Secure login and security page check best practices with PHP -

-

would peoples views on following:

  • is good/best practice query database every secure page on website salted , encrypted code check between session / cookie , database value?

or

  • is good/best practice rely on salted , encrypted sessions , cookies (where both key , value both salted , encrypted)?

so user id , access level either picked out of database on every secure page or encrypted session / cookie value pair.

conclusion

this have chosen do:

login

  1. validate username & md5(password) in db , correct
  2. start session
  3. session store encrypted key & value pairs for: user_id, admin, access_level
  4. create access key joining remote ip & remote user agent & config encription key, encrypt each, join strings , encrypt again
  5. store value in both db , session key encrypted
  6. user logged in

for page validation:

i choose 2 levels of page user access validation:

  1. low priority secure tasks eg details listings, upload image, select queries mostly
  2. high priority secure tasks eg delete & update

low priority page check:

  1. simply check existence of encrypted session keys , values user_id, access_level & existence of access_key

high priority page check:

  1. query db session access_key match , re-set session values user_id, access_level

additional:

i add ip recording feature track ips in db login attempts , if login fails ip on 10 times, ip gets banned.

certainly not cookies. session cookie should meaningless pseudo-random blob of gobbledygook. gobbledygook id of session stored server side. session data can stored in database or in filesystem (which default php sessions). authenticate user once stored credentials, open session him , store user id , whatever else need in session. user identified , authenticated meaningless session cookie , data belongs it. no more, no less.

there argument made checking whether data in session still in sync database though. say, user has "access levels" , store in session when user authenticates. change user's access level in database; session still have old copy of data , user still able access levels may not allowed anymore. it's how want verify data against canonical database store.


Comments

Post a Comment

Popular posts from this blog

c++ - How to add Crypto++ library to Qt project -

-
Image
i downloaded crypto++ source , compiled cryptlib project in visual studio 2013, , added generated .lib file qt project, made .pro file this: qt += core gui qt += sql greaterthan(qt_major_version, 4):qt += widgets target = untitled template = app sources += main.cpp\ mainwindow.cpp headers += mainwindow.h \ databasecontrol.h \ test.h forms += mainwindow.ui win32:config(release, debug|release): libs += -l$$pwd/ -lcryptlib else:win32:config(debug, debug|release): libs += -l$$pwd/ -lcryptlibd else:unix: libs += -l$$pwd/ -lcryptlib includepath += $$pwd/ dependpath += $$pwd/ win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/libcryptlib.a else:win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/libcryptlibd.a else:win32:!win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/cryptlib.lib else:win32:!win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/cryptlibd.lib else:unix: pre_targetdeps += $$pw
Read more

jQuery Mobile app not scrolling in Firefox -

-
i have mobile app built in jquery mobile. scrolling fine in chrome & safari, fails scroll in firefox on desktop. have other instances of same app, different features, , works across browsers. life of me, cannot figure this, please help! located here: http://re-brand.us/dsus/index.html seems bug in firefox: bug log . able scroll using keyboard not trackpad on mac. are using mac? i'll keep looking see if can find way around it.
Read more

How to use vim as editor in Matlab GUI -

-
i using matlab r2013b. using gui, command windows , editor in split screen. in matlab preferences > editor/debugger > editor. there option set custom editor instead of matlab editor. set local editor /usr/bin/vim , not able open files @ anymore. there possibility use vim editor in split screen mode? i aware of !vim file.m , not solution looking for, works satisfactory in -nodisplay mode. rather want keep split screen mode. i did not find solution 100% satisfying, using tmux intermediate solution. allows 2 use split screen 2 terminals. in 1 of can open matlab -nodesktop in terminal mode, , in other 1 vim . possible switch between both split screens. you can use functionality of gui matlab typing things commandhistory , who et cetera.
Read more