klitscher Posted March 17, 2006

I have read and am using the code in the PHP Freaks Tutorial on using mcrypt to encrypt and decrypt strings. I have a couple of questions on the philosophy of encryption. I have password protected pages on a site that will start a session once a correct username and password combination has been entered (these values are located in a mysql table). I am currently doing this:

1. username and password are entered and compared with values in mysql table
2. If they match, a session is started, and the username and password are encrypted and stored in the session
3. by surfing to a different password protected page, the session data are retrieved and decrypted and compared with the values in the mysql table. If they match, the page is included, if not, the login page is presented.

My questions are:

Is this the appropriate (and most secure) way to be using encryption for user authentication?

How do I go about storing (and accessing/including) the encryption key, and database accessing information off of a 'publicly' viewed place on the server?

Any thoughts, comments, suggestions, and links will be much appreciated. Thanks in advance.

Ken
klitscher Posted March 18, 2006 (Author)

Does anyone have any suggestions on what to do, or can lead me somewhere else to get help? Thanks.

Ken
cerin Posted March 18, 2006

You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.
klitscher Posted March 18, 2006 (Author)

[quote=cerin @ Mar 17 2006, 07:33 PM]You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.[/quote]

What's the benefit of using cookies over using sessions?
High_-_Tek Posted March 18, 2006

Well this goes pretty far as to hiding $_SESSION values

[code]
// To set the var
$_SESSION['var'] = base64_encode('haaaaaxxxx!');

// To Access
$var = base64_decode($_SESSION['var']);
[/code]
klitscher Posted March 18, 2006 (Author)

[quote=High_-_Tek @ Mar 17 2006, 08:41 PM]Well this goes pretty far as to hiding $_SESSION values

[code]
// To set the var
$_SESSION['var'] = base64_encode('haaaaaxxxx!');

// To Access
$var = base64_decode($_SESSION['var']);
[/code][/quote]

Thanks High_-_Tek. That is something similar to what I'm doing...my question was more geared towards the best theory of what to encrypt when. I think I have something figured out.

As for my other question, I've decided to password protect a directory using .htaccess and put the encryption key and database login info in that directory. Then I include the files using the file system location with:

[code]
require_once("/home/username/public_html/private/encrypt.php");
[/code]

If someone has other thoughts though, I am game. Thanks.
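The three-step login/session flow and the "secrets loaded by file-system path" idea from this thread, written out as an added example (not code from any poster or from the PHP Freaks tutorial). It goes beyond the original in two respects: the session holds only the user's id, since $_SESSION data stays on the server and never needs to be encrypted for transport, and the credentials file sits outside public_html entirely rather than in an .htaccess-protected subdirectory. The paths /home/username/private/secrets.php and /login.php, the table `users` and its columns `id`, `username`, `password_hash` are assumptions.

```php
<?php
// Added example: login and protected-page check using PHP sessions.
// Assumed layout: /home/username/private/secrets.php (outside the web root)
// returns ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => '...', 'pass' => '...'].
declare(strict_types=1);

$secrets = require '/home/username/private/secrets.php';
$db = new PDO($secrets['dsn'], $secrets['user'], $secrets['pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Steps 1 and 2: compare the submitted credentials with the users table
// (passwords stored as password_hash() output) and start a session on match.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    startSession();
    session_regenerate_id(true);             // fresh session id after login
    $_SESSION['user_id'] = (int) $row['id']; // only the id is kept server-side
    return true;
}

// Step 3: on every protected page, check the session against the table and
// present the login page when there is no valid logged-in user.
function requireLogin(PDO $db): array
{
    startSession();
    if (isset($_SESSION['user_id'])) {
        $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
        $stmt->execute([$_SESSION['user_id']]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($user !== false) {
            return $user;                    // page may now be included
        }
        session_destroy();                   // account gone since login
    }
    header('Location: /login.php');
    exit;
}
```

A protected page calls `$user = requireLogin($db);` before any output; the login form handler calls `login($db, $_POST['username'], $_POST['password'])` and redirects on success.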