[Resolved] security

qrt123

I have search for information about making a secure login for a webpage, and therefor read a lot of threads in this forum.

Lots of replys speaks for the SSL solution as the only real secure method, because it prevents sniffing data from client to server.

Okay. But in fact, what are the chances that the traffic between a normal user and an ordinary website will be 'sniffed'.
You know what I mean?

I am working on a website, a poll system for a range of products, and it will be build on a user system with a login. Nothing secret, the login is only for statistics, who voted on what, and so on.
SSL is not an option for me.
But these replys gives an impression that it is impossible to make a fairly secure loginsystem without SSL.

Is that right?

Sincerely
qrt123

laserlight

In other words, you dont need real security, so you can afford not to use it.

But these replys gives an impression that it is impossible to make a fairly secure loginsystem without SSL.

That depends on what level of security one needs.
One does not need to create an unbreakable system (and cannot really do so anyway), just a system that is as unbreakable as need be.

qrt123

Hi Laserlight

Thanks for Your reply.
You are right. No need for top level security here.
But, I don't have the background for knowing the different levels of security, if You get my meaning.

Lets say, if SSL is 95% or so (I know 100% is imposible), how much is a simpel system with username and password, MD5, sessions and the username and password stored in a database?
You know what I mean? There is lots of examples of that in this forum.

In short terms, I know I can't keep hardcore hackers out, but I would like to feel confident, that everybody else should have a very hard time trying, hopefully without succes.

Now, is that possible without SSL?

Sincerely
Qrt123

drawmack

First of all SSL is not really secure in and of itself, eventhough many people act as though it were.

SSL does nothing to protect against session fixation attacks. Also SSL does nothing to avoid cookie theft on a shared system environment.

For what you're talking about I would say something as simple as using a custom session package that makes basic fixation and highjacking not work will be enough.

qrt123

Thanks for Your reply Drawmack.

I think it kind of put things a little in perspective.
A basic solution with use of sessions, is also what I had in mind.

But, could You explain more detailed what You mean with:

using a custom session package that makes basic fixation and highjacking not work will be enough.

I don't quite know what 'basic fixation and hijacking' is.

Thanks in advance
qrt123

laserlight

Search for "session fixation" and "session hijacking" online.

drawmack

Originally posted by qrt123
I don't quite know what 'basic fixation and hijacking' is.

And after you've taken laserlight's advice go to the code critique section and check out my security minded sessions thread.

qrt123

Hi again.

Thanks for Your help.

Found these two articles about session fixation and session hijacking.
Helped a lot.

http://www.php-mag.net/itr/online_artikel/psecom,id,513,nodeid,114.html

http://shiflett.org/articles/security-corner-feb2004

Sincerely
qrt123