PHP and session/security management

#1 zipgem (Registered User, Devshed Newbie, joined Oct 2012)


    Hello all,

    I am new to this forum.
    I am developing a web portal and I need to develop a login/user management system.
    Could someone tell me which is the best method to manage a login/user management system in my web portal?
    Using MySQLi, password encryption, sessions or something else?
    I would also like to know if you could point me to some references, tutorials, examples or other material on the web where I could find some examples or ideas.

    Thank you all in advance

    Bye bye

    Zipgem
#2 Jacques1 (Devshed Expert, joined Jul 2012)
    Hi,

    there are many things to consider, so this isn't really something you could explain in a few sentences.

    I think the most important things are:
    • Always escape data before inserting it into an "executable" context. For databases, use prepared statements with the MySQLi library or the PDO interfaces. For HTML, use htmlentities() and make sure the user cannot inject JavaScript code
    • Use phpass for the password hashes. Do not use plain hashes (like MD5), encrypted passwords or even plaintext passwords. And don't store the hashes anywhere outside of the particular database field (not in the session, a cookie etc.)


    Some attacks like CSRF and things like resetting the password require special security measures.

    And there's common sense, of course. For example, storing the user ID in a cookie obviously isn't a good idea.

    A good reference is the OWASP, especially the OWASP Top 10.
    Last edited by Jacques1; October 30th, 2012 at 10:03 AM.
#3 zipgem (Registered User, Devshed Newbie, joined Oct 2012)
    Hi Jacques1,

    thank you for the useful information that you provided: I will take a look at both phpass and OWASP.
    I don't want to use cookies but only sessions.
    Do you know some books that explain security and user management?

    Thanks again.

    br

    zipgem
#4 Sarcky (Devshed Supreme Being, Pennsylvania, USA, joined Oct 2006)
#5 Jacques1 (Devshed Expert, joined Jul 2012)
    Originally Posted by zipgem
    I don't want to use cookies but only sessions.
    Well, there's nothing wrong with cookies. You just shouldn't use them for critical data.

    In fact, the session ID is usually stored in a cookie.



    Originally Posted by zipgem
    Do you know some books that explain security and user management?
    I don't know a book about that, but there are plenty of resources on the Internet.
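    The pattern Jacques1 describes in #2 and #5 (prepared statements, phpass hashes stored only in the database, htmlentities() on output, user ID kept in the server-side session rather than a cookie), as an added example that is not from the thread. It assumes phpass's PasswordHash.php is on the include path, a `users` table with columns id, username and password_hash, and placeholder DSN and credentials; on PHP 5.5 and later, password_hash()/password_verify() can take the place of phpass.

```php
<?php
// Added example (not from the thread): login handling following the advice above.
// Assumptions: phpass's PasswordHash.php is on the include path, a `users` table
// (id, username, password_hash) exists, and the DSN/credentials are placeholders.
require 'PasswordHash.php';

session_start();

$pdo = new PDO('mysql:host=localhost;dbname=portal;charset=utf8', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares, so parameters never become part of the SQL text.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// phpass: 8 = cost (2^8 rounds), false = use the strongest available hash (bcrypt).
$hasher = new PasswordHash(8, false);

function registerUser(PDO $pdo, PasswordHash $hasher, $username, $password) {
    // Only the salted hash is stored; the plaintext password never reaches the database.
    $hash = $hasher->HashPassword($password);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array(':u' => $username, ':h' => $hash));
}

function loginUser(PDO $pdo, PasswordHash $hasher, $username, $password) {
    // The placeholder keeps $username out of the query text, so quotes in it cannot alter the SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !$hasher->CheckPassword($password, $row['password_hash'])) {
        return false;   // same answer for unknown user and wrong password
    }
    // Fresh session ID on login, so a session ID set before authentication is worthless afterwards.
    session_regenerate_id(true);
    // The user ID lives only in the server-side session; the cookie carries just the session ID.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentUserId() {
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

// Output side: escape before putting user-controlled data into HTML.
function greeting($username) {
    return 'Hello, ' . htmlentities($username, ENT_QUOTES, 'UTF-8');
}
```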
