Chud37, posted January 19, 2012:

Hello, I just wanted some tips really and what people thought on the subject. For a lot of my PHP applications I create a user control panel to manage the back end SQL databases. However, these have to be hosted on the server and therefore I was thinking that they probably are not that secure.

As far as I secure them so far I use a password system, sometimes with usernames and passwords; that is then taken through a form via POST method and then verified that way. I am completely aware this is not that secure at all, so I want to up my game.

I was thinking that maybe password protected directories would help? However, last time I used them I was being asked for the username/password every time I submitted a form, which wasn't convenient. And what about session variables to store the user info/data/verify login? Is that secure enough?

Please help! Thanks! ~Chud37

scootstah, posted January 19, 2012:

I'm not sure I follow. Are you storing the username and password in a php file?

Chud37, posted January 20, 2012:

No, I'm just asking for the most secure way of doing it; I'm not asking for help on how I'm doing it at all. But what is the general consensus out there for creating secure logins on PHP applications? How do others do it?

scootstah, posted January 20, 2012:

With a database, using hashed passwords with salts.

Chud37, posted January 20, 2012:

Alright, hash passwords are good and all. But what about the actual login process? Are sessions acceptable, or is there another method?

RobertP, posted January 21, 2012:

PHP sessions should not store more than a key. This key should then be used on every page load to fetch the required page information from a database: MySQL, SQLite, etc. If somehow your sessions directory is compromised, then there is no data leaked that should not be.

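Added example, not part of any post in this thread: a sketch of the approach the replies describe, with salted password hashes in a database and a session that holds only a user id, resolved against the database on every page load. It assumes PHP 7.3+ with PDO SQLite; the table layout, function names and sample credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table stands in for the real user store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, pw_hash, is_admin) VALUES (?, ?, ?)');
// password_hash() generates a random salt per password and embeds it in the stored string.
$ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT), 1]);

// Keep the session cookie away from scripts and plain-HTTP requests.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Verify credentials; on success the session receives the user id and nothing else.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One return value for unknown user and wrong password, so the caller cannot tell which failed.
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // fresh session id once the user is authenticated
    $_SESSION = ['uid' => (int) $row['id']];  // the key only: no username, hash or role
    return true;
}

// Called on every page load: resolve the session key against the database.
function current_user(PDO $db): ?array
{
    if (!isset($_SESSION['uid'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['uid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;      // a deleted account invalidates the session
}

// Demo: results are collected first because session ids cannot be regenerated after output starts.
$bad    = login($db, 'admin', 'wrong password');
$before = current_user($db);
$ok     = login($db, 'admin', 'correct horse battery staple');
$after  = current_user($db);
var_dump($bad, $before, $ok, $after);
```

Because roles and profile data are read from the database on each request, revoking an account or a privilege takes effect on the next page load rather than when the session expires.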