Jump to content

Recommended Posts

[!--quoteo(post=353243:date=Mar 9 2006, 02:02 PM:name=cfemocha)--][div class=\'quotetop\']QUOTE(cfemocha @ Mar 9 2006, 02:02 PM) [snapback]353243[/snapback][/div][div class=\'quotemain\'][!--quotec--]
I've been creating login pages by matching its username and password with the database and just wondering how is secure log in form differ from the method I've been using?

How would I create a secure login/registration form?

any help is appreciated.
Thank you.
[/quote]

I would image that you would put the login pages on the https side of your server, so your login page might be [a href=\"https://www.yoursite.com/login.php\" target=\"_blank\"]https://www.yoursite.com/login.php[/a] as I believe everything that's done over https is encrypted.

The other problem you would have though, is that the data stored in the database wouldnt be encrypted, so you would probably need to find an encryption script to encrypt the password before it stores in the the database, then decrypt the password when someone tries to login.

So basically the https would mean the data transfered from the users browser to your server would be encrypted, and the password in the database would be encrypted also.
Link to comment
https://forums.phpfreaks.com/topic/4528-secure-log-in/#findComment-15772
Share on other sites

Thank you so much for the reply.
I might be asking silly questions here but I have my login page in [b]http[/b]://www.mysite.com/login.php NOT [b]https[/b], what do i need to do to have it move to https?
Also, if i encrypted all user data then does that mean I can't have a "remind password" function for users?

I see sometimes websites send out new generated passwords for users that forget their passwords instead of sending them their old ones, is this method more secure?
Link to comment
https://forums.phpfreaks.com/topic/4528-secure-log-in/#findComment-16067
Share on other sites

The method is indeed more secure.

Most sites with any security knowledge at all would be set up to hold the password in the database with an irreversible hashed value (using md5 / sha1 or some other encryption method). Yes these can be bruteforced or dictionary attacked but it's much safer than storing passwords in plain text.

Conveniently PHP has both an md5() and a sha1() function built in.

A new password has to be generated when a user has forgotten theirs as the one stored is hashed and cannot be decrypted.

The usual process for it is for the site to generate a new random password, email out a plain text version to the users stored email address, hash the password and insert it into the db.

You will have most likely noticed that the emails almost always reccomend that the user change their password once they have logged in with the newly generated once.
Link to comment
https://forums.phpfreaks.com/topic/4528-secure-log-in/#findComment-16069
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.