php-forum :: PHP & MySQL Security
What is the best technique to secure a restricted area?


Postby ameenov » Thu Nov 24, 2005 7:18 am

Hi all
I'm using sessions to protect my restricted area ..
My technique is:
1- make a login page ..
2- check the username and the password entered by the user against the username and the hashed password in the database .. if they are not the same go back to the login page; if they are the same SET sessions with the userid and username ..

and if I want to protect a page I do this in the page

Code:
<?php
session_start();                  // must be called before $_SESSION is read

if (isset($_SESSION['userid'])) {
    /// show the content of the page
} else {
    /// go to login page
    header('Location: login.php');
    exit;                         // stop here, otherwise the rest of the page is still sent
}


Is that technique safe enough?
I was told that it is not safe if you are using a shared host!!

Can anyone suggest the most secure technique I can use?
Last edited by ameenov on Fri Nov 25, 2005 4:50 am, edited 2 times in total.
ameenov
New php-forum User
Posts: 70
Joined: Mon Jun 13, 2005 2:03 am
Location: Bahrain
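A hardened version of the pattern in the post above, written as an added example for this page; it is not ameenov's code. It assumes PHP 7.4 or later, a PDO connection in $pdo, a users table with columns id, username and password_hash (holding password_hash() output), a /login.php page, and that the session transport settings (cookie-only session IDs, HttpOnly cookies) are configured in php.ini. The two things the original snippet is missing are session_regenerate_id() after a successful login, so a session ID the attacker knew before login (session fixation) never becomes the authenticated one, and exit after the redirect header, without which the protected content below the check is still sent to the client.

```php
<?php
// Added example, not code from the original thread. Assumes: PHP >= 7.4,
// $pdo is a PDO connection, table users(id, username, password_hash)
// where password_hash holds password_hash() output, and /login.php exists.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 30 * 60;   // seconds of inactivity; assumed policy value

// Protected pages call this first, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ok = isset($_SESSION['userid'], $_SESSION['last_seen'])
        && is_int($_SESSION['userid'])
        && (time() - $_SESSION['last_seen']) <= SESSION_IDLE_LIMIT;
    if (!$ok) {
        header('Location: /login.php', true, 303);
        exit;   // without exit the protected content below is still sent
    }
    $_SESSION['last_seen'] = time();
}

// Login handler: verify the password, then issue a fresh session ID.
function login(PDO $pdo, string $username, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even for unknown users, so the response
    // time does not reveal which usernames exist.
    $hash = $row ? (string) $row['password_hash'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }

    // New ID on privilege change: an ID planted before login (session
    // fixation) is not the one that is now authenticated. true = delete old file.
    session_regenerate_id(true);
    $_SESSION['userid']    = (int) $row['id'];
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();
    return true;
}

// Logout: clear server-side data and expire the cookie on the client.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The prepared statement is what keeps the username lookup free of SQL injection; the dummy password_hash() call on an unknown user keeps the failure path roughly as slow as the success path.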

Postby php-vikas » Thu Nov 24, 2005 9:01 am

There may be a better technique than SESSION to protect data, but I have not heard about it, so I will vote for SESSION.
php-vikas
New php-forum User
Posts: 164
Joined: Mon Apr 14, 2003 12:25 am
Location: India

Postby ruturajv » Thu Nov 24, 2005 7:40 pm

in a shared host... hmm
the best way is to send your passwords over http as md5, and then check the md5 for a match..
and only then set the session. Further, you can set a cookie of some IP+UserAgent hash and cross-check it every time with the session
ruturajv
php-forum Super User
Posts: 1280
Joined: Sat Mar 22, 2003 9:42 am
Location: Mumbai, India
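Binding the session to a client fingerprint, as ruturajv suggests above, written out as an added example; this is not his code. Two practitioner notes on the post: the fingerprint belongs in $_SESSION on the server rather than in a cookie, because anything in a cookie is under the client's control and can simply be sent back unchanged; and an md5 of the password computed client-side and sent over plain HTTP is not a substitute for TLS, since anyone who can read the hash on the wire can replay it exactly as they would replay the password. The example uses only the User-Agent by default, with an optional /24 network prefix, because full client IPs change legitimately (mobile networks, proxies, NAT pools) and binding to them logs real users out. The secret is an assumed configuration value and the request arrays in demo() are constructed.

```php
<?php
// Added example, not code from the thread. The HMAC secret is assumed to come
// from configuration; demo() generates one only so the file runs stand-alone.
declare(strict_types=1);

function client_fingerprint(array $server, string $secret, bool $includeNetwork = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    $ip = $server['REMOTE_ADDR'] ?? '';
    if ($includeNetwork && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        // Coarse /24 prefix: tolerates most proxy-pool changes, still rejects a
        // stolen ID used from a clearly different network.
        $parts[] = implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    // HMAC so someone who knows the User-Agent cannot compute the stored value.
    return hash_hmac('sha256', implode("\n", $parts), $secret);
}

// Call once, right after a successful login (after session_regenerate_id()).
function bind_session_to_client(array $server, string $secret, bool $includeNetwork = false): void
{
    $_SESSION['fp'] = client_fingerprint($server, $secret, $includeNetwork);
}

// Call on every request to a protected page before trusting $_SESSION['userid'].
function session_matches_client(array $server, string $secret, bool $includeNetwork = false): bool
{
    if (!isset($_SESSION['fp']) || !is_string($_SESSION['fp'])) {
        return false;
    }
    // hash_equals: constant-time comparison of the two hex strings.
    return hash_equals($_SESSION['fp'], client_fingerprint($server, $secret, $includeNetwork));
}

// Stand-alone walk-through with constructed request data (no real session).
function demo(): array
{
    $secret = bin2hex(random_bytes(16));   // constructed; real code reads this from config
    $_SESSION = [];                        // stand-in for a started session
    $ua = 'Mozilla/5.0 (X11; Linux)';
    bind_session_to_client(['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.10'], $secret, true);

    return [
        'same_client'   => session_matches_client(['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.10'], $secret, true),  // true
        'same_network'  => session_matches_client(['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.77'], $secret, true),  // true
        'other_browser' => session_matches_client(['HTTP_USER_AGENT' => 'curl/8.0', 'REMOTE_ADDR' => '203.0.113.10'], $secret, true), // false
        'other_network' => session_matches_client(['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '198.51.100.5'], $secret, true),  // false
    ];
}
```

When the check fails, treat the session as untrusted (destroy it and send the user to the login page) rather than silently continuing; a User-Agent change mid-session is either a browser update, which costs the user one login, or a stolen session ID.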

Postby ameenov » Fri Nov 25, 2005 5:14 am

Hi again
php-vikas & ruturajv thank you for your response..

php-vikas wrote:There may be a better technique than SESSION to protect data, but I have not heard about it, so I will vote for SESSION.


For sure I'm going to use SESSION since I'm using it to protect an admin area.
What do you mean by (protect data)?

----------------------------------------------


ruturajv wrote:in a shared host... hmm
the best way is to send your passwords over http as md5, and then check the md5 for a match..
and only then set the session. Further, you can set a cookie of some IP+UserAgent hash and cross-check it every time with the session


About SESSIONS and the shared host
http://phpsec.org/projects/guide/5.html

How can I send my password over http as md5 since I am using a form to let users log in? Can you explain your point more?
I liked the idea of saving the IP+UserAgent and cross-checking it every time with the session. :)

Still waiting for more information about the best technique to handle sessions and secure it ..
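The shared-host concern behind the phpsec.org link above is that PHP's default file-based sessions live in a directory (typically /tmp) that every customer's scripts on the machine can read, so session data and valid session IDs are exposed to neighbours, and a neighbour's garbage collection can delete your session files as well. The usual fix is to keep sessions in your own database table through a custom save handler, so they sit behind your database credentials. The following is an added example for this page, not code from the thread or from the phpsec.org guide; it requires PHP 8.0 or later, and the sessions table schema and the demo() data are assumptions.

```php
<?php
// Added example for this page. Requires PHP >= 8.0. Assumed schema:
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, updated INTEGER)
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;   // '' means no such session
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE works on MySQL and SQLite; use INSERT ... ON CONFLICT elsewhere.
        $stmt = $this->pdo->prepare('REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // Needed for session.use_strict_mode with a user handler: PHP asks whether a
    // client-supplied ID exists before accepting it, so clients cannot choose IDs.
    public function validateId(string $id): bool
    {
        $stmt = $this->pdo->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->pdo->prepare('UPDATE sessions SET updated = ? WHERE id = ?')->execute([time(), $id]);
    }
}

// Register before session_start(); the handler is then used for every request.
function install_db_sessions(PDO $pdo): void
{
    ini_set('session.use_strict_mode', '1');
    session_set_save_handler(new PdoSessionHandler($pdo), true);
}

// Stand-alone check of the handler against an in-memory SQLite database.
function demo(): array
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, updated INTEGER)');
    $h = new PdoSessionHandler($pdo);
    $h->write('abc123', 'userid|i:7;');          // what PHP hands the handler: serialised session data
    return [
        'read_back'  => $h->read('abc123'),      // 'userid|i:7;'
        'unknown_id' => $h->validateId('zzz'),   // false
        'expired'    => $h->gc(-1),              // 1: cutoff is now+1s, so the row just written is removed
    ];
}
```

The session ID is the only thing the client presents, so the table's security rests on PHP generating it (session.use_strict_mode plus validateId()) and on the database credentials, not on file permissions in a shared directory.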

Postby php-vikas » Fri Nov 25, 2005 8:30 pm

Hi ameenov,


By md5, ruturajv means that whenever you store the password entered by the user at the time of registration in the database, don't store it as entered by the user but store the md5 value of the password entered by the user. An md5 value is always a 32-character-long string.

Suppose the user entered 'vikas' as the password; then the password stored in the database would be something like 'fdjfhjfhdjfhd4783857485gjjkfgf' if you use the md5 function on the password field before inserting it into the database.

Now when the user logs in he would use the same password as entered by him, 'vikas', but when you check it in the database you will check the md5 value of 'vikas', not 'vikas' itself.

I hope I was able to clarify it for you.
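The post above describes storing md5(password), which was common practice in 2005. As an added example (not php-vikas's code), here is the same check done with password_hash()/password_verify(), plus an upgrade path for rows that still hold md5 values. The reason to change: md5 is fast and unsalted, so two users with the same password get the same 32-hex-character hash, and a leaked table can be brute-forced offline at very high rates; bcrypt (PHP's PASSWORD_DEFAULT) adds a per-user salt and a tunable cost. The users table and its rows in demo() are constructed and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example, not php-vikas's code. Requires PHP >= 7.4 with PDO SQLite for
// the demo; the users table and its rows are constructed here.
declare(strict_types=1);

// md5() output is 32 hex characters, which is how a legacy row is recognised.
function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Returns the user id on success, null on failure. Legacy md5 rows are checked
// the old way once and rewritten with password_hash() on that login, so the
// migration completes as users log in, without forcing password resets.
function verify_and_upgrade(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = (string) $row['password_hash'];

    $ok = is_legacy_md5($stored)
        ? hash_equals($stored, md5($password))     // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }

    // Rehash if the row is legacy or if PASSWORD_DEFAULT's cost has moved on.
    if (is_legacy_md5($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
            ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

function demo(): array
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['vikas', md5('vikas')]);                                   // legacy row, as in the post
    $ins->execute(['ameen', password_hash('correct horse', PASSWORD_DEFAULT)]);

    $stored = fn(string $u): string => (string) $pdo->query(
        'SELECT password_hash FROM users WHERE username = ' . $pdo->quote($u))->fetchColumn();

    return [
        'legacy_login_ok' => verify_and_upgrade($pdo, 'vikas', 'vikas'),          // 1
        'row_upgraded'    => !is_legacy_md5($stored('vikas')),                    // true: now a bcrypt string
        'bcrypt_login_ok' => verify_and_upgrade($pdo, 'ameen', 'correct horse'),  // 2
        'wrong_password'  => verify_and_upgrade($pdo, 'ameen', 'wrong'),          // null
        'same_pw_differs' => password_hash('vikas', PASSWORD_DEFAULT) !== $stored('vikas'), // true: salted
    ];
}
```

The last entry in demo() is the visible difference from md5: hashing the same password twice gives two different strings, so an attacker who cracks one row learns nothing about other users with the same password.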

Postby Ben » Tue Nov 29, 2005 6:48 pm

Hey guys,
in my opinion a session based login system is a nice and secure way to ensure that the protected area is safe.

You have to think about the problem that occurs if the client does not accept cookies or session.use_cookies is set to "0". Then the session id is added to the URI. If a user bookmarks such a URI it is possible that another user on the same system can reach the protected area by calling the bookmarked page within session.gc_maxlifetime.

Hm. Without guarantee, but I think that this is correct. If there is an error in my posting, please correct me.

I use this login system (with some more security controls):
--> http://forum.developers-guide.net/showthread.php?t=54#2

It is a German tutorial, but the linked posting just displays the complete code.

Maybe someone can use this as a base to develop their own and maybe a better one ;).
If you find errors, security issues or something in this direction .. please do not hesitate to tell me about it.

Nice discussion. Don't stop :)

Regards, Ben.
Ben
New php-forum User
Posts: 41
Joined: Mon Jul 26, 2004 2:37 pm
Location: Remagen / Germany
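Ben's scenario above (session ID carried in the URI, then bookmarked or pasted and reused by someone else before garbage collection runs) is closed by configuration rather than by login code: session.use_only_cookies makes PHP ignore an ID in the query string, and session.use_trans_sid=0 stops PHP from rewriting links to carry it. This added example (not Ben's code, and not from his linked tutorial) collects those settings with the related cookie flags in a bootstrap function, and adds a check that the values actually took effect, because on a shared host ini_set() can be disabled or overridden for some directives. It assumes PHP 7.3 or later (for session.cookie_samesite) and a site served over HTTPS; the 30-minute idle limit is an assumed policy value. One more shared-host caveat on session.gc_maxlifetime: with the default file handler and a shared save_path, garbage collection triggered by any site on the machine deletes every session file older than that site's setting, so your own value neither protects nor reliably applies to you; a private save_path or your own session store is the remedy.

```php
<?php
// Added example, not Ben's code. Include before session_start(). The same
// directives can go in php.ini or .htaccess (php_value ...) where the host allows.
declare(strict_types=1);

const SESSION_SETTINGS = [
    'session.use_only_cookies' => '1',     // ignore ?PHPSESSID=... in the URL
    'session.use_trans_sid'    => '0',     // never rewrite links to carry the ID
    'session.use_strict_mode'  => '1',     // reject IDs the server never issued
    'session.cookie_httponly'  => '1',     // cookie not readable from JavaScript
    'session.cookie_secure'    => '1',     // only sent over HTTPS (assumes a TLS site)
    'session.cookie_samesite'  => 'Lax',   // not sent with cross-site POSTs
    'session.gc_maxlifetime'   => '1800',  // 30 minutes idle; assumed policy value
];

function configure_session(): void
{
    foreach (SESSION_SETTINGS as $key => $value) {
        ini_set($key, $value);
    }
}

// Verify the effective values and return the ones that did not take, so a
// host that blocks ini_set() or overrides a directive fails loudly, not silently.
function session_config_problems(): array
{
    // ini_get() may return '1'/'0', 'On'/'Off' or '' for booleans; normalise first.
    $norm = static function (string $v): string {
        $l = strtolower($v);
        if (in_array($l, ['1', 'on', 'true', 'yes'], true)) {
            return '1';
        }
        if (in_array($l, ['0', 'off', 'false', 'no', ''], true)) {
            return '0';
        }
        return $v;
    };

    $problems = [];
    foreach (SESSION_SETTINGS as $key => $want) {
        $have = (string) ini_get($key);
        if ($norm($have) !== $norm($want)) {
            $problems[$key] = $have;   // effective value that differs from the intended one
        }
    }
    return $problems;
}

// Usage at the top of every page, before any output:
//   configure_session();
//   if ($bad = session_config_problems()) { error_log('session config: ' . json_encode($bad)); }
//   session_start();
```

If session_config_problems() keeps reporting session.use_only_cookies or session.use_trans_sid on a given host, the setting is being forced by the host's php.ini and the remaining option is to ask the host or move the site; no amount of login-page code compensates for an ID that PHP itself accepts from the query string.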

Postby ameenov » Wed Nov 30, 2005 3:58 am

I want to edit this post.. but I can't

my reply attached

Postby ameenov » Wed Nov 30, 2005 10:23 pm

I was trying to post for almost a week but I couldn't!
Now I realize why ?!!
It is because I wrote some code to show it to you.. but it wasn't accepted,
and it showed me an error message (The post mode not specified)..

Anyway, that's why I uploaded the code and you can download it..


php-vikas wrote:Hi ameenov,


By md5, ruturajv means that whenever you store the password entered by the user at the time of registration in the database, don't store it as entered by the user but store the md5 value of the password entered by the user. An md5 value is always a 32-character-long string.

Suppose the user entered 'vikas' as the password; then the password stored in the database would be something like 'fdjfhjfhdjfhd4783857485gjjkfgf' if you use the md5 function on the password field before inserting it into the database.

Now when the user logs in he would use the same password as entered by him, 'vikas', but when you check it in the database you will check the md5 value of 'vikas', not 'vikas' itself.

I hope I was able to clarify it for you.



Hi php-vikas again, thank you for your response ..
For sure it is clear to me right now; I got your point because I am using the same idea in my scripts.

Look at my code.. I'm already applying your point..

http://www.mailsam.com/ameen/reply.txt

Postby ameenov » Sat Dec 03, 2005 1:41 am

Ben wrote:Hey guys,
in my opinion a session based login system is a nice and secure way to ensure that the protected area is safe.

You have to think about the problem that occurs if the client does not accept cookies or session.use_cookies is set to "0". Then the session id is added to the URI. If a user bookmarks such a URI it is possible that another user on the same system can reach the protected area by calling the bookmarked page within session.gc_maxlifetime.

Hm. Without guarantee, but I think that this is correct. If there is an error in my posting, please correct me.

I use this login system (with some more security controls):
--> http://forum.developers-guide.net/showthread.php?t=54#2

It is a German tutorial, but the linked posting just displays the complete code.

Maybe someone can use this as a base to develop their own and maybe a better one ;).
If you find errors, security issues or something in this direction .. please do not hesitate to tell me about it.

Nice discussion. Don't stop :)

Regards, Ben.


Hi Ben,
I looked at the link and I understand the code very well.
Because I am using the same technique ..
I can tell it is very easy and the most used by many programmers, but I don't think it is very professional.
That's why I'm asking for a better technique.
:)

