#1
08-03-2006, 05:58 PM
waugh (Junior Member)
Security Safe PHP Session Setup

I am working on a totally new from scratch Member Login system, and am looking for the overall best PHP Session Authenticating setup to use.

CURRENT SETUP
1. Visitor comes to login

2. The login page creates a md5(rand()) number set as a token

3. Visitor gets a SESSION[token] set as the random token from step 2.

4. A hidden form field gets created with the token as the value.

5. Visitor enters username/password -> submits data

6. If the Hidden Field Token and the Session Token Match (it continues)

7. It then checks validation, making sure the member does exist and the email and password were legitimately typed, and if so (it continues)

8. Once it confirmed the member existed, and no SQL Injections are put in, it verifies the member username/password - if okay (it continues)

9. It creates a NEW token and replaces the current SESSION token, because it was s
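As an added example that is not code from the thread, here are steps 2 to 9 of the setup above written as one PHP 7+ script; it swaps md5(rand()) for random_bytes() and a constant-time compare, and also regenerates the session id at step 9. check_credentials() is a hypothetical placeholder for the database check in steps 7 and 8.

```php
<?php
// Added example, not code from the thread: the login-token flow described in
// steps 2-9 of post #1, using PHP's CSPRNG (random_bytes) and a constant-time
// compare (hash_equals) in place of md5(rand()) and ==. Assumes PHP 7+.
session_start();

// Steps 2-3: mint a fresh token and keep a copy in the session.
function issue_login_token(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $_SESSION['token'] = $token;
    return $token;
}

// Step 6: hidden field and session copy must match; hash_equals avoids timing leaks.
function token_matches(?string $submitted): bool
{
    $stored = $_SESSION['token'] ?? null;
    if ($stored === null || $submitted === null) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Step 9: on success, rotate the session id as well as the token so that a
// session id handed out before login (fixation) cannot be reused afterwards.
function promote_session(int $userId): void
{
    session_regenerate_id(true);      // new id; the old session data is destroyed
    unset($_SESSION['token']);        // the login token is single-use
    $_SESSION['user_id'] = $userId;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_matches($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Bad or missing form token');
    }
    // check_credentials() is a hypothetical helper standing in for steps 7-8
    // (prepared-statement lookup + password_verify()); it returns the user id or null.
    $userId = check_credentials($_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($userId === null) {
        exit('Login failed');
    }
    promote_session($userId);
    exit('Logged in');
}

$token = htmlspecialchars(issue_login_token(), ENT_QUOTES, 'UTF-8');   // step 4
echo '<form method="post"><input type="hidden" name="token" value="' . $token . '">'
   . '<input name="username"><input type="password" name="password"><button>Log in</button></form>';
```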
#2
08-03-2006, 06:01 PM
rutherford (OSP Starters)

One thing I would have to say would help for setting the session token would be a combination of the following.

Username or UserID
IP
time()

That is what I have always used and never had an issue.

Hope I was of some help
Have a nice time
#3
08-03-2006, 06:03 PM
zac (OSP Starters)

If the user is behind a proxy or a server farm, their IP can and will change on each page request. One thing that stays pretty consistent is their User Agent string. If this changes mid session then it either isn't them anymore, or they are using something like Opera that allows these switches. Either way you can make 'em log in again