Back to security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I'm continuing to work on securing my administration part of the website.
based on previous posts and reading materials, I was thinking to use the
following process :

1. user has to logon through a standard "http://"; web page
2. login and encrypted password are compared with what is stored in
database, if it is the same, the user reach point 3. if not, an error
message is displayed.
3. after successful authentication, user is redirected to https:// pages, a
session is opened in PHP and the sessionID is stored in database with user
data.
4. sessions holds encrypted password and every time that users do an action,
sessionID is compared with the one in DB, as session encrypted password is
compared with the one stored in DB. if everything match, action is
performed. if not sessions is ended and user is redirected to logon page.

A. do you think is enough secured like that ?
B. i still do not understand how to be sure that user still use https (SSL
protocol) ?

for point B, my first task in PHP page, is to check if port is 443. But i'm
not sure that it is correct.

thanks a lot for your feedback.

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5.1.1

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux