This article is about security in login systems: how to prevent intruders, how to build a higher-level login system in PHP, and how to identify unique computers and sessions.
Terms of Agreement:
By using this article, you agree to the following terms...
- You may use this article in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.
- You MAY NOT redistribute this article (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.
- You may link to this article from another website, but ONLY if it is not wrapped in a frame.
- You will abide by any additional copyright restrictions which the author may have placed in the article or article's description.
Hi;
Here I am again with an update on this topic: the security of login systems.
Let's get to the point. Most login systems work with a session created on the server side (session_start();) and a cookie in the browser ($_COOKIE[""];), and in most of the login systems I have seen I found the same bug.
When PHP starts a session it creates a temporary file on the server side and at the same time sets a cookie in the browser, in most cases named PHPSESSID, which holds a random session identifier. On every request the browser sends this identifier back and the server uses it to load the global $_SESSION[''] array.
Here is the bug: that identifier is the only thing tying the browser to the logged-in session. If we steal or guess this cookie we can get into the system, and if we copy the cookies from a logged-in computer and use them on another computer we are inside the login system too. This is known as session hijacking, and it works even though the password was never seen.
To have a more secure login system you need a captcha on the login form, and after the system has checked that the user name and password are correct it should save, on the server side, some data about the browser (user agent), ISP and IP address together with a unique id created from random data and a timestamp. This unique id is also saved in the browser as a cookie. The original version of this idea also saved the user name and password in cookies; do not do that. Anything stored in the browser can be stolen along with the session, and a random token generated by the server gives you the same comparison without ever exposing the credentials.
This prevents an intruder who creates or copies the cookies from getting a logged-in session. If the intruder takes the session cookie from a logged-in computer he will not be logged in, because the system will notice that the browser, the ISP or the IP is different. If the intruder also uses the same proxy and the same browser, the system compares the token cookie with the one saved on the server; if they are not the same, the login is refused. And if the intruder tries to create the cookies himself, only your system can create this unique id, so a mismatch tells you the cookies are not the real ones and the intruder does not get in. Two caveats a practitioner should keep in mind: the IP and browser checks are only a speed bump (an attacker on the same network or behind the same proxy shares them, and mobile users change IP often, so compare a network prefix rather than the full address), and the stolen PHPSESSID must itself be made useless by regenerating the session id at login and setting the cookies HttpOnly, Secure and SameSite.
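Here is how the idea described above can be put together in PHP. This is an added example written for this article, not the author's own code from dimworks.org. It assumes PHP 7.3 or newer (for the array form of setcookie() and session_set_cookie_params()), an invented find_user() store holding a password_hash() digest, and a fingerprint built from the user agent plus the /24 prefix of the client IP; the names and the fingerprint layout are assumptions, not part of the original article.

```php
<?php
// Added example: binding a PHP login session to a browser fingerprint and a
// server-generated token, so a copied PHPSESSID alone is not enough to log in.
// Assumes PHP >= 7.3. find_user() and the fingerprint layout are illustrative.
declare(strict_types=1);

// Constructed sample user store: one user whose password is "correct horse".
function find_user(string $username): ?array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

// Fingerprint of the client: user agent plus the IPv4 /24 prefix (last octet
// dropped), so a proxy pool or mobile network that shifts the last octet does
// not log the user out on every request. IPv6 addresses are used unchanged.
function fingerprint(array $server): string {
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    $prefix = preg_replace('/\.\d+$/', '', $ip);
    return hash('sha256', $ua . '|' . $prefix);
}

// Start the session with hardened cookie flags before any output is sent.
function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,       // only over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not sent on cross-site requests
    ]);
    session_start();
}

// Check the credentials, then bind the session to this client.
function login(string $username, string $password, array $server): bool {
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // A fresh session id on login defeats session fixation: whatever PHPSESSID
    // the browser carried before authenticating is now worthless.
    session_regenerate_id(true);
    // Only the server can produce this token; an intruder cannot forge it.
    $token = bin2hex(random_bytes(32));
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['fp']       = fingerprint($server);
    $_SESSION['token']    = $token;
    $_SESSION['login_at'] = time();
    setcookie('login_token', $token, [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    return true;
}

// Run on every protected request: the session must exist, the client must
// still match the fingerprint saved at login, and the token cookie must match
// the server copy. hash_equals() avoids leaking the token through timing.
function is_logged_in(array $server, array $cookie): bool {
    if (empty($_SESSION['user_id']) || empty($_SESSION['token'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fp'] ?? '', fingerprint($server))) {
        return false;
    }
    $presented = (string) ($cookie['login_token'] ?? '');
    return hash_equals($_SESSION['token'], $presented);
}

function logout(): void {
    $_SESSION = [];
    setcookie('login_token', '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}

// Typical use: start_secure_session(); then on the login form POST call
// login($_POST['user'], $_POST['pass'], $_SERVER); on every protected page
// check is_logged_in($_SERVER, $_COOKIE) and redirect to the form if false.
```

Note what this does and does not buy you: a PHPSESSID copied to another browser fails the fingerprint check, a forged login_token fails hash_equals(), and a session id obtained before login is discarded by session_regenerate_id(). An attacker who steals every cookie from the same browser behind the same network prefix still gets in, which is why the Secure, HttpOnly and SameSite flags and a short session lifetime matter as much as the fingerprint.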
Well, this is one idea, one way to create a more secure login system; if you want more information about it you can visit this site: www.dimworks.org