
user login encryption philosophy


klitscher


I have read and am using the code in the PHP Freaks Tutorial on using mcrypt to encrypt and decrypt strings. I have a couple of questions on the philosophy of encryption.

I have password protected pages on a site that will start a session once a correct username and password combination has been entered (these values are located in a mysql table). I am currently doing this:

1. username and password are entered and compared with values in mysql table
2. If they match, a session is started, and the username and password are encrypted and stored in the session
3. by surfing to a different password protected page, the session data are retrieved and decrypted and compared with the values in the mysql table. If they match, the page is included, if not, the login page is presented.

My questions are:

Is this the appropriate (and most secure) way to be using encryption for user authentication?

How do I go about storing (and accessing/including) the encryption key and database access information off of a 'publicly' viewed place on the server?

Any thoughts, comments, suggestions, and links will be much appreciated. Thanks in advance.

Ken

[quote name='cerin' date='Mar 17 2006, 07:33 PM' post='356092']
You should use cookies to verify when the user is logged in. I don't know much about storing encryption keys.
[/quote]

What's the benefit of using cookies over using sessions?


[quote name='High_-_Tek' date='Mar 17 2006, 08:41 PM' post='356102']
Well this goes pretty far as to hiding $_SESSION values

[code]
// To set the var: store it base64-encoded in the session
$_SESSION['var'] = base64_encode('haaaaaxxxx!');

// To access it: decode the stored value
$var = base64_decode($_SESSION['var']);
[/code]
[/quote]

Thanks High_-_Tek.

That is something similar to what I'm doing... my question was more geared towards the best theory of what to encrypt when. I think I have something figured out.

As for my other question, I've decided to password protect a directory using .htaccess and put the encryption key and database login info in that directory. Then I include the files using the file system location with:
[code]
require_once("/home/username/public_html/private/encrypt.php");
[/code]

If someone has other thoughts though, I am game. Thanks.
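The three-step flow from the first post and the file-system include from the last one, as an added example that is not code from the thread: here the session records only the user's id rather than encrypted credentials, and the database settings come from a file the web server never serves. The table and column names, the config path and the constants DB_DSN, DB_USER and DB_PASS are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: a `users` table with columns
// id, username, password_hash (from password_hash()), and a config file outside
// the web root (assumed path below) that defines DB_DSN, DB_USER and DB_PASS.
require_once '/home/username/private/config.php';

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
    return $pdo;
}

function startSession(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
}

// Steps 1 and 2: verify the credentials against the table and, on a match, keep
// only the numeric user id in the server-side session; no password is stored there.
function login(string $username, string $password): bool {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    startSession();
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Step 3: guard for a protected page. The id is trusted because the session lives
// on the server; the lookup only confirms the account still exists.
function requireLogin(): array {
    startSession();
    $user = false;
    if (!empty($_SESSION['user_id'])) {
        $stmt = db()->prepare('SELECT id, username FROM users WHERE id = ?');
        $stmt->execute([$_SESSION['user_id']]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
    }
    if ($user === false) {
        session_unset();
        header('Location: /login.php');
        exit;
    }
    return $user;
}
```

A protected page calls `requireLogin()` before any output; the login form handler calls `login($_POST['username'], $_POST['password'])` and redirects on success.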
