
usersystem security



ralitza
05-06-2006, 06:13 PM
What do you guys and gals suggest I use to achieve maximum security on my usersystem script? Is there anything I can do to check my own scripts for vulnerability?

i am currently
checking for empty fields
using sessions and cookies
using stripslashes
filtering out html characters
encrypting passwords using sha and md5
generating a code user needs to enter to complete registration

lansing
05-06-2006, 09:13 PM
This shouldn't take long to code, but you could log the user's IP address & enter that into the database table like ip_of_last_login. When the user logs out for the day & comes back later do the following....

Check the user's current IP address against his last login. If the IP address is the same then good, the user can login. If the IP address has changed & doesn't match his last IP then generate an Access PIN & e-mail it to the e-mail address on file. The user then will have to get the Access PIN from his e-mail account on record to enter his account.

I could possibly help you out on coding if you need...sounds like you know what you are doing already though.

degsy
05-08-2006, 02:52 PM
> but you could log the user's IP address & enter that into the database table like ip_of_last_login. When the user logs out for the day & comes back later do the following....
>
> Check the user's current IP address against his last login. If the IP address is the same then good, the user can login. If the IP address has changed & doesn't match his last IP then generate an Access PIN & e-mail it to the e-mail address on file. The user then will have to get the Access PIN from his e-mail account on record to enter his account.

And what about users with dynamic IPs? You are saying that they have to revalidate their account every time they want to login.

lansing
05-08-2006, 10:29 PM
> And what about users with dynamic IPs? You are saying that they have to revalidate their account every time they want to login.

He said he wanted security...it isn't to revalidate his account. That design theory is to validate the user is the legit user & not somebody else.

What would you suggest degsy? Cookies wouldn't work since they can be erased. Simple usernames & passwords don't work since they can be hacked & logged.

The only other thing I could think of is to have one of those interactive keyboards/screens that would allow you to use the mouse to click to type in your password, but I don't know if that is supported in every browser. It is where you click on the link & then a window pops up with a picture of the keyboard & you click each letter to type in the password, but that can be hacked too. I don't think there is any way to make your site 100% safe for users.

degsy
05-09-2006, 01:51 PM
> If the IP address has changed & doesn't match his last IP then generate an Access PIN & e-mail it to the e-mail address on file. The user then will have to get the Access PIN from his e-mail account on record to enter his account.
You are basically asking the user to revalidate their account if you are generating a new PIN. If the user has an ISP that uses Dynamic IPs or if the user is using different PCs/ISPs then this would result in revalidating before every login.


So, in fact, all that you know is that the user logging in has access to the email account that the PIN has been sent to.

IP logging is good, but it cannot be relied on.
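The step-up check lansing describes (compare against ip_of_last_login, e-mail a PIN on mismatch), written out as an added Python example that is not code from either poster. It assumes a 10-minute PIN lifetime and a five-attempt limit, and stores only a hash of the PIN; as degsy notes, a user on a dynamic IP will hit the PIN path on most logins, which this code does nothing to avoid.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600   # assumed lifetime of an e-mailed Access PIN
MAX_PIN_ATTEMPTS = 5    # assumed limit before a pending PIN is discarded


class LoginGuard:
    """Allow the login when the IP matches the one recorded at the last login,
    otherwise issue a short-lived PIN that must be confirmed out of band."""

    def __init__(self):
        self.last_ip = {}   # user -> ip_of_last_login
        self.pending = {}   # user -> (sha256 of PIN, expiry, attempts left)

    def attempt_login(self, user, ip, now=None):
        """Return ('ok', None) or ('pin_required', pin). The caller e-mails
        the PIN; it is returned here only so the flow can be exercised."""
        now = time.time() if now is None else now
        if self.last_ip.get(user) == ip:
            return ("ok", None)
        # First login or changed IP: random six-digit PIN, stored hashed so a
        # database leak does not hand out live PINs.
        pin = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(pin.encode()).hexdigest()
        self.pending[user] = (digest, now + PIN_TTL_SECONDS, MAX_PIN_ATTEMPTS)
        return ("pin_required", pin)

    def verify_pin(self, user, ip, pin, now=None):
        """True only for a fresh, unexpired PIN; then the new IP is trusted."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires, attempts_left = entry
        if now > expires:
            self.pending.pop(user, None)
            return False
        candidate = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):   # constant-time compare
            attempts_left -= 1
            if attempts_left <= 0:
                self.pending.pop(user, None)              # PIN is burned
            else:
                self.pending[user] = (digest, expires, attempts_left)
            return False
        self.pending.pop(user, None)                      # single use
        self.last_ip[user] = ip
        return True
```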



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum