8 Replies - 958 Views - Last Post: 16 September 2008 - 08:26 AM

#1 Galaxy_Stranger

Apache, PHP and HTTPS

Posted 15 September 2008 - 01:00 AM

I'm making a site that uses user-logins and I'm concerned about security. I'm using PHP and hashing for the passwords. Is this secure enough? Or should I use HTTPS for the site?

Replies To: Apache, PHP and HTTPS

#2 no2pencil

Posted 15 September 2008 - 01:15 AM

These are two different levels of encryption.

The https will ensure that the traffic from the viewer's browser to & from the website will be encrypted. This will protect that data in transmission from packet sniffers. The MD5 secure passwords will ensure that if the web server's storage is breached or the database is viewed by someone, that the data stored within is encrypted. So they both have their place & should both be used.

#3 Galaxy_Stranger

Posted 15 September 2008 - 06:59 PM

no2pencil, on 15 Sep, 2008 - 01:15 AM, said:

> These are two different levels of encryption.
>
> The https will ensure that the traffic from the viewer's browser to & from the website will be encrypted. This will protect that data in transmission from packet sniffers. The MD5 secure passwords will ensure that if the web server's storage is breached or the database is viewed by someone, that the data stored within is encrypted. So they both have their place & should both be used.


That's what I thought about https, but I wanted to be sure. I know that JavaScript client-side password controls are a no-no, but I was also told in class that ASP.NET passwords were server-side and therefore ok - is that the case? I wondered if PHP password controls were safe in that regard.

But it looks like using https isn't a bad idea anyway.

#4 mocker

Posted 15 September 2008 - 08:35 PM

PHP doesn't really have any built-in password controls, so they are as secure as you make them. PHP is server side like ASP, but that in itself doesn't really mean anything for security.

This is a good tutorial for a login that includes most security issues:
http://www.devshed.c...P-Login-Script/

https works with the actual transfer from the user to the client, so it's another level of security that PHP by itself can't do.

#5 Galaxy_Stranger

Posted 16 September 2008 - 02:29 AM

mocker, on 15 Sep, 2008 - 08:35 PM, said:

> PHP is server side like ASP, but that in itself doesn't really mean anything for security.


I effing KNEW it. It didn't make sense to me that a server-side scripting language somehow kept everything on the server. My web apps instructor is where I got that from. She told us that JavaScript password controls were unprotected, but that ASP.NET controls were fine because they were server-side. Well, that's one more .NET person that doesn't really know what's going on...

Ok, I've got SSL, SSH and HTTPS. Other than bad dev practice, are there any other security issues I need to be concerned about?

#6 no2pencil

Posted 16 September 2008 - 02:34 AM

I am going to disagree here, at least from the PHP view. I'm not 100% on ASP, but a server side language is just that. The PHP engine will prepare the HTML content for the viewer's browser. Therefore PHP variables, simply put, will not exist once the output is prepared. Case in point.

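<?php
$pass=1234; // Can the browser see this?  No
echo $pass; // Now it can
?>

<?php
$pass="1234"; // Can the browser see this?  No
// Compare the submitted value against $pass; isset() avoids a notice when the field is missing
if(isset($_POST['pass']) && $_POST['pass']===$pass) {
  echo "Correct";
}
else {
  die("Invalid");
}
?>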



The client's computer simply does not see the code, since the HTML is created based on the results. The password in the PHP code is completely safe from the viewer's browser.

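A server-side login check that compares against a stored salted hash rather than a hard-coded value, as an added example that is not part of any post in this thread. It assumes PHP 7.1 or later (`password_hash()` and `password_verify()` exist since PHP 5.5; the type declarations need 7.1); the user names, passwords and the `$users` array standing in for a database table are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names and passwords are constructed.

// Registration: store only a salted, deliberately slow hash of the password.
function register_user(array &$users, string $name, string $password): void {
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: runs on the server and compares against the stored hash.
function verify_login(array &$users, string $name, string $password): bool {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $known = isset($users[$name]);
    // Unknown user: verify against a dummy hash so both paths do similar work.
    $hash = $known ? $users[$name] : $dummy;
    $ok = password_verify($password, $hash) && $known;
    // Re-hash on successful login if the default algorithm or cost has moved on.
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

$users = []; // stands in for the users table
$pw = 'correct horse battery staple';
register_user($users, 'alice', $pw);
register_user($users, 'bob', $pw);

// Two users with the same password get different stored values (random salt),
// whereas an unsalted MD5 column would hold the same digest for both.
$md5 = ['alice' => md5($pw), 'bob' => md5($pw)];
echo 'stored hashes equal: ', var_export($users['alice'] === $users['bob'], true), "\n";
echo 'md5 digests equal:   ', var_export($md5['alice'] === $md5['bob'], true), "\n";

echo 'right password: ', var_export(verify_login($users, 'alice', $pw), true), "\n";
echo 'wrong password: ', var_export(verify_login($users, 'alice', '1234'), true), "\n";
echo 'unknown user:   ', var_export(verify_login($users, 'mallory', $pw), true), "\n";
```

This covers the stored values only; the password still travels in the POST body, which is the part HTTPS protects in transit.
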
#7 gothik12

Posted 16 September 2008 - 07:10 AM

First of all, you have to be sure that all of your scripts (PHP), which can compromise your site when "the bad one" attacks it, are safe and you can trust them.

You should look for this book: "Essential PHP Security" by Chris Shiflett.

#8 mocker

Posted 16 September 2008 - 08:01 AM

Galaxy_Stranger, on 16 Sep, 2008 - 02:29 AM, said:

> mocker, on 15 Sep, 2008 - 08:35 PM, said:
>
> > PHP is server side like ASP, but that in itself doesn't really mean anything for security.
>
> I effing KNEW it. It didn't make sense to me that a server-side scripting language somehow kept everything on the server. My web apps instructor is where I got that from. She told us that JavaScript password controls were unprotected, but that ASP.NET controls were fine because they were server-side. Well, that's one more .NET person that doesn't really know what's going on...
>
> Ok, I've got SSL, SSH and HTTPS. Other than bad dev practice, are there any other security issues I need to be concerned about?


You might have misunderstood me. To clarify, there is no such thing as client side security, so if you are comparing it to JavaScript controls, then yes it is more secure. However, having the authentication code on the server by itself does not make your application secure. A poorly written server side script is still just as insecure; it just might take 5 seconds to break it instead of 1.

#9 PsychoCoder

Posted 16 September 2008 - 08:26 AM

Galaxy_Stranger, on 16 Sep, 2008 - 02:29 AM, said:

> She told us that JavaScript password controls were unprotected, but that ASP.NET controls were fine because they were server-side. Well, that's one more .NET person that doesn't really know what's going on...


Unfortunately not knowing what's going on isn't a .Net thing, it's not even language specific. I'm a ".Net person" and I know what's going on. As has been pointed out, ASP.NET is a server-side language just like PHP, neither is more secure than the other. I will say, however, that I feel the .Net Framework has more built-in libraries for encryption and security than does PHP, but without taking specific measures neither is really "secure".