cfemocha, Posted March 9, 2006

I've been creating login pages by matching the username and password with the database, and I'm just wondering how a secure login form differs from the method I've been using? How would I create a secure login/registration form? Any help is appreciated. Thank you.
littlened, Posted March 9, 2006

> cfemocha @ Mar 9 2006, 02:02 PM:
> I've been creating login pages by matching the username and password with the database, and I'm just wondering how a secure login form differs from the method I've been using? How would I create a secure login/registration form? Any help is appreciated. Thank you.

I would imagine that you would put the login pages on the https side of your server, so your login page might be https://www.yoursite.com/login.php, as I believe everything that's done over https is encrypted. The other problem you would have, though, is that the data stored in the database wouldn't be encrypted, so you would probably need to find an encryption script to encrypt the password before it is stored in the database, then decrypt the password when someone tries to log in. So basically the https would mean the data transferred from the user's browser to your server would be encrypted, and the password in the database would be encrypted also.
cfemocha (Author), Posted March 10, 2006

Thank you so much for the reply. I might be asking silly questions here, but I have my login page at http://www.mysite.com/login.php, NOT https. What do I need to do to move it to https? Also, if I encrypted all user data, then does that mean I can't have a "remind password" function for users? I see that sometimes websites send out newly generated passwords for users that forget their passwords instead of sending them their old ones. Is this method more secure?
lessthanthree, Posted March 10, 2006

The method is indeed more secure. Most sites with any security knowledge at all would be set up to hold the password in the database as an irreversible hashed value (using md5 / sha1 or some other encryption method). Yes, these can be brute-forced or dictionary attacked, but it's much safer than storing passwords in plain text. Conveniently, PHP has both an md5() and a sha1() function built in. A new password has to be generated when a user has forgotten theirs, as the one stored is hashed and cannot be decrypted. The usual process is for the site to generate a new random password, email a plain text version to the user's stored email address, hash the password and insert it into the db. You will most likely have noticed that the emails almost always recommend that the user change their password once they have logged in with the newly generated one.
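The register / login / forgotten-password flow described in the reply above, as an added example that is not code from anyone in this thread. It swaps the bare md5()/sha1() mentioned in the post for PHP's salted, slow password_hash()/password_verify(); the $users array is a constructed stand-in for the database table, and sendResetMail() is a hypothetical stub for the email step.

```php
<?php
// Added example: in-memory stand-in for the users table (constructed data).
$users = [];

function registerUser(array &$users, string $name, string $password, string $email): void
{
    // Only the salted hash reaches storage; the plaintext password is never kept.
    $users[$name] = [
        'hash'  => password_hash($password, PASSWORD_DEFAULT),
        'email' => $email,
    ];
}

function loginUser(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    // password_verify() re-hashes the submitted password with the stored salt
    // and compares in constant time; the stored value is never "decrypted".
    return password_verify($password, $users[$name]['hash']);
}

// Forgotten-password flow from the thread: the hash cannot be reversed, so a
// fresh random password is generated, its hash stored, and the plaintext mailed.
function resetPassword(array &$users, string $name): ?string
{
    if (!isset($users[$name])) {
        return null;
    }
    $temporary = bin2hex(random_bytes(8)); // 16 hex chars from the CSPRNG
    $users[$name]['hash'] = password_hash($temporary, PASSWORD_DEFAULT);
    sendResetMail($users[$name]['email'], $temporary); // hypothetical stub
    return $temporary;
}

function sendResetMail(string $to, string $temporary): void
{
    // Hypothetical stand-in for mail(); the message should ask the user to
    // change this temporary password once they have logged in with it.
    echo "To: $to\nYour temporary password is: $temporary\n";
}

// Walk-through with constructed values.
registerUser($users, 'alice', 'correct horse battery staple', 'alice@example.com');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
$temporary = resetPassword($users, 'alice');
var_dump(loginUser($users, 'alice', $temporary));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
```

After the reset the old password no longer verifies, because the stored hash was replaced rather than recovered.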