> -----Original Message-----
> From: Liam Gibbs [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 8:20 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP Security Leak
>
> I'm wondering if anyone has any ideas on how to make a login site more
> secure. Since I'm not really sure if I've explained myself well enough and
> don't really know how else to say it, I'll just give examples and then you
> guys can follow suit and mention some oversights:
>
> I have a regular logon: username and password. What it does is, when the
> user types in a name and pword, it forwards to another PHP page (a
> 'middleman' page that is there just to compare usernames and pwords),
> validates by checking the SQL database, then header forwards to the login
> page. A cookie is created, and voila, you're allowed into what we'll call
> the 'account pages'. Now, here's my 'security' (notice the quotes):
>
> 1. You can't log in when the URL includes a username and/or a password (so
> that no one can make direct links).
> 2. Same with an account page: you're redirected to the login page if you
> include a username and pword when linking to an account page.
> 3. The 'middleman' page also has this protection: you can't directly link
> to it with a username and pword in the URL. Basically, users can't get into
> anything when they include a username and pword in the URL.
> 4. Obviously, you don't get access if your username and password don't
> match anything in the database (thought I'd mention it even though it goes
> without saying).
> 5. You can't log in from a page that isn't on the server.
>
> Are there any validation or security holes that I'm overlooking?
At least these two:

1. Use SSL
2. Store passwords MD5 encrypted in the DB

Sincerely,
Maxim Maletsky
Founder, Chief Developer
www.PHPBeginner.com // where PHP Begins

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
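One way to put the reply's hashed-storage advice into the 'middleman' page described in the question, as an added example that is not code from either poster: it uses PHP's password_hash()/password_verify() (a salted, deliberately slow hash, PHP 7.4+ assumed) in place of a bare MD5, binds the username in a prepared statement, and accepts credentials only from a POST over HTTPS so they never appear in a URL. The in-memory SQLite table, the 'alice' account and the /login.php and /account.php paths are constructed placeholders.

```php
<?php
// Added example, not from the thread. Assumptions: an in-memory SQLite table stands
// in for the site's users table; /login.php and /account.php are placeholder page paths.
function setupUsers(PDO $db): void {
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :h)');
    // Constructed sample account: only the salted hash is stored, never the password.
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
}

// True only when the name exists and the password matches its stored hash.
function checkCredentials(PDO $db, string $username, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash(random_bytes(16), PASSWORD_DEFAULT);
    $sel = $db->prepare('SELECT pwhash FROM users WHERE username = :u'); // bound, not interpolated
    $sel->execute([':u' => $username]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    // Always run one verify (against a dummy hash for unknown names) so the
    // response time does not reveal which usernames exist.
    $ok = password_verify($password, $row ? $row['pwhash'] : $dummy);
    return $row !== false && $ok;
}

// The 'middleman' page: accept credentials only from a POST over HTTPS, so they
// never sit in a URL (points 1-3 of the question) or cross the wire in clear.
function handleLogin(PDO $db): void {
    if (empty($_SERVER['HTTPS']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: /login.php', true, 303);
        exit;
    }
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');
    if (!checkCredentials($db, $user, $pass)) {
        header('Location: /login.php?failed=1', true, 303);
        exit;
    }
    session_start();
    session_regenerate_id(true); // fresh cookie value once authenticated
    $_SESSION['user'] = $user;
    header('Location: /account.php', true, 303);
    exit;
}

$db = new PDO('sqlite::memory:');
setupUsers($db);
if (PHP_SAPI === 'cli') { // constructed checks when run from the command line
    var_dump(checkCredentials($db, 'alice', 'correct horse'), checkCredentials($db, 'nobody', 'x'));
} else {
    handleLogin($db);
}
```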