dweb Posted February 17, 2014 Share Posted February 17, 2014 hi i have a limited php5 hosting plan and i want to create a secure login script which just displays a user id on the screen when they login. so its as simple as 1: login 2: user id displayed the user id is really important that its kept secret and no one can hack in and find out anothers user id i am stuck on the best way to make a secure login script ive looked around and seen injection examples such as Session Hijacking SQL Injections Cross Site Scripting Network Eavesdropping Brute Force Attacks but i wonder what the best way is to cover all the above bases and anything that i might not have listed i dont expect a script, all im looking for is some help on extra things i can do to secure and protect to the max also, i wonder if you have any suggestions on the best way to secure my database and protect anyone from getting access and changing details is it a good idea to store the user id on another server? to help extra protection? thankyou Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted February 18, 2014 Share Posted February 18, 2014 Since you say security of the user ID is important, you'll for sure want to use SSL. From there, to make it easy for you, try one of the php frameworks that has built in authentication aka Auth. I wrote a codeigniter app called Community Auth a while back. It would be overkill, but would definitely work. Quote Link to comment Share on other sites More sharing options...
dweb Posted February 18, 2014 Author Share Posted February 18, 2014 Since you say security of the user ID is important, you'll for sure want to use SSL. From there, to make it easy for you, try one of the php frameworks that has built in authentication aka Auth. I wrote a codeigniter app called Community Auth a while back. It would be overkill, but would definitely work. Thanks for the tip, any suggestion on who should supply the SSL? Any ideas on others things mentioned? Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted February 18, 2014 Share Posted February 18, 2014 Verisign, Comodo, or your web host for the SSL. If you just want to learn about website authentication in general, you're doing the right thing. There's lots to learn. Owasp: https://www.owasp.org/index.php/Authentication_Cheat_Sheet Read this: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication The thing is, it's fairly complicated to design your own authentication. You're not likely to get it right unless you have lots of time. I started working on mine about 5 years ago. It has evolved and had major changes multiple times. Looking back, v1 was an absolute mess. It has been very valuable though, because I've learned a lot, so I say do it. Quote Link to comment Share on other sites More sharing options...
oaass Posted February 23, 2014 Share Posted February 23, 2014 In addition to what's already been suggested you can add PHPIDS (www.phpids.org) to your application. If you are able to install things on the server (VPS / Dedicated) you could also install mod_security - detects and blocks suspicious requests. (Some of the core rules in mod_security is taken from PHPIDS) mod_evasive - blocks automated tools (not 100% but at least it blocks 99% of the skids out there) Quote Link to comment Share on other sites More sharing options...
happypete Posted February 23, 2014 Share Posted February 23, 2014 If you are new to PHP you probably wont have the skills to code you own secure login. You your try one like this: http://www.php-login.net/ or at least look at the code to see how it is done. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.