Making A Secure Login

I have been trying to make a secure login for my site that I am developing.

I just can't get it to work. I use MySQL databases with PHP.

I can make the form to add the user and their info to the database but I can't seem to make it work with the login.

What type of encryption is used with HTML <input type="password">?

How do I keep the User logged in throughout their visit to my site?

How do I securely check if it is the right password that matches the username?

I have been doing PHP for maybe a year now, I just haven't learned this part yet so it would be nice to know.

techy Avatar asked Jul 13 '09 14:07



2 Answers

What type of encryption is used with HTML <input type="password">?

None. The input is just masked to protect against "Looking at the monitor" attacks.

If you want security, transmit your data over HTTPS (HTTP with SSL).

How do I keep the User logged in throughout their visit to my site?

Most people use cookies.

How do I securely check if it is the right password that matches the username?

Securely?

Don't use a shared server. Follow the normal steps for keeping data on that server secure. Store passwords as hashes, not as plain text.

Check?

Convert the submitted password to the matching hash, then compare as normal. Assuming you store the data in a database, just SELECT FROM users WHERE user=? AND password=? and count the number of rows you get back.

Quentin Avatar answered Oct 01 '22 06:10

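The hash-and-check flow from the answer above as working PHP, added here and not part of the original post or either answer. It uses PDO with an in-memory SQLite table standing in for MySQL, stores salted hashes with password_hash(), and, because the per-user salt means the hash cannot be recomputed before the lookup, fetches the row by username and compares with password_verify() instead of matching the hash in the WHERE clause; a small session helper covers the "keep the user logged in" question. Assumes PHP 7.4+ with the pdo_sqlite extension; the table name, columns and sample user are constructed for the example.

```php
<?php
// Added example (not from the question or answers): hashed-password login
// check in PHP/PDO. SQLite in memory stands in for the MySQL database so the
// script runs on its own; swap the DSN for your MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() adds a random per-user salt and stores it inside the
    // hash string, so two users with the same password get different hashes.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns the user id on success, null otherwise.
function checkLogin(PDO $db, string $username, string $password): ?int
{
    // The per-user salt means the hash cannot be recomputed in the WHERE clause:
    // fetch the stored hash by username and let password_verify() compare.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash for unknown usernames so response time does
    // not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $storedHash = $row ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($password, $storedHash);
    return ($row && $ok) ? (int) $row['id'] : null;
}

function startLoginSession(int $userId): void
{
    // Stay logged in via a server-side session; the browser holds only the
    // session id cookie. Rotating the id on login blocks session fixation.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'cookie_secure' => true]);
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'bob', 'correct horse battery staple'));
```

Call startLoginSession() with the returned id only after checkLogin() succeeds, and serve the whole login flow over HTTPS as both answers recommend.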


I'll address the password protection portion of your question.

There is no built in encryption with the password input type. The browser will submit it as plain text just like everything else. There are two ways to protect the password.

The first is to set up a challenge/response system, but this will require JavaScript to work. Basically you take the user's password, apply a hashing function if that's the way it's stored on the server, then you take a server challenge token and salt the password value for a new hash. The server will take its value of the password and apply the challenge as well. If they match, the password is correct and there is no way for anyone to know what the actual password was. This requires JavaScript because the hash must be produced on the client side if this approach is to be effective.

Another, simpler option is to require HTTPS for the login portion of the site.

Spencer Ruport Avatar answered Oct 01 '22 07:10
