[nycphp-talk] I want to set up secure login to my website.
csnyder
chsnyder at gmail.com
Fri Jun 29 17:11:40 EDT 2007
On 6/29/07, PaulCheung <paulcheung at tiscali.co.uk> wrote:
>
> I would like to set up secure login to my website, which is still under
> development and I want visitors to login using their allocated User-ID and
> Password. Of course, if they pass authentication they are in and if not they
> are 100% completely denied all access to the website. What I am trying to
> avoid is anybody penetrating security because they know its inner workings.
> I would also like to understand the coding behind this type of
> authentication as used on the Internet as opposed to an Intranet. Can
> anybody point me in the right direction?
Securing an internet site is not so different from securing an
intranet site. Use a PHP session. If the user isn't logged-in (no
userid in the session) then show or process the login form and exit().
session_start();
if ( empty($_SESSION['userid']) ) {
    if ( !empty($_POST['username']) ) {
        // authenticate user based on POST
        ...
        // issue a fresh session id on login, so a session id an attacker
        // planted before login (session fixation) never becomes the trusted one
        session_regenerate_id(true);
        $_SESSION['userid'] = $userid;
        header("Location: /");
        exit(); // stop here, or the login form below is sent along with the redirect
    }
    // show login form
    ...
    exit();
}
You'll want to use SSL (HTTPS) since the packets will be traveling
over the public network.
You might want to include a mechanism for limiting the number of login
attempts that can be made, so that a casual attacker can't use "brute
force" to guess passwords. Doing this is harder than it sounds; see
mod_security for one approach. http://www.modsecurity.org/
--
Chris Snyder
http://chxo.com/
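As an added example that is not part of Chris's post, here is the sketch above filled in: the "..." becomes password_hash()/password_verify() against a stored hash, the redirect gets a fresh session id, and the "limit the number of login attempts" step is a small per-account lockout. It assumes PHP 7.1 or later; the user table (one constructed account, "alice") and the JSON throttle file under the temp directory are stand-ins for a database, and the function names are mine, not from any library.

```php
<?php
// Added example (not code from Chris Snyder's post): the pieces his sketch
// leaves as "...", namely password_hash()/password_verify(), a per-account
// failed-attempt limiter, and a new session id on login. Assumes PHP 7.1+;
// the user table and the JSON throttle file are stand-ins for a database.
declare(strict_types=1);

const MAX_FAILURES = 5;       // lock the account after this many wrong guesses
const LOCKOUT_SECONDS = 900;  // ...for fifteen minutes

// Constructed user table: username => password_hash() output (salted bcrypt).
function userTable(): array
{
    static $users = null;
    return $users ?? ($users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);
}

// Hash checked when the username is unknown, so timing does not reveal valid usernames.
function dummyHash(): string
{
    static $h = null;
    return $h ?? ($h = password_hash('placeholder', PASSWORD_DEFAULT));
}

function throttleFile(): string { return sys_get_temp_dir() . '/login-throttle.json'; }
function loadThrottle(): array
{
    $raw = @file_get_contents(throttleFile());
    return $raw === false ? [] : (json_decode($raw, true) ?: []);
}
function saveThrottle(array $t): void { file_put_contents(throttleFile(), json_encode($t), LOCK_EX); }
function clearFailures(string $user): void { $t = loadThrottle(); unset($t[$user]); saveThrottle($t); }

// Locked once MAX_FAILURES failures are recorded and the last one is recent.
function isLocked(string $user, int $now): bool
{
    $t = loadThrottle();
    return isset($t[$user]) && $t[$user]['count'] >= MAX_FAILURES
        && ($now - $t[$user]['last']) < LOCKOUT_SECONDS;
}

// Count a failure; an expired lockout starts a fresh count (no sliding window, for brevity).
function recordFailure(string $user, int $now): void
{
    $t = loadThrottle();
    $e = $t[$user] ?? ['count' => 0, 'last' => 0];
    if ($e['count'] >= MAX_FAILURES && ($now - $e['last']) >= LOCKOUT_SECONDS) {
        $e = ['count' => 0, 'last' => 0];
    }
    $t[$user] = ['count' => $e['count'] + 1, 'last' => $now];
    saveThrottle($t);
}

// Returns 'ok', 'denied' or 'locked'. $session is by reference so the same
// code serves $_SESSION on the web and a plain array in the CLI demo.
function attemptLogin(string $user, string $password, array &$session, int $now): string
{
    if (isLocked($user, $now)) {
        return 'locked';                 // do not evaluate the password while locked
    }
    $users = userTable();
    $known = isset($users[$user]);
    if (!password_verify($password, $known ? $users[$user] : dummyHash()) || !$known) {
        recordFailure($user, $now);
        return 'denied';                 // same message for bad user and bad password
    }
    clearFailures($user);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);     // privilege changed: defeat session fixation
    }
    $session['userid'] = $user;
    return 'ok';
}

if (PHP_SAPI === 'cli') {
    // Demo with a fake clock: MAX_FAILURES wrong guesses, the right password
    // during the lockout, then the right password once the lockout has expired.
    @unlink(throttleFile());
    $session = [];
    $now = 1000000;
    for ($i = 1; $i <= MAX_FAILURES; $i++) {
        printf("guess %d: %s\n", $i, attemptLogin('alice', "wrong$i", $session, $now));
    }
    printf("right password while locked: %s\n", attemptLogin('alice', 'correct horse battery', $session, $now));
    $now += LOCKOUT_SECONDS;
    printf("right password after lockout: %s\n", attemptLogin('alice', 'correct horse battery', $session, $now));
} else {
    // Web use, in the shape of Chris's sketch: gate every page on the session.
    session_start();
    if (empty($_SESSION['userid'])) {
        if (!empty($_POST['username'])) {
            $r = attemptLogin((string) $_POST['username'], (string) ($_POST['password'] ?? ''), $_SESSION, time());
            if ($r === 'ok') { header('Location: /'); exit(); }
        }
        echo '<form method="post">User <input name="username"> Password <input type="password" name="password"> <button>Log in</button></form>';
        exit();
    }
}
```

Run it from the command line to watch the lockout engage and expire; served over HTTPS it acts as the login gate. Two points the sketch does not show: the username-not-found path still runs bcrypt against a dummy hash so an attacker cannot enumerate accounts by timing, and the lockout is per account rather than per client IP, since a brute-forcer spreads requests across many addresses while the account it targets stays the same. A file-backed counter is fine for a demo but races under load; a real site keeps the counter in the same database as the users.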