At 6:47 PM +0100 3/10/07, Tijnema ! <tijnema@xxxxxxxxx> wrote:

> On 3/10/07, Alain Roger <raf.news@xxxxxxxxx> wrote:
>
>> Hi,
>>
>> I'm continuing to work on securing the administration part of my website.
>> Based on previous posts and reading materials, I was thinking of using the
>> following process:
>>
>> 1. The user has to log on through a standard "http://" web page.
>> 2. The login and encrypted password are compared with what is stored in the
>> database; if they are the same, the user reaches point 3, if not, an error
>> message is displayed.
>> 3. After successful authentication, the user is redirected to https:// pages, a
>> session is opened in PHP and the session ID is stored in the database with the
>> user data.
>> 4. The session holds the encrypted password, and every time the user does an
>> action, the session ID is compared with the one in the DB, as the session's
>> encrypted password is compared with the one stored in the DB. If everything
>> matches, the action is performed; if not, the session is ended and the user is
>> redirected to the logon page.
>>
>> A. Do you think it is secure enough like that?
>
> To be even more secure, do the login part also through SSL (https://)

Indeed; there's little point securing the house (the admin website)
if you leave the keys outside (transmit the password in plaintext via
standard HTTP).

>> B. I still do not understand how to be sure that the user still uses https
>> (SSL protocol)?
>> For point B, my first task in the PHP page is to check if the port is 443. But
>> I'm not sure that it is correct.
>
> It looks like it is correct, but maybe some silly webserver would allow
> http:// over port 443.

Under Apache, you can check the Apache environment variable HTTPS
(e.g. via $_SERVER['HTTPS']). If it exists and equals 'on' you're ok
regardless of port. Also would suggest using Apache mod_ssl
SSLRequireSSL for the directories that should be SSL-secured.

steve
--
+--------------- my people are the people of the dessert, ---------------+
| Steve Edberg http://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center sbedberg@xxxxxxxxxxx |
| Bioinformatics programming/database/sysadmin (530)754-9127 |
+---------------- said t e lawrence, picking up his fork ----------------+
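The two checks discussed in this thread, the HTTPS test via $_SERVER['HTTPS'] that Steve suggests instead of the port-443 test, and the per-action session-ID / password-hash comparison against the database from Alain's step 4, as an added PHP example. This is not code from any of the posters; it assumes PHP 5.6 or later (for hash_equals()), Apache with mod_ssl, and a hypothetical PDO-backed table admin_sessions(user_id, session_id, password_hash). All function and column names are made up for the illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.6, Apache + mod_ssl,
// and a hypothetical table admin_sessions(user_id, session_id, password_hash).

// Steve's check: trust the HTTPS variable mod_ssl sets, not the port number.
// Some servers (IIS) set HTTPS to 'off' rather than leaving it unset, so only
// a non-empty value other than 'off' counts as an SSL request.
function request_is_https(array $server)
{
    if (empty($server['HTTPS'])) {
        return false;
    }
    return strtolower($server['HTTPS']) !== 'off';
}

// Refuse to serve an admin page over plain HTTP: redirect to the https://
// equivalent before session_start(), so the session cookie is never sent
// in the clear. (SSLRequireSSL in the Apache config is the belt to this
// braces: the server refuses the request before PHP even runs.)
function require_https(array $server)
{
    if (!request_is_https($server)) {
        $target = 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
        header('Location: ' . $target, true, 302);
        exit;
    }
}

// Alain's step 3: after a successful login, open the session and store its
// ID with the user's row. session_regenerate_id() is added here so that a
// session ID issued before authentication is not carried over.
function open_admin_session(PDO $db, $userId, $passwordHash)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['pw_hash'] = $passwordHash;   // what step 4 compares each request
    $stmt = $db->prepare(
        'UPDATE admin_sessions SET session_id = :sid WHERE user_id = :uid'
    );
    $stmt->execute(array(':sid' => session_id(), ':uid' => $userId));
}

// Alain's step 4: on every action, compare the live session ID and the hash
// held in the session with the database copy. Any mismatch means "not valid";
// the caller then ends the session and sends the user back to the logon page.
function admin_session_is_valid(PDO $db)
{
    if (!isset($_SESSION['user_id'], $_SESSION['pw_hash'])) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT session_id, password_hash FROM admin_sessions WHERE user_id = :uid'
    );
    $stmt->execute(array(':uid' => $_SESSION['user_id']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // hash_equals() is a constant-time comparison and also fails on a length
    // mismatch, so a partially matching ID is never accepted.
    return hash_equals($row['session_id'], session_id())
        && hash_equals($row['password_hash'], $_SESSION['pw_hash']);
}

function end_admin_session_and_redirect($loginUrl)
{
    $_SESSION = array();
    session_destroy();
    header('Location: ' . $loginUrl, true, 302);
    exit;
}

// Per-request order on every admin page (illustrative):
//   require_https($_SERVER);
//   session_start();
//   if (!admin_session_is_valid($db)) {
//       end_admin_session_and_redirect('https://example.invalid/admin/login.php');
//   }
```

The HTTPS check runs before session_start() on purpose: if the page was reached over http://, the cookie has already been exposed, and continuing with that session would defeat the point of the redirect. Pairing this with SSLRequireSSL on the admin directory, as Steve suggests, means a mistaken virtual-host or port configuration is rejected by Apache itself rather than relying on the PHP check alone.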
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php