Secure PHP Login

pastaman
Hi everyone,

I searched the forums for this topic but I couldn't find exactly what I was looking for, so I decided to create this thread. I just have a couple of questions:

1) I have a login form that sends its information to login.php. How do I use https? I tried simply setting the form action to https://mydomain.com/login.php but it's giving me an error. Is there something I need to activate before doing this?

2) Assuming the login information is valid, I create a PHP session and store things like the username, etc. in $_SESSION[]. Then I redirect the user to home.php. Should I still be using https or can I go back to http once the user is logged in? What are the advantages/disadvantages?

I find site security to be a pretty confusing topic and I just wanted to make sure I'm doing things right, which is why I came here to ask for some help. Thanks a lot, any input is much appreciated!

nathacof
Forum Admin
I would imagine that you would want your users to submit that form from a secure page. Therefore the action as well as the submit form should both be https URLs. Depending on how paranoid you are, you can redirect all visitors to the secure URL regardless of how they navigate to your site. Oh, and by the way, if you haven't already done so you'll need to purchase an SSL certificate, or use the shared SSL provided by HostMySite.

Macai
Probably the most "secure" way to handle this is to, after the initial submission of the username and password, have your script assign your user a randomly generated "session id." Store that session id in a session table, along with an account id, IP address, and expiration timestamp of the session, and then send it to the browser as a cookie.

From there, you try to find the matching session id and IP. Not only would someone have to guess the session id (and who's going to guess "17bd3333" or something?), but they also couldn't use it from any IP address other than the one the user connected from.

nathacof
Forum Admin
PHP has built-in session functionality: http://us.php.net/manual/en/ref.session.php

So, starting a session would do that automatically.

Macai
You may as well, in my opinion, code your own system.

nathacof
Forum Admin
Hello Macai,

According to http://us.php.net/manual/en/session.installation.php:

Session support is indeed built into PHP, and coding your own system would be highly discouraged by the members of the PHP community since this functionality is built-in and widely adopted. I think leveraging the work of countless open source programmers is more intelligent than writing your own code. So basically you could just start the session, and store the session ID along with connection information and expiry date in the 'session' table, if you are looking for something with this kind of functionality. For limited session support this might be a bit of overkill, however.
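Putting the last two posts together, here is an added example (not code from the thread or from HostMySite) of starting PHP's built-in session after a successful password check, recording its id, account id, client IP and expiry in a 'session' table, and checking that row on later requests the way Macai describes. The PDO connection, the table layout and the function names loginUser and currentUser are assumptions.

```php
<?php
// Assumed table (not from the thread):
//   CREATE TABLE session (session_id VARCHAR(128) PRIMARY KEY, account_id INT,
//                         ip_address VARCHAR(45), expires_at INT);

const SESSION_TTL = 1800; // 30-minute lifetime, constructed value

function startSecureSession(): void
{
    // Answers the "http after login?" question: the session cookie is the
    // thing that identifies a logged-in user, so only ever send it over HTTPS
    // and keep it out of reach of page scripts. Must be set before session_start().
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Call only after the username/password have been verified.
function loginUser(PDO $db, int $accountId): void
{
    startSecureSession();
    // Issue a fresh id once authenticated so an id handed out before login
    // is not carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['account_id'] = $accountId;

    $stmt = $db->prepare(
        'INSERT INTO session (session_id, account_id, ip_address, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([session_id(), $accountId, $_SERVER['REMOTE_ADDR'], time() + SESSION_TTL]);
}

// On home.php and every other protected page: returns the account id, or null.
function currentUser(PDO $db): ?int
{
    startSecureSession();
    // The row must match the cookie's id AND the connecting IP AND be unexpired.
    // Note: visitors whose IP changes mid-session (mobile networks, proxies)
    // will fail the IP check and be logged out.
    $stmt = $db->prepare(
        'SELECT account_id FROM session
         WHERE session_id = ? AND ip_address = ? AND expires_at > ?'
    );
    $stmt->execute([session_id(), $_SERVER['REMOTE_ADDR'], time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $_SESSION = [];       // unknown id, other IP, or expired: discard it
        session_destroy();
        return null;
    }
    return (int) $row['account_id'];
}
```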