let's talk security

rockstarmike

im a vbman, always have, but ive given up on it.
im all about the php now, or i would be if i knew it well.

security for a site.
simple login/pass access thru a form
checks input against actual list of passes and logins

what should i do to there, as far as security upon accessing the site. i've never done security before.

im thinking after it checks the list, there will be a string numeric variable assigned to the login/pass pair.
say it is 123456
it's then entered as a variable transmitted from page to page.
in order to access any page in secured area, there must be the 123456 string that can be requested by the php
if it's not there
NOPE YOU ARENT AUTHORIZED PLEASE LOG IN

no?
cookies?
help? new to security, gotta get this up in maybe 2 weeks, and i need a general point in the right direction, and a few tips
id like it if you could just do that, point and tip, dont give me a string of code to just plug in, as i am learning php and would like to actually learn it
thanks for the help in advance
mikey

dannys

IMO, Sessions were built for this sort of thing. You can set a session var when a user logs in and then simply check for it on all of the protected pages.

http://php.net/session - more info and some examples

rockstarmike

aight thanks im looking into it
you know what ive noticed about php and php.net
comparitvly speaking to other server side languages, it really has the worst possible documentation in my opinion

dannys

Actually once I got used to it, I found the PHP Manual the best for any serverside language.

Ever tried finiding something useful about ASP on MSDN?
Ever tried finding anything at all on the Python and Ruby sites?

Heck, I don't think I've ever even been to the official Perl site! 🙂

Frag

I agree with danny. I've never found a documentation site better for any subject. You can search by function name, bug list, whole documentation, etc I love the site. Then you get the bonus of posting comments on pages that allow people to help explain something that maybe the page itself wasn't so clear on.

php.net rock IMHO.

Frag

rockstarmike

mmm, i guess im just not used to it
i found the msdn documentation for vbscript easy as hell

but i guess everyone has different opinions

rockstarmike

okay so this is what im getting from this
my layout should be something to the effect of

login page
login and pass form

validate it
check list of names and passwords, if it matches one, send the corresponding cookie? and redirect to corresponding page

actual pages
verify cookie...if cookie isnt there, redirect to login

aye?

edwardsbc

As long as you asked, you should always do one of two things when collecting user names and passwords:

1) use a SSL connection ([url]https://[/url]). All wire traffic is encrypted.

2) use some client side vodo (VBscript, Javascript) to hash (like MD5) the user password and some one-time token (data item) you supplied with the login page. Then compare that hash with the identical hash server side. No SSL required, but the password is never sent in the clear.