a cookie of some IP+UserAgent hash and cross check it everytime with the session

[ameenov]

Hi again
php-vikas & ruturajv thank you for your response..

It may be better techinc then SESSION to protect data, but I dose not heared about it so I will vote for SESSION.

For sure I'm going to use SESSION since I'm using it to protect an adin area.
What do you mean of (protect data)?

----------------------------------------------

in a shared host... hmm
best way is to send your passwords over http as md5, and then check the md5 for match..
and only then set the session, further, you can set a cookie of some IP+UserAgent hash and cross check it everytime with the session

About SESSIONS and the shared host
http://phpsec.org/projects/guide/5.html

How can I send my password over http as md5 since I using a form to let users to login? can you explain your point more?
I liked the idea of saving the IP+UserAgent and cross check it everytime with the session.

Still waiting for more information about the best technique to handle sessions and secure it ..

[php-vikas]

Hi ameenov,


By md5 rururaj means that whenever you store the password entered by the user at the time of registration in the database, dont store it as entered by the user while store the md5 value of the password entered by the user. md5 value is always 32 character long string.

Suppose user entered 'vikas' as password then password stored in the database would be like 'fdjfhjfhdjfhd4783857485gjjkfgf' if you use md5 function on password field before inserting it into the database.

Now when user would login into the database if would use the same password as entered by him 'vikas' but when you check it in the database you will check the md5 value of 'vikas' not the 'vikas'.

I hope I am able to clarify you.

[Ben]

Hey guys,
in my opinion a session based login system is a nice and secure way to ensure that the protected area is save.

You have to think about the problem that occurs if the client does not accept cookies or the session.use-cookies is set to "0". Then the session id is added to the URI. If an user bookmarks such an URI it is possible that another user on the same system can reach the protected area by calling the bookmarked page within the session.gc_maxlifetime.

Hm. With guarantee but I think that this is correct. If there is an error in my posting, please correct me.

I use this login system (with some more security controls):
--> http://forum.developers-guide.net/showthread.php?t=54#2

It is an german tutorial, but the linked posting just displays the complete code.

Maybe someone can use this as a base to develop an own and maybe better one ;).
If you find errors, security issues or something in this direction .. please do not wait to tell me about.

Nice discussion. Don't stop

Regards, Ben.

[ameenov]

I want to edit this post.. but I can't

[ameenov]

I was trying to post from almost a week but I couldn't!
Now, I realized why ?!!
It is because I wrote a code to show it to you.. but it doesn't accept.
and showes me an erorr message (The post mode not specified)..

any when why I upload the code and you can download it..

Hi ameenov,


By md5 rururaj means that whenever you store the password entered by the user at the time of registration in the database, dont store it as entered by the user while store the md5 value of the password entered by the user. md5 value is always 32 character long string.

Suppose user entered 'vikas' as password then password stored in the database would be like 'fdjfhjfhdjfhd4783857485gjjkfgf' if you use md5 function on password field before inserting it into the database.

Now when user would login into the database if would use the same password as entered by him 'vikas' but when you check it in the database you will check the md5 value of 'vikas' not the 'vikas'.

I hope I am able to clarify you.

Hi php-vikas again, thank you for your response ..
for sure it is clear to me right now, I got you point because I using the same idea in my scripts

Look to my code.. I'm already applying your point..

http://www.mailsam.com/ameen/reply.txt

[ameenov]

Hey guys,
in my opinion a session based login system is a nice and secure way to ensure that the protected area is save.

You have to think about the problem that occurs if the client does not accept cookies or the session.use-cookies is set to "0". Then the session id is added to the URI. If an user bookmarks such an URI it is possible that another user on the same system can reach the protected area by calling the bookmarked page within the session.gc_maxlifetime.

Hm. With guarantee but I think that this is correct. If there is an error in my posting, please correct me.

I use this login system (with some more security controls):
--> http://forum.developers-guide.net/showthread.php?t=54#2

It is an german tutorial, but the linked posting just displays the complete code.

Maybe someone can use this as a base to develop an own and maybe better one ;).
If you find errors, security issues or something in this direction .. please do not wait to tell me about.

Nice discussion. Don't stop

Regards, Ben.

Hi Ben,
I looked at the link and I understand the code very well.
Because I am using the same technique ..
I can tell it is a very easy and most used by many programmers but I don't think it is very professional.
That's why i'm asking for a better technique.