PHP_CHILD Posted February 21, 2013

I wanted to create a simple secured login form. After hours of googling I found that using these will help: 1. PDO statements. 2. Session hijacking solutions. 3. Password protection with salt. My questions: 1. What else should I add? 2. I want to know, if I want to use AJAX here, will that make my site less secured? If so, how do I send data to check against the DB via AJAX in a secured way? Help please. Huge, loads of thanks in advance.
AyKay47 Posted February 21, 2013

For clarification on what each process that you stated actually is for: 1. PDO prepared statements eliminate the need to sanitize user input before using it in a statement since the driver does this for you (takes care of SQL injection). 2. Do not store sensitive data in sessions; I usually only store a hashed unique user id in a session, which I use to get all the necessary user data from a database. 3. Adding salts to hashing algorithms makes it very difficult for someone trying to gain access to the original data using a brute force or rainbow table method. Validation should always be executed on the server primarily. It is suitable to have JavaScript validation only as an added layer on top of server-side validation. If you rely solely on JavaScript to perform validation, a user can simply disable JavaScript on their machine, thus disabling your validation handling.
exeTrix Posted February 21, 2013 (edited)

This one is a massive topic. Just to extend upon what AK has said: 2. Another point worth mentioning here would be that storing other information when a user successfully logs in, such as IP and browser information, can protect against session hijacking. These come with their limitations and it'll never be foolproof due to HTTP connections being stateless (request -> response, done). Anyway, you could store the logged-in user's IP, then compare this IP every time the user visits a secure page; this will prevent session hijacking, but if it happens in the same building behind NAT you're screwed. 3. I'm not sure how salts prevent brute force, I'll have to look into that one; however, they certainly prevent rainbow tables, I've read that somewhere before. Essentially, with salts you're protecting users' passwords if your security is compromised and allowed some naughty boy/girl access to your users' passwords. Another thing to bear in mind is CSRF. Without some mechanism in place to verify that the AJAX request was indeed sent from a page on your server, it would leave the login entry point open to brute force attacks. Normally this can be plugged with some random string embedded into a hidden field which is submitted with the username and password. If you're really concerned about security then one of the simplest solutions is to implement an SSL cert so all requests run over HTTPS; man in the middle, see ya later. Hope that helps.

Edited February 21, 2013 by exeTrix
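An added example, not code from any poster in this thread, that puts AyKay47's and exeTrix's points together in one PHP login handler for an AJAX form: a PDO prepared statement, password_verify() against a per-user salted bcrypt hash, a CSRF token the request must echo back from a hidden field, and a session that stores only the user id and is bound to the browser's user agent. It assumes PHP 7+, a `users` table with `id`, `username` and `password_hash` columns, and the DSN and credentials shown.

```php
<?php
// Added example (not from the thread). Assumed DSN, credentials and schema.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// On the first visit issue a per-session CSRF token; the login page embeds it
// in a hidden field and the AJAX POST must send it back as csrf_token.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function login(PDO $pdo, array $post): bool
{
    // CSRF check: the submitted token must match the one issued to this session
    // (hash_equals avoids leaking the comparison result through timing).
    if (!isset($post['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    // Prepared statement: the username is bound, never interpolated into SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $post['username'] ?? '']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the per-user salt stored inside the bcrypt hash
    // that password_hash($plain, PASSWORD_DEFAULT) produced at registration.
    if ($row === false || !password_verify($post['password'] ?? '', $row['password_hash'])) {
        return false;
    }
    // Fresh session id after authentication (defeats session fixation), keep only
    // the user id in the session, and bind it to the user agent as a hijack check
    // that later pages compare against before trusting user_id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // rotate the token after use
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    echo json_encode(['ok' => login($pdo, $_POST)]);
}
```

Serving this only over HTTPS, as exeTrix suggests, keeps the token and credentials off the wire in the clear; the same-response-for-every-failure shape above also avoids telling a caller whether the username or the password was wrong.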
nfaaiq Posted May 3, 2015

Please read for secure ajax login. http://www.scriptut.com/php/ajax-login-password-encryption/