[polska03]

I was wondering if anyone had a website or a good tutorial of creating a php login tutorial.I can't use https just because it is not economical for my site. I googled this for a few hours and a lot of tutorias sout there have lots of security faults and other user's even comment them about it. So I was just wondering if anyone knew of a good tutorial about secure logins with close to none flaws. If possible I would like to use both sessions and cookies. All my passwords are encyrpted in my database, but with php everything is sent in clear text which I would like to avoid and avoid things like session hijacking.
Cheers

[shezzy]

Highly unlikely you will find a single php script to do all this for you. I can, however, suggest a php framework I use that offers many security features involved in the login functionality you'll need like cross-site scripting attack prevention and Cross-site request forgery, and sql injection. These things are built into libraries for the Codeigniter framework. It uses the MVC design. For the login functionality you can create your own or use one like auth tank which is pretty nice out of the box and easy to configure. It also has captcha and recaptcha which is important as well.

Either way the community here won't supply you with anything but help for progress you've already made. So make some

Hope this helps.

Link for codeigniter tutorials: here

This post has been edited by shezzy: 26 August 2011 - 09:25 PM

[creativecoding]

Quote

I was wondering if anyone had a website or a good tutorial of creating a php login tutorial.

A quick Google search shows this: http://usercake.com/

Quote

I can't use https just because it is not economical for my site.

Why would you think that? HTTPS provides a lot of security and it gives your site a good-professional look.

Quote

I googled this for a few hours and a lot of tutorias sout there have lots of security faults and other user's even comment them about it.

I don't get how you could point out security flaws and not be able to write your own user system script.

Quote

All my passwords are encyrpted in my database

I really hope you mean hashed. If you don't, look at this.

Quote

but with php everything is sent in clear text which I would like to avoid

What do you mean by this?

Quote

avoid things like session hijacking.

Check out this.

[BetaWar]

creativecoding, on 27 August 2011 - 05:43 AM, said:

Quote

I can't use https just because it is not economical for my site.

Why would you think that? HTTPS provides a lot of security and it gives your site a good-professional look.

I would say that he is talking about getting the certificate stating that you actually are the website that you say your are (which is required for HTTPS and SSL these days). Sadly he is correct here; most of the time it isn't economical for a site to purchase a cert right out of the gate. They cost a lot of money and that is only for a year. When I can purchase a site for 2 years with all the bells and wistles as far as languages and databases for $160 yet it costs $100+ for a single year certificate it isn't really worth it unless you have money coming in from your site and actually have personal, private information being stored on it.

[polska03]

I was reading that it is possible to get certificates from opern source places like openCa.org to get free ssl. Is this true?

[aaron1178]

NO, do not do this

[RudiVisser]

polska03, on 27 August 2011 - 06:47 AM, said:

I was reading that it is possible to get certificates from opern source places like openCa.org to get free ssl. Is this true?

Free SSL certificates do exist yes, however they are generally not recognised for the browser or have a low encryption. For this reason it's not exactly too great as the browser will essentially see the site as being not encrypted due to the untrusted certificate authority that issued it (and some will also pop up a security warning saying it doesn't understand). However, at the very least, you know that the data is being encrypted, even if the user is presented with a warning.

Basically, getting a certificate from these providers is just like generating your own.

There are also some sites that offer trials of their paid certificates, for example InstantSSL's Free SSL which is a 90 day trial.

aaron1178, on 27 August 2011 - 07:13 AM, said:

NO, do not do this

Why not?

This post has been edited by RudiVisser: 27 August 2011 - 05:01 AM

[polska03]

yes why not, I am reading that sites like openCA.org are open source implemantations of the Certificate authority. I for one find it very dumb that people must pay to secure their site.

[polska03]

while on the topic of php security, I had a question regarding sql injection using php. If I stored everything in my sql server as a hash, letters and numbers only, and then inserted and retrieved information by hashing it first in php and sending that data to be compared to a mysql data element, would this prevent sql injection to a high certain degree?

[CTphpnwb]

Often you get what you pay for in computers as well as in life. A paid certificate is more likely to be secure than free certificate since the people you're paying have greater incentive to ensure that theirs is secure: They want you to keep coming back!

polska03, on 27 August 2011 - 02:55 PM, said:

while on the topic of php security, I had a question regarding sql injection using php. If I stored everything in my sql server as a hash, letters and numbers only, and then inserted and retrieved information by hashing it first in php and sending that data to be compared to a mysql data element, would this prevent sql injection to a high certain degree?

It could, but that will slow your server down. Better to use PDO or Mysqli prepared statements.

[RudiVisser]

Free vs Paid certificates (basic ones) are absolutely nothing to do with the encryption / security of them.

The reason that you pay for security certificates is because the Certificate Authorities are basically ensuring that your identity is valid. They're taking on a massive responsibility by saying that you are who you say you are, and they insure you/your visitors for certain amounts if anything would happen - This is why you pay for it.

Now then, anybody can be a CA, however there's only a few that are actually trusted by browsers. OpenCA.org is not a trusted one so it's not recommended to use them.

On injection, if you're looking to insert data to read back out, you obviously can't hash it - so hashing isn't a solution. If you're literally doing data comparison, then yes it's a good idea.

[JackOfAllTrades]

Pinned at the top of the forum is a post entitled PHP and Security Links. I would suggest you take a look.

[CTphpnwb]

RudiVisser, on 27 August 2011 - 03:04 PM, said:

The reason that you pay for security certificates is because the Certificate Authorities are basically ensuring that your identity is valid. They're taking on a massive responsibility by saying that you are who you say you are, and they insure you/your visitors for certain amounts if anything would happen - This is why you pay for it.

Yes, and the reason they're taking on that responsibility is that they're getting paid. Free sources aren't going to do that because they have no financial incentive to take on that risk.

Everybody wants free stuff but there are times when it's important to understand that free isn't always good, and this is one of them.

[polska03]

okay so I decided not to use https. So in terms of php security login I am still stuck. I have read all the posts and links provided I found the new function to regenerate sessions which I can use to try to prevent session hijacking. In terms of when the user enters their password in the login screen and that password gets gets put into a variable $password=$_POST['password'] and that vairable gets hashed and then gets compared to the hashed password value stored in the database. My concern is that before the password variable gets hashed it has to get sent to my apache server over the scary place called the internet in plain text because php is server side scripted. Is there anyway I can encrypt the password beofre it gets sent out, I understand this is what https does, but also using something like javascript to hash something would be pointless because an attacker can turn off the javascript. SO I will be encrypting the user's inputs and regenerating the sessions and of course escaping input to prevent sql injection. Besides these things, I can't come up with more things to secure the login page anymore and was wondering if anyone had anymore ideas?

[creativecoding]

Basically, you can't without HTTPS. But unless your running a bank or some other higher security/importance/value site, people don't really care nor will they spend the time trying to steal others passwords.

Plus session hijacking can only work through actually gaining access to the users machine (correct me if I'm wrong here), so basically the user is already effed if the attacker could hijack his/her session.