user login encryption philosophy
Posted 17 March 2006 - 08:47 PM
I have password protected pages on a site that will start a session once a correct username and password combination has been entered (these values are located in a mysql table). I am currently doing this:
1. Username and password are entered and compared with values in the MySQL table.
2. If they match, a session is started, and the username and password are encrypted and stored in the session.
3. By surfing to a different password protected page, the session data are retrieved and decrypted and compared with the values in the MySQL table. If they match, the page is included; if not, the login page is presented.
My questions are:
Is this the appropriate (and most secure) way to be using encryption for user authentication?
How do I go about storing (and accessing/including) the encryption key, and database accessing information off of a 'publicly' viewed place on the server?
Any thoughts, comments, suggestions, and links will be much appreciated. Thanks in advance.
Posted 18 March 2006 - 02:19 AM
Posted 18 March 2006 - 02:33 AM
Posted 18 March 2006 - 03:38 AM
What's the benefit of using cookies over using sessions?
Posted 18 March 2006 - 03:41 AM
// To set the var
$_SESSION['var'] = base64_encode('haaaaaxxxx!');
// To access
$var = base64_decode($_SESSION['var']);
Posted 18 March 2006 - 04:43 AM
[quote]
Well this goes pretty far as to hiding $_SESSION values
// To set the var
$_SESSION['var'] = base64_encode('haaaaaxxxx!');
// To access
$var = base64_decode($_SESSION['var']);
[/quote]
That is something similar to what I'm doing...my question was more geared towards the best theory of what to encrypt when. I think I have something figured out.
As for my other question, I've decided to password protect a directory using .htaccess and put the encryption key and database login info in that directory. Then I include the files using the file system location with:
If someone has other thoughts though, I am game. Thanks.
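Added example, not part of any post in this thread: one way to handle the login flow and the secrets question discussed above is to keep only a one-way password hash in the table and only the user ID in the session, so the session holds no password and needs no encryption key. The names app_users, login() and require_login() are hypothetical, an in-memory SQLite database stands in for the MySQL table so the script runs offline, and the config path in the comment is a placeholder.

```php
<?php
// Added example; app_users, login() and require_login() are hypothetical names.
// Assumption: in-memory SQLite replaces the thread's MySQL table so this runs offline.
// In deployment, read DB credentials from a file outside the document root, e.g.
//   $cfg = require '/path/outside/docroot/config.php';   // placeholder path
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE app_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');

// Constructed sample account: the table stores a salted one-way hash, never the password.
$ins = $db->prepare('INSERT INTO app_users (username, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $db, string $user, string $pass): bool
{
    $q = $db->prepare('SELECT id, pw_hash FROM app_users WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pw_hash'])) {
        return false;                      // same result for unknown user and bad password
    }
    session_regenerate_id(true);           // fresh session ID once the user is authenticated
    $_SESSION['uid'] = (int) $row['id'];   // identifier only: no password, no key
    return true;
}

function require_login(PDO $db): ?array
{
    if (!isset($_SESSION['uid'])) {
        return null;                       // caller presents the login page
    }
    // Re-check that the account still exists on every protected page.
    $q = $db->prepare('SELECT id, username FROM app_users WHERE id = ?');
    $q->execute([$_SESSION['uid']]);
    return $q->fetch(PDO::FETCH_ASSOC) ?: null;
}

session_start();                           // must run before any output is sent
$rejected = login($db, 'alice', 'wrong guess');
$anonymous = require_login($db);           // still null: nothing was stored in the session
$accepted = login($db, 'alice', 'correct horse');
$current = require_login($db);
var_dump($rejected, $anonymous, $accepted, $current['username'] ?? null);
```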