In this article Martin explains how to create a secure PHP login script that allows safe authentication. It features a remember-me function based on cookies and validates the login on every request to prevent session stealing.
How Does This Work
This is a short explanation of why I have chosen these authentication methods.
Users with shell access to the web server can list valid session IDs if the default /tmp directory is used to store the session data: the session files are named after the ID (sess_<id>), so a world-readable /tmp leaks every live ID, and on a shared host, where every site runs as the same web server user, their contents can be read as well. The protection against a harvested ID is the IP check: a session is only accepted from the address it was created from, so presenting the stolen ID from another machine fails.
Somebody who has a site on the same shared host can also write a session file of their own and thereby generate a valid session for your site, or fixate one. This is why the checkSession method is used: the session ID issued at login is recorded in the database, and a request whose session ID is not the one on record for that user is rejected.
Somebody may sniff network traffic and catch the cookie. The IP check limits the damage from a replayed cookie, but it does not eliminate this problem: an attacker behind the same NAT or proxy as the victim presents the same address, and legitimate users whose address changes (dial-up, mobile) are logged out. Only encrypting the connection (HTTPS) for every authenticated request actually keeps the cookie off the wire.
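The three mechanisms above (session ID rotated and recorded in the database at login, checkSession comparing the record against the current session ID and client IP on each request, and a remember-me cookie), as an added example that is not Martin's code from this article. It departs from the article's PHP 4.1 target: it assumes PHP 7.1 or later with the pdo_sqlite extension, and the users table, the account "alice", and the client addresses are constructed for the demo.

```php
<?php
// Added example, not the article's own code. Demonstrates the three ideas from
// the text: rotate and record the session ID at login, reject a request whose
// session ID or client IP does not match the database record (checkSession),
// and a remember-me cookie that carries a random token whose hash lives in the DB.
// Assumes PHP 7.1+ with the pdo_sqlite extension; the `users` table, the
// account and the IP addresses below are constructed for this demo.
declare(strict_types=1);

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');               // throwaway demo database
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT,
            session_id TEXT, session_ip TEXT, remember_hash TEXT)');
        $pdo->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)')
            ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Bind a freshly regenerated session ID to the user and the client IP.
function bindSession(int $uid, string $ip): void {
    session_regenerate_id(true);   // never keep an ID the client may have chosen
    $_SESSION['uid'] = $uid;
    db()->prepare('UPDATE users SET session_id = ?, session_ip = ? WHERE id = ?')
        ->execute([session_id(), $ip, $uid]);
}

function login(string $user, string $pass, string $ip): bool {
    $st = db()->prepare('SELECT id, pwhash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pwhash'])) {
        return false;
    }
    bindSession((int)$row['id'], $ip);
    return true;
}

// checkSession: the request is authenticated only if the database still lists
// this exact session ID for the user and the client IP is the one it was
// created from. A session forged or harvested in /tmp fails the first test;
// a cookie replayed from another address fails the second.
function checkSession(string $ip): bool {
    if (empty($_SESSION['uid'])) {
        return false;
    }
    $st = db()->prepare('SELECT session_id, session_ip FROM users WHERE id = ?');
    $st->execute([$_SESSION['uid']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && hash_equals((string)$row['session_id'], session_id())
        && $row['session_ip'] === $ip;
}

// Remember-me: the cookie carries "uid:token"; only sha256(token) is stored, so
// a database leak does not hand out working cookies. The caller sends the
// returned value with setcookie(..., ['secure' => true, 'httponly' => true]).
function issueRememberCookie(int $uid): string {
    $token = bin2hex(random_bytes(32));
    db()->prepare('UPDATE users SET remember_hash = ? WHERE id = ?')
        ->execute([hash('sha256', $token), $uid]);
    return $uid . ':' . $token;
}

function loginFromRememberCookie(string $cookie, string $ip): bool {
    [$uid, $token] = explode(':', $cookie, 2) + [null, null];
    if ($uid === null || $token === null || !ctype_digit($uid)) {
        return false;
    }
    $st = db()->prepare('SELECT remember_hash FROM users WHERE id = ?');
    $st->execute([(int)$uid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['remember_hash'] === null
        || !hash_equals($row['remember_hash'], hash('sha256', $token))) {
        return false;
    }
    bindSession((int)$uid, $ip);
    return true;
}

// Demo (run from the CLI). Output is deferred to the end so that
// session_regenerate_id() can still emit its cookie header.
session_start();
$ip = '203.0.113.7';                                                  // constructed client address
$r = [];
$r['wrong password']            = login('alice', 'wrong', $ip);          // false
$r['correct password']          = login('alice', 'correct horse', $ip);  // true
$r['same ip']                   = checkSession($ip);                     // true
$r['cookie replayed elsewhere'] = checkSession('198.51.100.9');          // false
$cookie = issueRememberCookie($_SESSION['uid']);
session_unset();                                                      // new browser: cookie only
$r['remember-me cookie']        = loginFromRememberCookie($cookie, $ip);                      // true
$r['tampered cookie']           = loginFromRememberCookie('1:' . str_repeat('0', 64), $ip);   // false
var_dump($r);
```

The remember-me token is compared with hash_equals rather than == so that string comparison time does not leak how many leading bytes matched, and every successful login path goes through session_regenerate_id(true), which is what defeats a session fixated by a neighbour on the shared host even before checkSession consults the database.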
Preparation
You first need to decide what information to store about members; the examples provided assume almost nothing, to keep them easy to read.
I will use the PHP 4.1 superglobal arrays such as $_SESSION and $_GET. To make this work on an earlier version of PHP, substitute the old long-form arrays, for example $GLOBALS['HTTP_SESSION_VARS'] in place of $_SESSION.
Related articles:
- Exploring Session Security In PHP Web Applications. Categories: PHP, Security, Sessions, Web Applications
- Writing A Port Scanner In PHP. Categories: PHP, HTTP, Security
- PHP5: Designing And Using Interfaces. Categories: PHP, Object Oriented, Interfaces, PHP Classes, Security
- User Authentication With patUser (part 2). Categories: PHP, Authentication, Security
- Working with Permissions in PHP, Part 1. Categories: PHP, Security
- Protecting PHP Scripts with HTTP Authorization. Categories: PHP, HTTP, Security, Authentication
- Building a Generic RSS Class With PHP. Categories: PHP, XML, Rich Site Summary (RSS), PHP Classes
- Counting - Creating a GIF based counter using PHP and MySQL. Categories: Beginner Guides, PHP, To PHP, To MySQL, MySQL
- Apache, PHP, and PostgreSQL on RedHat Linux. Categories: Apache, PHP, Databases, PostgreSQL, Linux
- Send SMS Thru HTTP. Categories: PHP, SMS, HTTP
- Implementing Ad Support Into Your Site With PHPAdsNew. Categories: PHP, Complete Programs
- Simple Connection to Informix with PHP. Categories: PHP, Informix, Databases
- Create an LDAP Address Book with PHP. Categories: PHP, LDAP
- How TO Install PHP, Apache and MySQL on Linux or Unix. Categories: PHP, MySQL, Apache, Installation, Beginner Guides
- Parsing XML With DOMXML And PHP. Categories: XML, PHP