Login enable using IP check

nani_nisha06 · 10-10-2012, 11:41 AM

HI friends,

I have successfully created a login script for my webpage but now i need some help from you guys on security.

1) I want to enable MD5 for my password.
2) I want a script which allows a person to login from specific, If he is using out of raange from the specific he should be rejected.

so please help me getting this done.....also suggest me if cookie & sesstion ID generation is good thing???

Regards,

Nani

Fou-Lu · 10-10-2012, 02:52 PM

md5 is insecure. It has a high percentage of conflict. Use hash with sha256 at minimum instead.
Look into writing a CIDR calculator for this. CIDR will let you handle ranges and subnets for ip addresses and respond accordingly.

As for cookies and sessions, sessions are fine for security so long as the sessionid isn't compromised. Cookies are useless for anything more than basic preference settings.

nani_nisha06 · 10-10-2012, 06:45 PM

Quote:

Originally Posted by Fou-Lu

md5 is insecure. It has a high percentage of conflict. Use hash with sha256 at minimum instead.
Look into writing a CIDR calculator for this. CIDR will let you handle ranges and subnets for ip addresses and respond accordingly.

As for cookies and sessions, sessions are fine for security so long as the sessionid isn't compromised. Cookies are useless for anything more than basic preference settings.

Hi Fou-LU,

I have another basic Idea is as this application will be run over in my own company I want to arrange a access to the user whos is specificaly available in the IP range specified in the DB....

so any suggestions around this ??

Regards,
Nani

Fou-Lu · 10-10-2012, 07:02 PM

If I understand your question properly, that is what CIDR could be used for.
You give a CIDR an IP and a subnetmask or CIDR netmask/mask bits, then you ask it if a provided IP is considered valid within that block. This works perfectly for office domains.

I believe CIDR is directly implemented into Apache as well, so you can also use allow/deny overrides and CIDR notation.

nani_nisha06 · 10-10-2012, 07:09 PM

Quote:

Originally Posted by Fou-Lu

If I understand your question properly, that is what CIDR could be used for.
You give a CIDR an IP and a subnetmask or CIDR netmask/mask bits, then you ask it if a provided IP is considered valid within that block. This works perfectly for office domains.

I believe CIDR is directly implemented into Apache as well, so you can also use allow/deny overrides and CIDR notation.

Sure, will work on post my updates here....