[PHP] Secure Logins? - Printable Version
Support Forums (https://www.supportforums.net)
Thread: [PHP] Secure Logins? (/showthread.php?tid=11515)
[PHP] Secure Logins? - `P R O D I G Y™ - 08-25-2010

How exactly should login data be handled other than mysql_escape_string, what parts need to be cookie stored, etc?

RE: [PHP] Secure Logins? - ndee - 08-25-2010

It really depends on the script. If it's a forum, then it's something, if it's a user panel, it's another thing.

RE: [PHP] Secure Logins? - Iarkey - 08-26-2010

Store the username and some sort of session key that expires every X minutes and only works if the current IP matches last login IP.

RE: [PHP] Secure Logins? - Proof - 08-26-2010

(08-26-2010, 09:44 AM)Iarkey Wrote: store the username and some sort of session key that expires every X minutes and only works if the current ip matches last login ip.

Use a cookie. In the log in block put this

PHP Code:
    $x = 3600; // time to expire

You can check if they match by doing this

PHP Code:
    if($_COOKIE['IP'] == $_SERVER['REMOTE_ADDR']){

RE: [PHP] Secure Logins? - Iarkey - 08-26-2010

(08-26-2010, 01:49 PM)Proof Wrote: Use a cookie.

Then someone can just steal the cookie D:

RE: [PHP] Secure Logins? - Proof - 08-26-2010

(08-26-2010, 03:24 PM)Iarkey Wrote: Then someone can just steal the cookie D:

You can steal a session if you're on the same server... I think it goes the same for a cookie. You can also add more parameters to it.

RE: [PHP] Secure Logins? - Iarkey - 08-26-2010

(08-26-2010, 03:52 PM)Proof Wrote: You can steal a session if you're on the same server... I think it goes the same for a cookie. You can also add more parameters to it.

You want to check the client uses the same IP as the one you assigned the cookie to.

RE: [PHP] Secure Logins? - Proof - 08-26-2010

(08-26-2010, 04:15 PM)Iarkey Wrote: you want to check the client uses the same ip as the one you assigned the cookie too.

Either I'm not understanding you or you didn't read it..

PHP Code:
    if($_COOKIE['IP'] == $_SERVER['REMOTE_ADDR']){

RE: [PHP] Secure Logins? - Iarkey - 08-26-2010

(08-26-2010, 05:30 PM)Proof Wrote: Either I'm not understanding you or you didn't read it..

Wouldn't you just be able to edit the IP in the cookie to yours?

RE: [PHP] Secure Logins? - Proof - 08-26-2010

(08-26-2010, 06:22 PM)Iarkey Wrote: wouldn't you just be able to edit the ip in the cookie to yours?

I guess you register a random md5 hash and then put it in the DB and check if it matches up each time a page loads.
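
The approach the thread ends on (a random value stored in the DB and checked on each page load), as an added example that is not part of the thread or any poster's code. It swaps the md5 hash for a `random_bytes` token whose SHA-256 digest is stored; the function names, the `login_tokens` table, the in-memory SQLite database and the sample IPs are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). issueToken/checkToken and the
// login_tokens table are hypothetical; in-memory SQLite stands in for the real DB.
const TOKEN_TTL = 3600; // seconds, same lifetime as $x in the thread

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY,
               username TEXT NOT NULL, ip TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// At login: create an unguessable token and store only its hash server-side.
function issueToken(PDO $db, string $user, string $ip, int $now): string {
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not md5 of anything
    $stmt = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $user, $ip, $now + TOKEN_TTL]);
    return $token; // this value is what goes in the cookie
}

// On every page load: look the token up. The IP and expiry come from the DB
// row, never from the cookie, so editing the cookie cannot change them.
function checkToken(PDO $db, string $token, string $ip, int $now): ?string {
    $stmt = $db->prepare(
        'SELECT username, ip, expires FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now >= (int)$row['expires']
        || !hash_equals($row['ip'], $ip)) {
        return null; // unknown token, expired, or IP differs from login IP
    }
    return $row['username'];
}

// Constructed demo values (documentation-range IPs).
$db = makeDb();
$now = time();
$token = issueToken($db, 'alice', '203.0.113.7', $now);
// In a web request the token would be sent with:
// setcookie('auth', $token, ['expires' => $now + TOKEN_TTL, 'httponly' => true,
//                            'secure' => true, 'samesite' => 'Lax']);
var_dump(checkToken($db, $token, '203.0.113.7', $now));              // same IP
var_dump(checkToken($db, $token, '198.51.100.9', $now));             // other IP
var_dump(checkToken($db, $token, '203.0.113.7', $now + TOKEN_TTL));  // expired
var_dump(checkToken($db, str_repeat('0', 64), '203.0.113.7', $now)); // forged
```

Only the first call returns the username; the other three return null because the comparison data lives in the database row rather than in anything the client can edit.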