Re: Back to security

On 3/10/07, Alain Roger <raf.news@xxxxxxxxx> wrote:

Hi,

I'm continuing to work on securing the administration part of my website.
Based on previous posts and reading materials, I was thinking of using the
following process:

1. The user has to log on through a standard "http://" web page.
2. The login and encrypted password are compared with what is stored in the
database; if they are the same, the user reaches point 3. If not, an error
message is displayed.
3. After successful authentication, the user is redirected to https:// pages, a
session is opened in PHP and the session ID is stored in the database with the user
data.
4. The session holds the encrypted password, and every time the user performs an
action, the session ID is compared with the one in the DB, and the session's
encrypted password is compared with the one stored in the DB. If everything
matches, the action is performed. If not, the session is ended and the user is
redirected to the logon page.

A. Do you think it is secure enough like that?


To be even more secure, do the login part also through SSL (https://)

B. I still do not understand how to be sure that the user still uses https (SSL
protocol)?

For point B, my first task in the PHP page is to check if the port is 443. But I'm
not sure that it is correct.


It looks like it is correct, but maybe some silly webserver would allow
http:// over port 443.

thanks a lot for your feedback.

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5.1.1
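As an added example (not code from this thread), here is a PHP check for the HTTPS question in point B and the per-request session comparison in step 4. It assumes a PDO handle $db and a table admin_sessions(session_id, user_id) filled in at login time; both names are hypothetical, and it keys the session on the user id recorded at login rather than carrying the encrypted password in the session.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumed (hypothetical): $db is a PDO connection, and login.php wrote a row
// into admin_sessions(session_id, user_id) after a successful login.

// Decide whether this request really arrived over TLS. The port alone is a
// weak signal (a server can be configured to serve plain HTTP on 443), so
// prefer the HTTPS flag that Apache/mod_ssl sets and use the port as a
// secondary check only.
function request_is_https() {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443
        && !empty($_SERVER['HTTPS']);
}

// Redirect to the https:// version of the same page if the check fails.
function require_https() {
    if (request_is_https()) {
        return;
    }
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}

// Step 4: compare the current PHP session ID and user with the row stored at
// login. Returns true only when both match.
function session_is_valid(PDO $db) {
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM admin_sessions WHERE session_id = :sid');
    $stmt->execute(array(':sid' => session_id()));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['user_id'] === (int)$_SESSION['user_id'];
}

// Put this at the top of every admin page, before any output is sent.
require_https();
session_start();
if (!session_is_valid($db)) {
    $_SESSION = array();
    session_destroy();
    header('Location: https://' . $_SERVER['HTTP_HOST'] . '/login.php');
    exit;
}
```

Call session_regenerate_id(true) in login.php right after the password check, and store the new ID in admin_sessions, so the session that survives the redirect to https:// is not the one created over plain http://.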

