Re: [PHP] Back to security

Sat, 10 Mar 2007 13:13:03 -0800 

At 6:47 PM +0100 3/10/07, Tijnema ! <[EMAIL PROTECTED]> wrote:

On 3/10/07, Alain Roger <[EMAIL PROTECTED]> wrote:


Hi,

I'm continuing to work on securing my administration part of the website.
based on previous posts and reading materials, I was thinking to use the
following process :

1. user has to logon through a standard "http://"; web page
2. login and encrypted password are compared with what is stored in
database, if it is the same, the user reach point 3. if not, an error
message is displayed.
3. after successful authentication, user is redirected to https:// pages,
a
session is opened in PHP and the sessionID is stored in database with user
data.
4. sessions holds encrypted password and every time that users do an
action,
sessionID is compared with the one in DB, as session encrypted password is
compared with the one stored in DB. if everything match, action is
performed. if not sessions is ended and user is redirected to logon page.

A. do you think is enough secured like that ?



To be even more secure, do the login part also through SSL (https://)




Indeed; there's little point securing the house (the admin website) 
if you leave the keys outside (transmit the password in plaintext via 
standard HTTP).




B. i still do not understand how to be sure that user still use https (SSL

protocol) ?

for point B, my first task in PHP page, is to check if port is 443. But
i'm
not sure that it is correct.



It looks like it is correct, but maybe some silly webserver would allow
http:// over port 443.




Under Apache, you can check the Apache environment variable HTTPS 
(eg; via $_SERVER['HTTPS']). If it exists and equals 'on' you're ok 
regardless of port. Also would suggest using Apache mod_ssl 
SSLRequireSSL for the directories that should be SSL-secured.


        steve

--
+--------------- my people are the people of the dessert, ---------------+
| Steve Edberg                                http://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center                            [EMAIL PROTECTED] |
| Bioinformatics programming/database/sysadmin             (530)754-9127 |
+---------------- said t e lawrence, picking up his fork ----------------+

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php























					Reply via email to