secure login system?

[AHarvey]

Hi all,

I am currently looking at building a secure website for some of our business needs, however it will to first load a login screen that will have multiple users & passwords.

I want to learn PHP/SQL anyway so I thought, what the heck

very little knowledge of PHP & SQL, I know programming basics etc.

Does anyone have a link to a basic guide for creating a login system that is secure and explains things simply?

I've found several already, firstly a PHP that stored passwords in a php folder which obviously isn't that secure, and a couple of others that dont really explain anything!

 

[PiKe]

md5()

 

[daz]

Things to consider:-

Sanitising user input before doing anything with it
Hashing (and salting passwords) - not storing them in plain text
Sessions

 

[gord]

tizag.com

 

[philjohn]

md5()

no, md5, like sha1, has collision problems.

We use salted SHA-512 in the database implementation of our pluggable authentication library.

 

[UK|AL]

If you use md5 or even most hashing algorithms, salt it before you hash it. Protects against rainbow tables etc.

 

[suarve]

Hi all,

I am currently looking at building a secure website for some of our business needs, however it will to first load a login screen that will have multiple users & passwords.

I want to learn PHP/SQL anyway so I thought, what the heck

very little knowledge of PHP & SQL, I know programming basics etc.

Does anyone have a link to a basic guide for creating a login system that is secure and explains things simply?

I've found several already, firstly a PHP that stored passwords in a php folder which obviously isn't that secure, and a couple of others that dont really explain anything!

If you want to do it properly and have multiple users then your best storing user names and passwords in a database.

Your basic script will most likely follow these steps (assume user has just entered user and pass into a form):

- Get posted form values and clean input.
- Execute SQL query based on inputted user and pass (E.g. select user, pass from tblUsers where pass='hsdghksa' and user='shdfiuds')
- If exactly one match correct details (Set something like a session variable at this stage) direct to protected page/area
- If no match, incorrect details, display message etc.

If I was you, I'd personally try making your own. I always seem to understand and remember how to do stuff this way

 

[robmiller]

Salt and hash passwords; check any stored (i.e. session/cookie) logins on every page load, not just when setting them; only allow X login attempts per Y seconds/minutes; use HTTPS if possible.

That should cover most bases. I'm sure anyone here will explain individual things if you're having trouble with them.

md5()

sha1(salt + password)

 

[PiKe]

Depends how sensitive the information is you are protecting, you're not going to expend hours and hours to break in to a user area of a website, and because of that, MD5 works for me.

 

[JimAroo]

Also don't fall for the mistake of doing md5(md5(md5("password"))) it don't make a difference.

Yet i see lots of people doing this.

 

[gord]

Also don't fall for the mistake of doing md5(md5(md5("password"))) it don't make a difference.

Yet i see lots of people doing this.

Triple encoded! Setting up my server farm to brute your encryption right now!