
Login security


mika


Can someone please help to find the most important login precautions in terms of security. For example, I think the most important is:

1. string escaping, prevent SQL injections

2.

3.

...

 

I know it's hard to find and consider all of them, that's why I'd like to have a list of the most important.


String escaping and SQL sanitation have nothing to do with user authentication; they are necessary for any interaction with a database.

 

User authentication is hard, and easy to do incorrectly. Use existing secure solutions. Look at the code to see what they are doing, and why they are doing it.

 

With that said, these are the most important in my opinion (in no particular order):

1. Password storage

2. Persistent logins

3. Active sessions

4. User permissions


All those fall within the 3 steps for security

 

Storage Areas: I have seen many people who validate a login with a cookie; however, since cookies are stored on the client side, this makes them very vulnerable to editing. Use a session-based system to authenticate the user. Don't store any sensitive information in a cookie. (Sessions can use the built-in handler or one of the custom session handlers out on the net.)

 

It's just a matter of not leaving much for the user to alter.

 

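Putting the two replies above into working PHP (hashed password storage, a session-based login in which the browser holds nothing but an opaque session id, and a fixation-safe logout), as an added example rather than code from this thread. The `$users` array is a constructed stand-in for a users table, and the function names are my own.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a users table: only password hashes are stored.
// password_hash() applies a salted, deliberately slow algorithm (bcrypt by default).
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

/**
 * Check a username/password pair and return the user id, or null on failure.
 * When the username is unknown a dummy hash is still verified so that the
 * response time does not reveal which usernames exist.
 */
function authenticate(array &$users, string $username, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['hash'] : $dummyHash;

    if (!password_verify($password, $hash) || !$known) {
        return null;
    }
    // Transparently upgrade stored hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $users[$username]['id'];
}

/** Start the session once, with the cookie and id-handling options hardened. */
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'cookie_httponly'  => true,  // cookie not readable from JavaScript
        'cookie_secure'    => true,  // cookie only sent over HTTPS
        'cookie_samesite'  => 'Lax', // not sent on cross-site POST requests
        'use_strict_mode'  => true,  // ids the server did not issue are rejected
        'use_only_cookies' => true,  // never accept the id from the URL
    ]);
}

/**
 * Bind the session to the authenticated user. The user id lives only
 * server-side in $_SESSION, so there is nothing in the cookie to edit.
 */
function loginSession(int $userId): void
{
    startSession();
    // A fresh id after login discards any id planted before authentication (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

/** Return the logged-in user's id, or null for anonymous visitors. */
function currentUserId(): ?int
{
    startSession();
    return $_SESSION['user_id'] ?? null;
}

/** Wipe the session server-side and expire the cookie in the browser. */
function logout(): void
{
    startSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical request flow (form rendering and redirects omitted):
// $id = authenticate($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($id !== null) { loginSession($id); } else { /* show one generic failure message */ }
```

The same `session_regenerate_id(true)` call belongs at every privilege change, not only at login. A "remember me" persistent login is a separate concern: it should be a random token stored hashed server-side and checked on its own, never the password or the user id placed in a cookie.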


Are PHP sessions safe? Session ID is automatically sent to the server via session cookies. Is there any safer and at the same time efficient method? Is sending session IDs via url more secure? I believe it is not very practical.


There's nothing wrong with using cookies. Just make it so if someone tries to spoof the cookie, they don't get away with it.

 

PHP sessions are safe if you take precautions. If you're on a shared server, store them in a database and not on the file system (they are stored in the file system by default). This is because on a shared server other users could theoretically access the session data. Read up on session hijacking and how to avoid it. This is a good read.


As a note I posted this about a db to hold session data in not long ago. http://www.phpfreaks.com/forums/index.php?topic=350129.msg1652266#msg1652266, also if you're not logging the user out when they log out or when they close their browser like I am then I would see where a db would be a better idea. I also went to the link scootstah had above and it was a big help.

