A VERY secure login script.

Beffic

Ok so I feel that my website will be getting bigger soon and I will have some problems with the hackers and cheaters. So I was planning on making a brand new login script that is much more secure. But my question is how would you make it secure.

That is why I am coming to PHPBuilder for help on some ideas and little script pieces on how to make a very secure login script.

All help would be GREATLY appreciated. Thanks.

dagon

how long is a piece of strong?

Shrike

A piece of strong is inversely proportionate to a piece of weak.

bradgrafelman

Well first thing I'd suggest is to go out get yourself a good certificate (e.g. from VeriSign) and make sure all login traffic goes across SSL connections only.

Then, make sure your password encrypting/hashing algorithm is strong (e.g. not MD5) and that you have a good salt (e.g. it includes unusual characters).

Finally, make sure that you're NOT on shared hosting and that you trust the sysadmins who are administering your dedicated server.

Since you're talking about "VERY" secure, I'm going to assume that you've already taken care of things such as SQL injection and all that jazz.

laserlight

Then, make sure your password encrypting/hashing algorithm is strong (e.g. not MD5) and that you have a good salt (e.g. it includes unusual characters).

For the hash function, you could look into the hash extension. Also, remember that each user should have his/her own salt.

In addition to what bradgrafelman mentioned, I suggest using sessions. After a user has logged in, issue a new session id. This makes session fixation more difficult. Store session ids in cookies instead of propagating them via the query string. This makes it less likely that a user will accidentally disclose his/her session id to a third party.

zabmilenko

Also consider how long they are "logged in" for... Can the user walk away, leave a page up for 5 minutes, come back, and still use that session? Can you copy a cookie file between two machines (shared ip or not) and spoof?

There are lots of steps you could take for server side security, but is the client side just as important in your implementation?