
Archived

This topic is now archived and is closed to further replies.

klitscher

user login encryption philosophy

Recommended Posts

I have read and am using the code in the PHP Freaks Tutorial on using mcrypt to encrypt and decrypt strings. I have a couple of questions on the philosophy of encryption.

I have password protected pages on a site that will start a session once a correct username and password combination has been entered (these values are located in a mysql table). I am currently doing this:

1. username and password are entered and compared with values in mysql table
2. If they match, a session is started, and the username and password are encrypted and stored in the session
3. by surfing to a different password protected page, the session data are retrieved and decrypted and compared with the values in the mysql table. If they match, the page is included, if not, the login page is presented.

My questions are:

Is this the appropriate (and most secure) way to be using encryption for user authentication?

How do I go about storing (and accessing/including) the encryption key and database access information off of a 'publicly' viewed place on the server?

Any thoughts, comments, suggestions, and links will be much appreciated. Thanks in advance.

Ken

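The three-step flow in the post above keeps the password in the session (encrypted) and decrypts it on every page. An added example, not code from the thread or from the PHP Freaks tutorial, showing the design most practitioners would use instead: the database holds a one-way `password_hash()` digest, the session holds only the user's id, and each protected page looks that id up again. Session data lives on the server, so nothing in it needs encrypting; the only thing the browser holds is the session id cookie. The user table, the username `ken`, the password and the `/login.php` redirect are constructed for the demo. (Note that the mcrypt extension the tutorial relies on was removed from PHP in 7.2; password storage should use `password_hash` rather than any cipher.)

```php
<?php
// Added example, not code from the original thread or the PHP Freaks tutorial.
// Session login where the session holds only the user's id; the password is
// never stored in the session and never encrypted, only hashed in the table.
declare(strict_types=1);

// Constructed stand-in for the MySQL users table. A real application would
// query this with PDO; the shape of each row is the same.
function user_table(): array
{
    static $table = null;
    if ($table === null) {
        $table = [
            'ken' => [
                'id'            => 1,
                'password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $table;
}

function login(string $username, string $password): bool
{
    $row = user_table()[$username] ?? null;
    // Verify against a fixed dummy hash when the username is unknown, so a
    // failed login takes the same time whether or not the account exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $row['password_hash'] ?? $dummyHash);
    if ($row === null || !$ok) {
        return false;
    }
    // A fresh session id on login prevents session fixation. (Skipped when run
    // from the command line, where no session is active.)
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION = [
        'user_id'    => $row['id'],
        'login_time' => time(),
    ];
    return true;
}

// Every protected page calls this instead of decrypting credentials: the id is
// all the page needs, and looking the row up again means an account deleted or
// disabled since login is treated as logged out.
function current_user(): ?array
{
    $id = $_SESSION['user_id'] ?? null;
    if ($id === null) {
        return null;
    }
    foreach (user_table() as $name => $row) {
        if ($row['id'] === $id) {
            return ['username' => $name, 'id' => $row['id']];
        }
    }
    return null;
}

function require_login(): array
{
    $user = current_user();
    if ($user === null) {
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Demo run. In a web request, session_start() (with 'httponly' and 'secure'
// cookie params) would come first and $_SESSION would be the live session.
$_SESSION = [];
echo 'wrong password: ', var_export(login('ken', 'wrong password'), true), PHP_EOL;
echo 'unknown user:   ', var_export(login('nobody', 'whatever'), true), PHP_EOL;
echo 'right password: ', var_export(login('ken', 'correct horse battery'), true), PHP_EOL;
echo 'page sees user: ', current_user()['username'], PHP_EOL;
echo 'session holds:  ', implode(',', array_keys($_SESSION)), PHP_EOL;
logout();
echo 'after logout:   ', var_export(current_user(), true), PHP_EOL;
```

Each protected page then starts with `session_start(); $user = require_login();` and never touches the password again; changing a password or deleting an account takes effect on the next request without any decryption step.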
Does anyone have any suggestions on what to do, or can lead me somewhere else to get help? Thanks.

Ken

You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.

[quote name='cerin' date='Mar 17 2006, 07:33 PM']
You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.
[/quote]

What's the benefit of using cookies over using sessions?

Well this goes pretty far as to hiding $_SESSION values

[code]
// To set the var (base64_encode only re-encodes the string; there is no key)
$_SESSION['var'] = base64_encode('haaaaaxxxx!');

// To access (base64_decode reverses it exactly)
$var = base64_decode($_SESSION['var']);
[/code]

[quote name='High_-_Tek' date='Mar 17 2006, 08:41 PM']
Well this goes pretty far as to hiding $_SESSION values

[code]
// To set the var (base64_encode only re-encodes the string; there is no key)
$_SESSION['var'] = base64_encode('haaaaaxxxx!');

// To access (base64_decode reverses it exactly)
$var = base64_decode($_SESSION['var']);
[/code]
[/quote]

Thanks High_-_Tek.

That is something similar to what I'm doing...my question was more geared towards the best theory of what to encrypt when. I think I have something figured out.

As for my other question, I've decided to password protect a directory using .htaccess and put the encryption key and database login info in that directory. Then I include the files using the file system location with:
[code]
require_once("/home/username/public_html/private/encrypt.php");
[/code]

If someone has other thoughts though, I am game. Thanks.

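The post above keeps the secrets directory under `public_html` and relies on `.htaccess` to block it. An added example, not code from the thread, that takes the other common route: the config file lives outside the document root, so it cannot be served over HTTP at all, whether or not the server honours `.htaccess` files (Apache only does when `AllowOverride` permits it). The loader also refuses a world-readable file, and the generator creates the file owner-only with a key from the CSPRNG. The paths (`/home/username/private/config.php`), DSN, user and password are hypothetical; the demo writes to a temporary directory instead.

```php
<?php
// Added example, not code from the original thread. Loads database
// credentials and the encryption key from a file outside the document root,
// and generates that file with a random key.
declare(strict_types=1);

// Assumed (hypothetical) layout:
//   /home/username/private/config.php     <- outside public_html, never served
//   /home/username/public_html/index.php  <- loads it with:
//     $config = load_config(dirname(__DIR__) . '/private/config.php');

const REQUIRED_KEYS = ['db_dsn', 'db_user', 'db_pass', 'enc_key_hex'];

function load_config(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("config file not found: $path");
    }
    // Permission bit 0004 is "readable by others"; a secrets file must not have it.
    if ((fileperms($path) & 0004) !== 0) {
        throw new RuntimeException("config file is world-readable: $path");
    }
    $config = require $path;  // the file simply returns an array
    if (!is_array($config)) {
        throw new RuntimeException('config file must return an array');
    }
    foreach (REQUIRED_KEYS as $key) {
        if (!isset($config[$key]) || $config[$key] === '') {
            throw new RuntimeException("missing config key: $key");
        }
    }
    // The key is stored as hex so the file stays plain text; convert it to the
    // raw 32 bytes a modern cipher (sodium_crypto_secretbox, AES-256) expects.
    $raw = hex2bin($config['enc_key_hex']);
    if ($raw === false || strlen($raw) !== 32) {
        throw new RuntimeException('enc_key_hex must be 64 hex characters (32 bytes)');
    }
    $config['enc_key'] = $raw;
    unset($config['enc_key_hex']);
    return $config;
}

// Writes a fresh config with a random 256-bit key. Run once, by hand, as the
// account owner; the file is owner-only from the moment it exists.
function write_config(string $path, string $dsn, string $user, string $pass): void
{
    $config = [
        'db_dsn'      => $dsn,
        'db_user'     => $user,
        'db_pass'     => $pass,
        'enc_key_hex' => bin2hex(random_bytes(32)),  // never a memorable passphrase
    ];
    $php = "<?php\n// generated secrets: keep out of the web root and out of version control\nreturn "
         . var_export($config, true) . ";\n";
    $oldUmask = umask(0077);  // new file is created mode 0600; no chmod race
    try {
        if (file_put_contents($path, $php, LOCK_EX) === false) {
            throw new RuntimeException("could not write $path");
        }
    } finally {
        umask($oldUmask);
    }
}

// Demo against a temporary directory standing in for /home/username/private.
$dir = sys_get_temp_dir() . '/private_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$path = $dir . '/config.php';
write_config($path, 'mysql:host=localhost;dbname=site', 'site_user', 'constructed-db-password');

$config = load_config($path);
printf("file mode: %o\n", fileperms($path) & 0777);
printf("key bytes: %d\n", strlen($config['enc_key']));
printf("dsn: %s\n", $config['db_dsn']);

chmod($path, 0644);  // simulate the mistake of a world-readable secrets file
clearstatcache(true, $path);
try {
    load_config($path);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($path);
rmdir($dir);
```

The same loader works for a directory under `public_html` protected by `.htaccess`, but it no longer depends on that protection: a misconfigured `AllowOverride` or a stray copy of the file exposes nothing when the file is not under the document root in the first place.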