Jump to content

Recommended Posts

hi

 

i have a limited php5 hosting plan and i want to create a secure login script which just displays a user id on the screen when they login.

 

so its as simple as

 

1: login

2: user id displayed

 

the user id is really important that its kept secret and no one can hack in and find out anothers user id

 

i am stuck on the best way to make a secure login script

 

ive looked around and seen injection examples such as

 

    Session Hijacking

    SQL Injections

    Cross Site Scripting
    Network Eavesdropping
    Brute Force Attacks

 

but i wonder what the best way is to cover all the above bases and anything that i might not have listed

 

i dont expect a script, all im looking for is some help on extra things i can do to secure and protect to the max

 

also, i wonder if you have any suggestions on the best way to secure my database and protect anyone from getting access and changing details

 

is it a good idea to store the user id on another server? to help extra protection?

 

thankyou

Link to comment
https://forums.phpfreaks.com/topic/286277-secure-php-login/
Share on other sites

Since you say security of the user ID is important, you'll for sure want to use SSL. From there, to make it easy for you, try one of the php frameworks that has built in authentication aka Auth. I wrote a codeigniter app called Community Auth a while back. It would be overkill, but would definitely work.

Link to comment
https://forums.phpfreaks.com/topic/286277-secure-php-login/#findComment-1469332
Share on other sites

Since you say security of the user ID is important, you'll for sure want to use SSL. From there, to make it easy for you, try one of the php frameworks that has built in authentication aka Auth. I wrote a codeigniter app called Community Auth a while back. It would be overkill, but would definitely work.

 

Thanks for the tip, any suggestion on who should supply the SSL?

 

Any ideas on others things mentioned?

Link to comment
https://forums.phpfreaks.com/topic/286277-secure-php-login/#findComment-1469351
Share on other sites

Verisign, Comodo, or your web host for the SSL. If you just want to learn about website authentication in general, you're doing the right thing. There's lots to learn.

 

Owasp: https://www.owasp.org/index.php/Authentication_Cheat_Sheet

 

Read this: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication

 

The thing is, it's fairly complicated to design your own authentication. You're not likely to get it right unless you have lots of time. I started working on mine about 5 years ago. It has evolved and had major changes multiple times. Looking back, v1 was an absolute mess. It has been very valuable though, because I've learned a lot, so I say do it.

Link to comment
https://forums.phpfreaks.com/topic/286277-secure-php-login/#findComment-1469397
Share on other sites

In addition to what's already been suggested you can add PHPIDS (www.phpids.org) to your application.

 

If you are able to install things on the server (VPS / Dedicated) you could also install

mod_security - detects and blocks suspicious requests. (Some of the core rules in mod_security is taken from PHPIDS)

mod_evasive - blocks automated tools (not 100% but at least it blocks 99% of the skids out there) 

Link to comment
https://forums.phpfreaks.com/topic/286277-secure-php-login/#findComment-1470225
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.