Security?

[the_oliver]

Hi,

 

I realize this is a topic that people ask regualy, but i read a particular solution a while ago, but cant find it!

 

I want to make a site as 'secure as possible'!  At present i have a login comparing to a database, using md5 passwords.  It is also connected to using SSL.

 

The solution i saw i think involved a cookie changing every time a new page was requested, or something along those lines.  Does this sound like a good solution, or is there a better?  How would i go about doing this?

 

Many Thanks.

[dooper3]

If you are using an apache server with the mod_rewrite module you can use it to convert php requests and other page requests to search engine friendly URLs and also hide the file extension (like .php) at the same time from potential hackers, so yoursite.com/viewprofile.php?id=17 could be changed to yoursite.com/profiles/17 or anything you want really! Just google mod_rewrite to find tutorials on it.

[the_oliver]

good ideas.  Thanks.  But what about athenticating the user etc....

[Balmung-San]

For user authentication, there's not much you can really do that I can think of. You'd want to run the login over HTTPS. As well, make sure you check that you're using HTTPS in the page that does the actual login work. A check to $_SERVER['HTTPS'] would allow you to do that. Mkae sure it's the first thing you do, and exit out right afterwards.

 

As well, the best way to secure your actual script is to use the paranoia model. Assume that all users are out to destroy, disrupt, exploit, etc. No exceptions.