On Sat, March 10, 2007 12:41 pm, Alain Roger wrote:
> I'm continuing to work on securing my administration part of the
> website.
> Based on previous posts and reading materials, I was thinking to use
> the following process:

Think of HTTPS as like a bank vault in the basement of a branch bank.
Anybody can walk in the door, but very very very few people can walk
into the vault.

> 1. user has to log on through a standard "http://" web page
> 2. login and encrypted password are compared with what is stored in
> database; if it is the same, the user reaches point 3. If not, an error
> message is displayed.
> 3. after successful authentication, user is redirected to https://
> pages, a session is opened in PHP and the sessionID is stored in
> database with user data.

There is a steel wall between the non-HTTPS and the HTTPS
pages/site/functionality.

If you authenticate users outside the steel wall, you then have to pass
them and their credentials THROUGH the steel wall.

Better off to do all of 1, 2, and 3 inside HTTPS.

Plus, the whole point of HTTPS is to stop network sniffers from
over-hearing passwords and other sensitive data, and if you authenticate
outside HTTPS, then you are sending the authentication credentials over
the wire for anybody to hear, so what's the point?

> 4. session holds encrypted password and every time that users do an
> action, sessionID is compared with the one in DB, as session encrypted
> password is compared with the one stored in DB. If everything matches,
> action is performed. If not, session is ended and user is redirected to
> logon page.

Don't store the password in the session data, imho.

If they authenticate, just store their username or user_id.

If they don't authenticate, don't store anything in session.

Valid username in session == authenticated user.

> A. do you think it is secure enough like that?
> B. I still do not understand how to be sure that the user still uses
> https (SSL protocol)?

Compare the output of <?php phpinfo();?> on the two pages, one with the
'S' and one without.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
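The advice in the reply above (do steps 1 to 3 inside HTTPS, keep only the user id in the session, and check `$_SERVER['HTTPS']` rather than the password on every request) as a single PHP login handler. This is an added example, not code from the thread or from either poster. It assumes PHP 7.3 or newer, a PDO connection already open in `$db`, and a hypothetical `users` table with columns `id`, `username` and `password_hash` whose hashes were produced by `password_hash()`. `$_SERVER['HTTPS']` is the same value `phpinfo()` shows on the two pages the reply mentions.

```php
<?php
// Added example (not from the mailing-list thread).
// Assumptions: PHP >= 7.3, a PDO connection in $db, and a `users` table
// (id, username, password_hash) whose hashes come from password_hash().
declare(strict_types=1);

// Question B: was this request actually received over SSL/TLS?
// PHP fills $_SERVER['HTTPS'] with a non-empty value (normally "on") for
// TLS requests; some IIS configurations set it to "off" instead of leaving it unset.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Keep everything behind the "steel wall": any plain-http request to the
// admin area is redirected to the same URL on https:// before anything else runs.
function require_https(array $server): void
{
    if (!request_is_https($server)) {
        $target = 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
        header('Location: ' . $target, true, 302);
        exit;
    }
}

// Steps 1 to 3, all over HTTPS: check the submitted password against the stored
// hash and, on success, put only the user's id into the session.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // unknown user or wrong password: nothing is written to the session
    }

    session_regenerate_id(true);        // fresh session id once the user is authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Step 4 as the reply recommends it: a valid user_id in the session is the
// proof of authentication. The password is never stored in session data.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// ---- request handling for the admin page ----
require_https($_SERVER);
// The session cookie itself must only travel over HTTPS, or the id leaks on the next http:// hit.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($db, (string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: /admin/index.php', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Login failed.';
    exit;
}

if (current_user_id() === null) {
    http_response_code(403);
    echo 'Please log in.';
    exit;
}

echo 'Admin area, user #' . current_user_id();
```

Because the login form, the credential check and the session creation all happen after `require_https()`, neither the password nor the session id ever crosses the wire in the clear, which is the point the reply makes about the steel wall. The `secure` cookie flag matters for the same reason: without it the browser would send the session id along with any later plain-http request to the same host.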