I'm making a site that uses user-logins and I'm concerned about security. I'm using PHP and hashing for the passwords. Is this secure enough? Or should I use HTTPS for the site?
The https will ensure that the traffic from the viewer's browser to & from the website will be encrypted. This will protect that data in transmission from packet sniffers. The MD5 secure passwords will ensure that if the web server's storage is breached or the database is viewed by someone, the data stored within is encrypted. So they both have their place & should both be used.
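The HTTPS half of this answer, as an added example that is not part of the thread: a PHP fragment that refuses to serve the login page over plain HTTP and keeps the session cookie off cleartext connections. The function names `requestIsHttps`, `httpsUrlFor` and `enforceHttps` are my own, the request arrays at the bottom are constructed sample data, and `session_set_cookie_params()` with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): serve the login page only over HTTPS and
// make sure the session cookie can never travel over a plain-HTTP connection.

declare(strict_types=1);

// Was this request received over TLS? The web server sets $_SERVER['HTTPS'] for
// TLS connections (Apache uses "on", some servers use "1"; IIS sets "off" for
// plain HTTP). If a TLS-terminating reverse proxy sits in front of PHP you would
// instead check the header that proxy sets, and only trust it from that proxy.
function requestIsHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// The https:// URL that an http:// request for the same page should be sent to.
function httpsUrlFor(array $server): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    $path = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $path;
}

// Call this at the top of login.php, before any output and before session_start().
function enforceHttps(array $server): void
{
    if (!requestIsHttps($server)) {
        // Redirect first, so the password form is never rendered (or posted) in clear.
        header('Location: ' . httpsUrlFor($server), true, 301);
        exit;
    }
    // Ask browsers to use HTTPS for this host for the next year.
    header('Strict-Transport-Security: max-age=31536000');
    // Session cookie: Secure (sent only over HTTPS), HttpOnly (not readable from
    // JavaScript), SameSite=Lax (not attached to most cross-site requests).
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Offline check of the pure helpers with constructed request data; enforceHttps()
// itself is only meaningful under a web server, so it is not called here.
var_dump(requestIsHttps(['HTTPS' => 'on']));
var_dump(requestIsHttps(['HTTPS' => 'off']));
var_dump(requestIsHttps([]));
echo httpsUrlFor(['HTTP_HOST' => 'example.com', 'REQUEST_URI' => '/login.php']), "\n";
```

The redirect uses the Host header the client sent, which is normal for a same-host upgrade; if the server answers for several names, compare against a configured canonical host instead.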
> The https will ensure that the traffic from the viewer's browser to & from the website will be encrypted. This will protect that data in transmission from packet sniffers. The MD5 secure passwords will ensure that if the web server's storage is breached or the database is viewed by someone, the data stored within is encrypted. So they both have their place & should both be used.
That's what I thought about https, but I wanted to be sure. I know that javascript client-side password controls are a no-no, but I was also told in class that ASP.NET passwords were server-side and therefore ok - is that the case? I wondered if PHP password controls were safe in that regard.
But it looks like using https isn't a bad idea anyway.
PHP doesn't really have any built in password controls, so they are as secure as you make them. PHP is server side like ASP, but that in itself doesn't really mean anything for security.
> PHP is server side like ASP, but that in itself doesn't really mean anything for security.
I effing KNEW it. It didn't make sense to me that a server-side scripting language somehow kept everything on the server. My web apps instructor is where I got that from. She told us that Javascript password controls were unprotected, but that ASP.NET controls were fine because they were server-side. Well, that's one more .NET person that doesn't really know what's going on...
Ok, I've got SSL, SSH and HTTPS. Other than bad dev practice, are there any other security issues I need to be concerned about?
I am going to disagree here, at least from the PHP view. I'm not 100% on ASP, but a server side language is just that. The PHP engine will prepare the html content for the viewer's browser. Therefore PHP variables, simply put, will not exist once the output is prepared. Case in point.
```php
<?php
$pass = 1234; // Can the browser see this? No
echo $pass;   // Now it can
?>
```
```php
<?php
$pass = 1234; // Can the browser see this? No
if ($_POST['pass'] == "1234") {
    echo "Correct";
} else {
    die("Invalid");
}
?>
```
The client's computer simply does not see the code, since the html is created based on the results. The password in the PHP code is completely safe from the viewer's browser.
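To put this post's point (the comparison runs on the server, so the browser only sees the resulting page) together with the earlier answer's point (store hashes, so a database dump does not hand over the passwords), here is an added example that is not from either poster: a registration and login check built on PHP's own `password_hash()` and `password_verify()` (available since PHP 5.5), which salt every password and use a deliberately slow algorithm, unlike a bare `md5()`. The `$users` array stands in for the database table, `registerUser` and `checkLogin` are my own names, and the user names and passwords are constructed sample values.

```php
<?php
// Added example (not from the thread): server-side password storage and checking
// with PHP's built-in password_hash()/password_verify(). PASSWORD_DEFAULT is
// currently bcrypt; each call to password_hash() draws its own random salt.

declare(strict_types=1);

// Constructed in-memory "users table": username => stored hash.
$users = [];

// Registration: keep only the hash. The plaintext is never written anywhere.
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: the check happens here, on the server. The browser receives only the
// page produced afterwards, never this code, the stored hash or the outcome of
// anything but its own attempt.
function checkLogin(array &$users, string $username, string $submitted): bool
{
    // A hash of a throwaway value, used so that an unknown username costs about
    // the same time as a wrong password (no cheap "does this user exist" signal).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    }

    if (!isset($users[$username])) {
        password_verify($submitted, $dummyHash);
        return false;
    }

    $ok = password_verify($submitted, $users[$username]);
    if ($ok && password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        // Transparently upgrade the stored hash when the default cost or
        // algorithm has changed since the user registered.
        $users[$username] = password_hash($submitted, PASSWORD_DEFAULT);
    }
    return $ok;
}

registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob',   'correct horse battery staple');

// What someone who dumps the table would see: two different salted hashes for
// the same password, neither of which reveals it.
foreach ($users as $name => $hash) {
    echo "$name => $hash\n";
}
// By contrast md5() is unsalted and fast: every user with this password gets the
// identical digest, and guesses can be tested against it very cheaply.
echo "md5 for both: " . md5('correct horse battery staple') . "\n";

echo "alice, right password:   ", var_export(checkLogin($users, 'alice', 'correct horse battery staple'), true), "\n";
echo "alice, wrong password:   ", var_export(checkLogin($users, 'alice', 'not her password'), true), "\n";
echo "unknown user, any input: ", var_export(checkLogin($users, 'mallory', 'anything'), true), "\n";
```

In a real login.php the `$submitted` argument would come from `$_POST` over the HTTPS connection discussed earlier, and the `$users` lookup would be a parameterised database query; nothing in the response to the browser needs to contain the hash.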
First of all, you have to be sure that all of your scripts (PHP), which can compromise your site when "the bad one" attacks it, are safe and you can trust them.
You should look for this book: "Essential PHP Security" by Chris Shiflett.
> PHP is server side like ASP, but that in itself doesn't really mean anything for security.

> I effing KNEW it. It didn't make sense to me that a server-side scripting language somehow kept everything on the server. My web apps instructor is where I got that from. She told us that Javascript password controls were unprotected, but that ASP.NET controls were fine because they were server-side. Well, that's one more .NET person that doesn't really know what's going on...
> Ok, I've got SSL, SSH and HTTPS. Other than bad dev practice, are there any other security issues I need to be concerned about?
You might have misunderstood me. To clarify, there is no such thing as client side security, so if you are comparing it to javascript controls, then yes it is more secure. However, having the authentication code on the server by itself does not make your application secure. A poorly written server side script is still just as insecure, it just might take 5 seconds to break it instead of 1.
> She told us that Javascript password controls were unprotected, but that ASP.NET controls were fine because they were server-side. Well, that's one more .NET person that doesn't really know what's going on...
Unfortunately not knowing what's going on isn't a .Net thing; it's not even language specific. I'm a ".Net person" and I know what's going on. As has been pointed out, ASP.NET is a server-side language just like PHP; neither is more secure than the other. I will say, however, that I feel the .Net Framework has more built-in libraries for encryption and security than does PHP, but without taking specific measures neither is really "secure".