Digital Paint Discussion Board
Development => General Development => Topic started by: jitspoe on June 12, 2006, 07:24:58 PM
-
I'm going to need to create a web frontend for managing clans and whatnot with the global login system. I've never done anything related to logins or security with PHP, so I'm a bit in the dark here. A quick google search turns up this: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/ Would that be sufficient? Better yet, is there some kind of already-functional base code I could work off of?
-
When I was learning PHP and needed to figure out how to do a login system, http://evolt.org/node/60265 helped me a lot.
You can probably just modify it. For any help you can ask me, or I'm sure Jesse wouldn't mind =]
-
That example, like most I've seen, sends the password in plaintext. It doesn't "encrypt" it until it reaches the server. That's really almost pointless. All it does is prevent somebody with just access to the database from obtaining your password. Anybody with a packet sniffer anywhere along the lines can nab it.
The only way I can think of to prevent that is a) use https, or b) use some javascript encryption algorithm. They both accomplish the same thing, more or less, but https is kind of a pain because it makes browsers pop up all kinds of security info. Though... some might find that useful. *shrug*
-
Just have a company sign your SSL certificate.
For comparison go to http://whichssl.com/index.html
Javascript encryption works too, and is cheap ;). Include a js md5 function from somewhere online. "Salt" the string that you're encrypting with md5() in the javascript, then salt the incoming md5 with something secret within the web-app.
-
Oy! I built my entire website from scratch with PHP/JavaScript... it's like this topic was made for me! Anyway, for JavaScript encryption, check out some of these links:
http://home.versatel.nl/MAvanEverdingen/Code/
http://www.movable-type.co.uk/scripts/TEAblock.html
http://pajhome.org.uk/crypt/md5/
http://www.fourmilab.ch/javascrypt/
http://www.blingo.com/search?q=javascript+encryption&sourceid=firefox&s=0&s=0
P.S.
I like coding PHP. Hint, hint.
-
I like exploiting php, so once you're done I'll put it to the test for ya. :)
-
While MD5 is probably sufficient, Javascript RSA (http://www.ohdave.com/rsa/) almost seems too clever to pass up.
-
Very nice, but for ease, I would use MD5. Also, PHP Designer 2005 or Notepad++ would help you code it :)
-
I would suggest Programmer's Notepad (http://pnotepad.org)
-
I would suggest vi, but I'm just a *nix sexually promiscuous person...
<--edit--> word filter in pink, Jits, your filters are hilarious, lol
Also, gedit can be very sweet when you enable some plugins and kill the wordwrap.
-
Hehe, I don't think the editor makes that much of a difference (unless it has something really handy like MSVC's intellisense).
I'm not sure if this is exactly what Bain was suggesting or not, but here's what I'm thinking if we go the MD5 route:
- Password hash stored on the server as MD5(salt+pass).
- When generating the login page, the server creates a random string (I think you can handle this with a session, but I'm not sure -- never used sessions before).
- User enters password into form, javascript hashes password as MD5(random+MD5(salt+pass)).
- Server compares that to MD5(random+stored_hash).
While probably not as secure as RSA, it should be sufficient enough to stop people from sniffing a reusable MD5 hash and logging in. The only downside is that the salt string can't be kept secret.
-
Do you need JavaScript to hash the MD5? $md5() does it correct?
-
$md5() does it in PHP on the server.
-
While probably not as secure as RSA, it should be sufficient enough to stop people from sniffing a reusable MD5 hash and logging in. The only downside is that the salt string can't be kept secret.
You could have the 'salt string' be a random number based off of the current date, GMT.
-
This new login system could use GUIDs like those of Quake 3, Wolf:ET, and various other games; this could be hashed and used in the login too.
-
I know something about PHP, and a lot about sessions.
I can help if you need...
-
Jits, try to make the login like temporarily IP based, or have some really strong cookie setup, otherwise people might just send other players links to cookie grabbers and then they'd have their cookie.
(http://img161.imageshack.us/img161/5298/pdmtses00489tg.jpg)
-
$md5() does it in PHP on the server.
No. $md5() does it in mIRC, md5() does it in PHP.
-
Whoa, mIRC has an md5 function?
TinMan: Don't cookies have to be from the same domain to work? Or is that security only available in certain browsers?
-
It's a browser-specific security setting I believe, and setting the domain for a cookie is only an optional step in writing a PHP cookie (you can assign domainless cookies). Using PHP's session functions (http://us2.php.net/manual/en/ref.session.php) over a home-baked cookie is the best way to go.
-
Well, this (http://www.criticalsecurity.net/index.php?showtopic=7137) is a common way that cookies are dropped from the client's browser, so read into this to see how the cookies are stolen and how they can be used. Also, check out some more stuff on the Critical Security forums (http://www.criticalsecurity.net/); they probably have lots of info that will be helpful on making your login script.
-
I post on cs wow.
If you just keep the login page and the authed areas simple, everything should be OK; fewer variables mean less chance to inject code and perform XSS to steal the cookies.
-
I need to buff up on my stuff and get back to my HTS challenges sometime soon, lol
http://www.hackthissite.org/user/view/th3t1nm4n
-
Well you can try - some of the realistic ones are down now I think.
-
I'm confused on challenge 4...
-
http://www.criticalsecurity.net/index.php?showtopic=8
There's a Firefox extension called "Web Developer" or something like that which is useful for the live HTML editing missions.