Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[PHP] Secure Logins?
#1
How exactly should login data be handled other than mysql_escape_string, what parts need to be cookied stored, etc?
Reply
#2
It really depends on the script. It it's a forum, then it's something, if it's an user panel, it's another thing.
Reply
#3
store the username and some sort of session key that expires every X minutes and only works if the current ip matches last login ip.
Reply
#4
(08-26-2010, 09:44 AM)Iarkey Wrote: store the username and some sort of session key that expires every X minutes and only works if the current ip matches last login ip.

Use a cookie.

in the log in block put this
PHP Code:
$x 3600// time to expire
setcookie("IP"$_SERVER['REMOTE_ADDR'], time()+$x); 

you can check if they match by doing this
PHP Code:
if($_COOKIE['IP'] == $_SERVER['REMOTE_ADDR']){
//do stuff
}else
die(); 
(11-23-2010, 08:40 PM)Guest Wrote: Alright, did the 'Support' get removed from SupportForums?
You're not a good Emotional Helper.
Reply
#5
(08-26-2010, 01:49 PM)Proof Wrote: Use a cookie.

in the log in block put this
PHP Code:
$x 3600// time to expire
setcookie("IP"$_SERVER['REMOTE_ADDR'], time()+$x); 

you can check if they match by doing this
PHP Code:
if($_COOKIE['IP'] == $_SERVER['REMOTE_ADDR']){
//do stuff
}else
die(); 
Then someone can just steal the cookie D:
Reply
#6
(08-26-2010, 03:24 PM)Iarkey Wrote: Then someone can just steal the cookie D:

You can steal a session if you're on the same server... I think it goes the same for a cookie. You can also add more parameters to it.
(11-23-2010, 08:40 PM)Guest Wrote: Alright, did the 'Support' get removed from SupportForums?
You're not a good Emotional Helper.
Reply
#7
(08-26-2010, 03:52 PM)Proof Wrote: You can steal a session if you're on the same server... I think it goes the same for a cookie. You can also add more parameters to it.
you want to check the client uses the same ip as the one you assigned the cookie too.
Reply
#8
(08-26-2010, 04:15 PM)Iarkey Wrote: you want to check the client uses the same ip as the one you assigned the cookie too.

Either I'm not understanding you or you didn't read it..

PHP Code:
if($_COOKIE['IP'] == $_SERVER['REMOTE_ADDR']){
//do stuff
}else
die(); 
(11-23-2010, 08:40 PM)Guest Wrote: Alright, did the 'Support' get removed from SupportForums?
You're not a good Emotional Helper.
Reply
#9
(08-26-2010, 05:30 PM)Proof Wrote: Either I'm not understanding you or you didn't read it..

PHP Code:
if($_COOKIE['IP'] == $_SERVER['REMOTE_ADDR']){
//do stuff
}else
die(); 
wouldn't you just be able to edit the ip in the cookie to yours?
Reply
#10
(08-26-2010, 06:22 PM)Iarkey Wrote: wouldn't you just be able to edit the ip in the cookie to yours?

I guess you register a random md5 hash and then put it in the DB and check if it matches up each time a page loads.
(11-23-2010, 08:40 PM)Guest Wrote: Alright, did the 'Support' get removed from SupportForums?
You're not a good Emotional Helper.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  PHP Framework List: An Ultimate Guide to 102 PHP Frameworks for Web Developers tk-hassan 0 943 07-27-2020, 11:26 PM
Last Post: tk-hassan
  PHP Video Tutorials (PHP For Beginners) Eleqtriq 4 3,671 10-10-2011, 01:00 PM
Last Post: Greyersting

Forum Jump:


Users browsing this thread: 5 Guest(s)