#1 longship (Registered User, joined Nov 2013)

    Understanding Login & Form submission


    I am new at PHP. I have created a form to collect data and it works well. What I would like to implement is a login system, and what I've gathered from reading the posts on this site is that I should definitely use an existing library as it relates to security.

    The problem is that the tutorials for bcrypt and phpass seem to still be a little above my head and I'm not grasping the series of steps I need to complete to fully implement the solution.

    I have a users table with username, salt, password, etc. Once I create my login page (html) what are the components that I need to understand to tie my form to the script? I am not opposed to reading and learning, I'm just struggling getting off the starting block on this project.

    My last assumption is that in order to keep the data submitted safe I should incorporate an SSL, correct?

    I appreciate your help and guidance.

    Regards,
    Doug
#2 (Devshed Expert, joined Jul 2012)
    Hi,

    a user authentication system is a very bad project for a beginner -- assuming you actually wanna use it afterwards.

    It's relatively easy to write an insecure user authentication system, but it's damn hard to implement a good one which protects the security and privacy of all parties. Even professional programmers constantly get this wrong, because there are simply too many mistakes you can make and too many details you can overlook.

    I've written down a concept for an authentication system which shows all the things you have to take care of. And that's only a high-level description.

    Doing this correctly requires a lot of experience and a very solid understanding of web security. If you're new to PHP, you simply don't have that yet. And since you said that bcrypt is already too complicated for you, it's definitely too early for implementing user authentication.

    Start with non-critical scripts that don't promise security to anybody.



    Originally Posted by longship
    My last assumption is that in order to keep the data submitted safe I should incorporate an SSL, correct?
    All transportation should be encrypted with TLS (the successor of SSL) at all times -- unless there's a very good reason against it.

    Only encrypting parts of the website is very problematic, because it may enable an attacker to circumvent the encryption altogether. For example, if you have a link to a secure page embedded in an insecure page, then an attacker could simply replace that link with a plain HTTP link. Most users won't notice. The same goes for redirects from HTTP to HTTPS.

    The only way to be halfway secure is to use HTTPS at all times -- with the right algorithms, of course.

    The 6 worst sins of security • How to (properly) access a MySQL database with PHP
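    Added example, not from the thread or either poster: the minimal pieces that tie a posted login form to a users table using PHP's built-in bcrypt functions, together with the "HTTPS at all times" enforcement from the reply above. It assumes PHP 7 or later (password_hash() and password_verify() exist since 5.5), an open PDO connection already in $pdo, a `users` table with `username` and `password_hash` columns, and a form that posts fields named `username` and `password` to this script. Note that with password_hash() the separate `salt` column mentioned in the question is unnecessary: the random salt is generated for you and embedded in the 60-character hash.

```php
<?php
// Added example (not from the thread). Assumptions: PHP >= 7, $pdo is an open
// PDO connection, table `users` has columns `username` and `password_hash`,
// and the login form posts `username` and `password` to this script.
declare(strict_types=1);

// 1. Refuse plain HTTP outright. A redirect from HTTP to HTTPS can be stripped
//    by an attacker in the middle, so refusing is safer than redirecting.
//    HSTS tells browsers that have seen the site once to stay on HTTPS.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('This form is only available over HTTPS.');
}
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 2. Session cookie only over TLS and not readable from JavaScript.
//    Parameters: lifetime, path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', true, true);
session_start();

const BCRYPT_COST = 12; // raise over time as hardware gets faster

// 3. Registration side: store only the bcrypt hash (salt is embedded in it).
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// 4. Login side: look the hash up with a prepared statement (no SQL injection
//    from the username field), then let password_verify() compare in constant time.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // A dummy hash computed once per process so that an unknown username costs
    // the same time as a known one and does not leak which accounts exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Transparently upgrade old hashes if BCRYPT_COST has been raised since.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $username]);
    }
    return true;
}

// 5. Handle the posted form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (checkLogin($pdo, $username, $password)) {
        session_regenerate_id(true);   // fresh session id after authentication
        $_SESSION['user'] = $username;
        header('Location: /forms.php'); // the electronic forms page, assumed name
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

    The same generic failure message is returned whether the username is unknown or the password is wrong, and the dummy password_verify() keeps the two cases close in timing. Everything else a real system needs (rate limiting, password reset, CSRF protection on the form, logout) is deliberately out of scope here, which is the point the reply above makes: this is the smallest correct core, not a finished authentication system.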

#3 longship (Registered User, joined Nov 2013)
    Thank you very much for your reply. My goal is to replace some paper forms with an electronic forms submission. Let me ask this: would it be better for me to implement this solution locally on a server, with the remote locations connected to the server via VPN? Would that solve the security issues? I basically have 6 locations, with one location having the central server.
#4 ManiacDan (Sarcky, Devshed Supreme Being, Pennsylvania, USA, joined Oct 2006)
    I accidentally banned longship while attempting to ban a spammer (the forum software does weird things when it encounters already-banned accounts). Longship should be back online soon, but this conversation may be...delayed a bit.

    Longship, you should [almost] never install multiple copies of a web based product to handle multiple locations/offices/whatever. Make one system in one place, and everyone can log into it from there. Definitely read the login security tutorial in the stickies, and look at the sample apps people like Northie have put together.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#5 longship (Registered User, joined Nov 2013)
    Originally Posted by ManiacDan
    Longship, you should [almost] never install multiple copies of a web based product to handle multiple locations/offices/whatever. Make one system in one place, and everyone can log into it from there. Definitely read the login security tutorial in the stickies, and look at the sample apps people like Northie have put together.
    I don't think I explained myself clearly. I have a central office and five remote locations that would be populating and sending the form. If those 6 locations were connected via VPN to the server hosting the web form does that solve my security issue? There is really no need to access this form outside of the VPN.

    If that is the case I can get them up and running while continuing to develop my PHP knowledge for future enhancements.
#6 (Contributing User, Devshed Frequenter, joined Dec 2004)
    What happens if someone in those 6 locations gets angry at the company and tries to mess with your forms?
#7 ManiacDan (Sarcky, Devshed Supreme Being, Pennsylvania, USA, joined Oct 2006)
    Keep it centralized, definitely. Using a VPN is a security thing up to you, but I recommend it if they're normally on the VPN anyway.