  • #1
    New Coder
    Join Date
    Dec 2005
    Posts
    56
    Thanks
    0
    Thanked 0 Times in 0 Posts

    usersystem security

    What do you guys and gals suggest I use to achieve maximum security on my usersystem script? Is there anything I can do to check my own scripts for vulnerability?

    I am currently:
    • checking for empty fields
    • using sessions and cookies
    • using stripslashes
    • filtering out html characters
    • encrypting passwords using sha and md5
    • generating a code user needs to enter to complete registration

  • #2
    Regular Coder
    Join Date
    Dec 2005
    Posts
    346
    Thanks
    1
    Thanked 0 Times in 0 Posts
    This shouldn't take long to code, but you could log the user's IP address & enter that into the database table like ip_of_last_login. When the user logs out for the day & comes back later do the following....

    Check the user's current IP address against his last login. If the IP address is the same then good, the user can login. If the IP address has changed & doesn't match his last IP then generate an Access PIN & e-mail it to the e-mail address on file. The user then will have to get the Access PIN from his e-mail account on record to enter his account.

    I could possibly help you out on coding if you need...sounds like you know what you are doing already though.

  • #3
    Senior Coder
    Join Date
    Nov 2002
    Location
    North-East, UK
    Posts
    1,265
    Thanks
    0
    Thanked 0 Times in 0 Posts
    but you could log the user's IP address & enter that into the database table like ip_of_last_login. When the user logs out for the day & comes back later do the following....

    Check the user's current IP address against his last login. If the IP address is the same then good, the user can login. If the IP address has changed & doesn't match his last IP then generate an Access PIN & e-mail it to the e-mail address on file. The user then will have to get the Access PIN from his e-mail account on record to enter his account.

    And what about users with dynamic IPs? You are saying that they have to revalidate their account every time they want to login.

  • #4
    Regular Coder
    Join Date
    Dec 2005
    Posts
    346
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by degsy
    And what about users with dynamic IPs? You are saying that they have to revalidate their account every time they want to login.
    He said he wanted security...it isn't to revalidate his account. That design theory is to validate the user is the legit user & not somebody else.

    What would you suggest degsy? Cookies wouldn't work since they can be erased. Simple usernames & passwords don't work since they can be hacked & logged.

    The only other thing I could think of is to have one of those interactive keyboards/screens that would allow you to use the mouse to click to type in your password, but I don't know if that is supported in every browser. It is where you click on the link & then a window pops up with a picture of the keyboard & you click each letter to type in the password, but that can be hacked too. I don't think there is any way to make your site 100% safe for users.

  • #5
    Senior Coder
    Join Date
    Nov 2002
    Location
    North-East, UK
    Posts
    1,265
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If the IP address has changed & doesn't match his last IP then generate an Access PIN & e-mail it to the e-mail address on file. The user then will have to get the Access PIN from his e-mail account on record to enter his account.
    You are basically asking the user to revalidate their account if you are generating a new PIN. If the user has an ISP that uses Dynamic IPs or if the user is using different PCs/ISPs then this would result in revalidating before every login.

    So, in fact, all that you know is that the user logging in has access to the email account that the PIN has been sent to.

    IP logging is good, but it cannot be relied on.
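    Added illustration, not code from any poster: a Python sketch of the scheme proposed in #2 (compare the client IP with the IP recorded at the last login, and e-mail a one-time PIN when it differs) that also makes the objection in #3 and #5 concrete, since a user whose address changes on every login is challenged on every login, and passing the challenge only proves control of the mailbox. The in-memory dicts stand in for the ip_of_last_login column and a PIN table, the send_mail callback is a placeholder for the mailer, and the hashed single-use PIN with a ten-minute lifetime is my assumption, not something the thread specifies.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL = 600  # assumption: an emailed PIN is valid for ten minutes


class LoginGuard:
    """Step-up check from post #2: when the client IP differs from the IP
    recorded at the last successful login, email a one-time PIN and require
    it before the login completes. State lives in dicts here; in a real
    user system it would be the ip_of_last_login column and a PIN table."""

    def __init__(self, send_mail):
        self.send_mail = send_mail   # callable(email, pin); a stub in tests
        self.last_ip = {}            # username -> ip_of_last_login
        self.pending = {}            # username -> (sha256(pin), expiry time)
        self.challenges = {}         # username -> how many PINs were emailed

    def login(self, user, email, ip, now=None):
        now = time.time() if now is None else now
        if self.last_ip.get(user) in (None, ip):
            self.last_ip[user] = ip      # first login or same IP: no challenge
            return "ok"
        pin = f"{secrets.randbelow(10**6):06d}"
        # Store only a hash so a database leak does not expose live PINs.
        self.pending[user] = (hashlib.sha256(pin.encode()).hexdigest(), now + PIN_TTL)
        self.challenges[user] = self.challenges.get(user, 0) + 1
        self.send_mail(email, pin)
        return "pin_required"

    def verify_pin(self, user, ip, pin, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)  # one attempt per issued PIN
        if entry is None:
            return False
        pin_hash, expires = entry
        if now > expires:
            return False
        candidate = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(pin_hash, candidate):
            return False
        # Passing the check proves only control of the mailbox (post #5);
        # the new IP is recorded so the next login from it is not challenged.
        self.last_ip[user] = ip
        return True
```

    The `challenges` counter is what shows the dynamic-IP cost: a user arriving from a new address each time gets one e-mailed PIN per login after the first.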