user login encryption philosophy


5 replies to this topic

#1 klitscher (Member, 14 posts)

Posted 17 March 2006 - 08:47 PM

I have read and am using the code in the PHP Freaks Tutorial on using mcrypt to encrypt and decrypt strings. I have a couple of questions on the philosophy of encryption.

I have password protected pages on a site that will start a session once a correct username and password combination has been entered (these values are located in a mysql table). I am currently doing this:

1. username and password are entered and compared with values in mysql table
2. If they match, a session is started, and the username and password are encrypted and stored in the session
3. by surfing to a different password protected page, the session data are retrieved and decrypted and compared with the values in the mysql table. If they match, the page is included, if not, the login page is presented.

My questions are:

Is this the appropriate (and most secure) way to be using encryption for user authentication?

How do I go about storing (and accessing/including) the encryption key, and database accessing information off of a 'publicly' viewed place on the server?

Any thoughts, comments, suggestions, and links will be much appreciated. Thanks in advance.

Ken
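The three-step flow described in this post, written out as an added example in modern PHP (this is not the poster's code and not the PHP Freaks tutorial code). It keeps the same structure, but swaps in one change at step 2: instead of encrypting the username and password and putting them in the session, it stores only the user id after a successful check, because PHP session data lives on the server and only the session id reaches the browser. Everything named here is an assumption for the sake of the example: a MySQL table `users` with columns `id`, `username`, `password_hash`; credentials loaded from a file at `/home/username/private/db.php` that returns an array; `/login.php` as the login page; PHP 7 or later for `password_hash()` and `declare(strict_types=1)`.

```php
<?php
// Added example, not the original poster's code. Implements the three-step
// flow from the post above with PHP's native sessions and password hashing.
// Assumptions (constructed for this example): a MySQL table `users` with
// columns id, username, password_hash; PHP 7 or later; DB credentials in
// /home/username/private/db.php, a file that returns
// ['dsn' => ..., 'user' => ..., 'pass' => ...] and sits outside public_html.
declare(strict_types=1);

session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $cfg = require '/home/username/private/db.php'; // assumed path
        $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }
    return $pdo;
}

// Account creation: the table stores a salted hash, never the password itself.
function createUser(string $username, string $password): void
{
    $stmt = db()->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Step 1: compare the submitted credentials with the table.
function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A missing row fails the same way as a wrong password, so the response
    // does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Step 2: bind the login to a brand-new session id (so an id handed to the
    // browser before login cannot be reused) and store only the user id,
    // not the credentials.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// Step 3: every protected page calls this instead of re-checking the password
// against the database. The session store is server-side, so the presence of
// user_id is the proof of login.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302); // assumed login page URL
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage in the login form handler:
// if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: /home.php'); exit; }
// Usage at the top of a protected page:
// $userId = requireLogin();
```

The reason the example drops the encryption step is worth spelling out. The browser only ever holds the session id cookie; the session contents stay in the server's session storage, so encrypting them with a key that is on the same server protects against nobody who could read them in the first place, while keeping the password in the session (encrypted or not) keeps the plaintext recoverable for the whole session lifetime. What does change the risk is the session id itself: `session_regenerate_id(true)` at login, and the `session.cookie_httponly` and `session.cookie_secure` ini settings so the cookie is not readable from script and is sent only over HTTPS. The database side of the same principle is `password_hash()` / `password_verify()`: the table holds a salted hash, and a dump of it does not yield the passwords.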

#2 klitscher (Member, 14 posts)

Posted 18 March 2006 - 02:19 AM

Does anyone have any suggestions on what to do, or can lead me somewhere else to get help? Thanks.

Ken

#3 cerin (Member, 16 posts)

Posted 18 March 2006 - 02:33 AM

You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.

#4 klitscher (Member, 14 posts)

Posted 18 March 2006 - 03:38 AM

> QUOTE (cerin @ Mar 17 2006, 07:33 PM)
> You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.

What's the benefit of using cookies over using sessions?



#5 High_-_Tek (Advanced Member, 72 posts)

Posted 18 March 2006 - 03:41 AM

Well this goes pretty far as to hiding $_SESSION values


// To set the var

$_SESSION['var']=base64_encode('haaaaaxxxx!');

// To Access

$var=base64_decode($_SESSION['var']);



#6 klitscher (Member, 14 posts)

Posted 18 March 2006 - 04:43 AM

> QUOTE (High_-_Tek @ Mar 17 2006, 08:41 PM)
> Well this goes pretty far as to hiding $_SESSION values
>
> // To set the var
>
> $_SESSION['var']=base64_encode('haaaaaxxxx!');
>
> // To Access
>
> $var=base64_decode($_SESSION['var']);

Thanks High_-_Tek.

That is something similar to what I'm doing...my question was more geared towards the best theory of what to encrypt when. I think I have something figured out.

As for my other question, I've decided to password protect a directory using .htaccess and put the encryption key and database login info in that directory. Then I include the files using the file system location with:

require_once("/home/username/public_html/private/encrypt.php"); 


If someone has other thoughts though, I am game. Thanks.
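An added example of what the credentials file loaded by `require_once` from a filesystem path could look like; it is not the poster's `encrypt.php`. It assumes the file lives at `/home/username/private/config.php`, one directory above `public_html` rather than inside it, so no URL maps to it at all, and adds an in-file guard as a second layer for the case where the file ends up under the document root anyway. The DSN and user name are constructed values, the password and key are placeholders, and PHP 7 or later is assumed.

```php
<?php
// Added example, not the original poster's code. A credentials file meant to
// be loaded by filesystem path with require, as in the post above. Assumed
// location: /home/username/private/config.php, one directory above
// public_html, so the web server has no URL that maps to it. The guard below
// is a second layer in case the file is ever copied under the document root.
// Values marked "constructed" or "placeholder" are not real. PHP 7+ assumed.

// Refuse to run when this file itself is the script the web server was asked
// for (a direct request for /private/config.php). When another script
// includes it, SCRIPT_FILENAME points at that other script, so the guard
// passes and the array below is returned to the caller.
if (PHP_SAPI !== 'cli'
    && isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) {
    http_response_code(404);
    exit;
}

return [
    'db' => [
        'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4', // constructed
        'user' => 'app_user',                                         // constructed
        'pass' => 'REPLACE_WITH_DB_PASSWORD',                         // placeholder
    ],
    // 32 random bytes for a 256-bit key, generated once with
    // base64_encode(random_bytes(32)) and pasted here; decoded on load so the
    // application code never handles the base64 form.
    'enc_key' => base64_decode('REPLACE_WITH_BASE64_KEY'),           // placeholder
];
```

A page under `public_html` picks the values up with `$config = require '/home/username/private/config.php';` (plain `require`, because `require_once` returns `true` rather than the array on any inclusion after the first). On the filesystem the file should be readable only by the user the PHP process runs as (`chmod 600`), so a local misconfiguration elsewhere on the host does not expose it. The directory password-protection chosen in the post works at the web-server layer; the equivalent that blocks all HTTP access to the directory outright is an `.htaccess` containing `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2), and placing the directory above `public_html` in the first place removes the need for either.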



