Jump to content

Recommended Posts

I wanted to create a simpe secured login form. after hours of googling i found tat using these will help

1.PDO statements.

2.session_hijackin soultions

3.password protection with salt

 

My questions...

1.what else more should i add??

2.i want to know if i want to use ajax here, will that make my site less-secured? if so, how do i use send data to check to db via ajax in a secured way??

 

 

Help plssss........... huge, loads of thanks in advances...

Link to comment
https://forums.phpfreaks.com/topic/274772-php-secured-login-form-ajax/
Share on other sites

For clarification on what each process that you stated actually is for:

 

1. PDO prepared statements eliminate the need to sanitize user input before using it in a statment since the driver does this for you. (Takes care of SQL injection).

 

2. Do not store sensitive data in sessions, I usually only store a hashed unique user id in a session which I use to get all the necessary user data from a database.

 

3. Adding salts to hashing algorithms makes it very difficult for someone trying to gain access to the original data using a brute force or rainbow table method.

 

Validation should always be executed on the server primarily. It is suitable to have javascript validation only as an added layer on top of server side validation. If you rely solely on javascript to perform validation, a user can simply disable javascript on their machine, thus disabling your validation handling.

  • Like 1

This one is a massive topic. Just to extend upon what AK has said:

 

2. Another point worth mentioning here would be that storing other information when a user successfully logs in can protect against session hijacking such as IP and browser information. These come with their limitations and it'll never be full proof due to HTTP connections being stateless ( request -> response done ). Anyway, you could store the logged in users IP then compare this IP every time the user visits a secure page, this will prevent session hijacking, but if it happens in the same building behind NAT you're screwed.

 

3. I'm not sure how salts prevent brute force I'll have to look into that one, however, they certainly prevent rainbow table I've read that somewhere before. Essentially, with salts you're protecting users passwords if your security is compromised and allowed some naught boy/girl access to your users passwords.

 

Another thing to bear in mind is CSRF. Without some mechanism in place to verify that the AJAX request was indeed sent from a page on your server it would leave the login entry point open to brute force attacks. Normally this can be plugged with some random string imbedded into a hidden field which is submitted with the username and password.

 

If you're really concerned about security then one of the simplest solutions is to implement an SSL cert so all requests run over HTTPS, man in the middle see ya later.

 

Hope that helps

Edited by exeTrix
  • Like 1
  • 2 years later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.