caster001 Posted November 23, 2006

Hi Everyone,

I was hoping to get some feedback on how secure this method might be for a login.

I have the user log in with the username and password, then that gets checked against md5 encrypted data on a database; if true, store the session_id in the database, then store that username and password in the session, then every time on a user page compare the session data with the database stuff and if not true, then return the person to the login, destroying that session, all working under a constant URL checker to make sure the page is hitting the "https" address for the page encryption...

What's everyone's thoughts?

CheesierAngel Posted November 23, 2006

I wouldn't store the username and password in the session but instead only the userId (or even a combination of userId and sessionId).

This way you can check with your database whether the user is logged in or out.
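
An added example, not code from this thread: one way to implement the advice above in PHP, keeping only the user id in the session and tying it to the current session id stored (hashed) in the database. The `users` table, its column names and the sample account are assumptions, and `password_hash()` stands in for the MD5 check the original post describes.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                               pass_hash TEXT, session_hash TEXT)');
$db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

function login(PDO $db, string $name, string $password): bool
{
    $st = $db->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pass_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh session id once authenticated
    $_SESSION = ['uid' => (int) $row['id']]; // the id only, no username or password
    $db->prepare('UPDATE users SET session_hash = ? WHERE id = ?')
       ->execute([hash('sha256', session_id()), $row['id']]);
    return true;
}

// Run on every user page: the session's uid must map to this session id in the database.
function current_user_id(PDO $db): ?int
{
    if (!isset($_SESSION['uid'])) {
        return null;
    }
    $st = $db->prepare('SELECT session_hash FROM users WHERE id = ?');
    $st->execute([$_SESSION['uid']]);
    $stored = $st->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', session_id()))) {
        $_SESSION = [];
        session_destroy();                   // mismatch: drop the session, back to login
        return null;
    }
    return $_SESSION['uid'];
}

session_start();
$rejected = login($db, 'alice', 'wrong-password');
$accepted = login($db, 'alice', 'constructed-sample-pw');
$uid = current_user_id($db);
var_dump($rejected, $accepted, $uid);
```

Results are collected and printed at the end because `session_regenerate_id()` must run before any output is sent.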

caster001 Posted November 23, 2006

cool, so.. bad idea on the session username and password, but can't someone spoof the userid or the session_id.. or is that not a problem since it would be kept in the database?

ataria Posted November 23, 2006

> cool, so.. bad idea on the session username and password, but can't someone spoof the userid or the session_id.. or is that not a problem since it would be kept in the database?

put the password in it as well.

and, on every page.. do a check to see if the uid has that password.

say, user 1, password = joke.

if they change the cookie to user '2' and you do the check, it won't match up. [unless they have the same password, but, low chance]

caster001 Posted November 23, 2006

Alright, I think I get that.

just quickly clarifying on this, I haven't as yet looked into cookies, just the whole session deal... I know they're not the same, but just with the session_id and user_id being unique... do I have to necessarily do anything with cookies... or yes I do and I'm just being a lazy twat and should learn about cookies anyway?

ataria Posted November 23, 2006

Personally. I like cookies.

I think they're easier to use, and you know they are always going to be there [unless the user deletes it]

There is nothing harmful with having it..

And, if you want to protect it from CGers (getting the username and password in one shot), you can simply make another column 'checkid', md5 it, and use that instead of the password.

CheesierAngel Posted November 23, 2006

Cookies are not as reliable as they look.

There are a lot of browsers that do not allow the use of cookies, for example.

caster001 Posted November 23, 2006

(in ref to CheesierAngel's post: yeah, I considered the whole cookie browser compatibility, all the stuff like that, but I think I might go with sessions for now, but I like how php works, so no doubt I'll have to learn it eventually... sooner rather than later)

you're going to have to forgive me for being a bit... well, empty headed on this one, but, when you say... create another column.. do you mean in the database, and checkid, there's a command for that.. or you're just recommending what I should call it?

Lol, sorry.. still learning :D

ataria Posted November 23, 2006

> but, when you say... create another column.. do you mean in the database, and checkid, there's a command for that.. or you're just recommending what I should call it?

In the database, and, a recommendation.

caster001 Posted November 23, 2006

awesome.. thanks :)

This topic is now archived and is closed to further replies.