Tycoon Talk
PHP Forum
Old 07-16-2009, 06:37 PM PHP sessions
Banned

Posts: 34
Trades: 0
Hey, I have to make a site pretty darn secure. I am a bit paranoid because if something goes wrong, it's my neck.
So far I have a class that simply checks the user and pass, which is hashed, against a DB, then a session with the username to keep track of it.

Is that enough, or is a temporary table holding the sessions better? Any suggestions?
I found this script on the net, but I am confused on how to use it in my class. Can anyone help me out? Thanks.
Here is the link:
http://www.dreamincode.net/code/snippet1947.htm
I sort of get what it does, but not well enough to incorporate it into my script.
Thanks
Necaxa is offline
Old 07-17-2009, 01:52 AM Re: PHP sessions
Extreme Talker

Posts: 181
Name: David Jackson
Trades: 0
Quote:
I am a bit paranoid because if something goes wrong, it's my neck.
Depends on what value you have put on your neck!!

Taking advice from a forum is no more secure than copying and pasting a script from an anonymous site. I could write anything I want and tell you where to paste it. Then your neck becomes mine!!!!

Learn the language, then you can write your own!!!
davidj is offline
Old 07-17-2009, 06:25 AM Re: PHP sessions
Banned

Posts: 34
Trades: 0
Hey, I wasn't asking for a script; I already wrote one. I am asking for tips. The script at Dream in Code just confused me because I am not sure how it would work for me. The very best way to learn PHP is to understand scripts and then you make your own. So you're not going to give me a hand?
Necaxa is offline
Old 07-17-2009, 06:28 PM Re: PHP sessions
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
A few things:
  1. Even the government gets hacked! The easiest way to hack a system is to hack a user. You should never have yourself in a situation where "your neck is on the line" provided you act in a professional fashion with due diligence.
  2. Asking on a forum isn't a bad thing provided you take the advice and critically analyze it for honesty.
  3. @david Flaming isn't help.
  4. Sessions are, by default, stored in an unsecured location, so you don't want to use the default session storage. Instead, look at storing sessions in a database.
  5. I don't like to say "go search", but in your case I think it might be helpful. This should get you started: http://www.google.com/#hl=en&q=php+s...fp=KxYPMM6r3XA and, at least, I'm giving you the keywords to search for.
  6. For added security, sessions should require cookies and not be passed through URLs. Look at adding a PHP configuration option to enable session.use_only_cookies and disable session.use_trans_sid.
  7. For much more security, though the coding is a bit more intense, you could not use sessions at all. Instead, consider creating a one-time-use cookie which is changed on each page call to a new, randomly-generated cookie code which you then store to validate the next page call. If the code doesn't match the one code set which allows the next page call, then require the user to login again. This will screw up people who use multiple windows/tabs, but does add security.
Hope that helps to get you started!
JeremyMiller is offline
Old 07-18-2009, 01:43 PM Re: PHP sessions
Extreme Talker

Posts: 181
Name: David Jackson
Trades: 0
@jeremy

It wasn't a flame.

If you're put in a position where you're not a developer but have to carry the can if something goes wrong, then this is not right.

Cutting and pasting from the web is fine, but when you don't know what you're doing and there is risk associated with it, then it becomes a live grenade.

Using the time to learn rather than looking for scripts pays dividends.
davidj is offline
Old 07-18-2009, 03:52 PM Re: PHP sessions
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
A forum is a place to learn, David. Notice how I didn't provide the code, but guidance instead? That will allow the OP to go and learn with an organized plan.

BUT, let's not hijack the thread for this.

@Necaxa -- Did that give you sufficient guidance to look at properly creating such a secure login?
JeremyMiller is offline
Old 07-29-2009, 04:28 PM Re: PHP sessions
Banned

Posts: 34
Trades: 0
Hey, thanks Jeremy, and also to "cough cough David...". OK, I did my research; it seems like encrypting sessions and, like Jeremy said, keeping them in a DB. But I also found that sending encrypted data through JavaScript is not a bad idea. Thanks.
Necaxa is offline
Old 07-29-2009, 04:31 PM Re: PHP sessions
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
Quote:
Originally Posted by Necaxa
I also found that sending encrypted data through JavaScript is not a bad idea. Thanks.
Only if you're using public key cryptography!
JeremyMiller is offline
Old 07-30-2009, 06:01 AM Re: PHP sessions
Banned

Posts: 34
Trades: 0
Yeah, do you know anything about OpenSSL? Like how to use it and so on?
Necaxa is offline
Old 07-31-2009, 10:36 AM Re: PHP sessions
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
I wrote an email encryptor using GPG that I have in my code repository, but not sure if it works as I never implemented it anywhere. Sorry.
JeremyMiller is offline
Old 08-03-2009, 08:21 AM Re: PHP sessions
Novice Talker

Posts: 13
Trades: 0
The class you linked to is pretty good. It uses session fingerprinting to prevent hijacking (though it is rather limited at only using the user agent). Another thing you may want to change in that script if you're using PHP 5.1.0 or newer:

Code:
session_regenerate_id(true);
This will delete the old session. Before PHP 5.1.0 regenerating sessions was useless because a copy of the old session was still on the server.
premiumscripts is offline