Here you are going to learn how to build a high-security login system, covering both client-side and server-side security, using PHP with cookies and sessions.
Terms of Agreement:
By using this article, you agree to the following terms...
You may use this article in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.
You MAY NOT redistribute this article (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.
You may link to this article from another website, but ONLY if it is not wrapped in a frame.
You will abide by any additional copyright restrictions which the author may have placed in the article or article's description.
Most login systems work with a session created for the browser (client side), saving a cookie with the information you want to pass along and remember across the system.
The problem is that most of these systems can be subverted by forging a session and cookie that carry the administrator's settings; with those, an attacker can enter the secured section behind your login system.
To make this very hard to break, crack or hack, you need a secure sync between server and client. First you need the username and password part, which must be hashed (maybe with md5) together with a session corresponding to a date and time stamp. Example:
<?php
session_start(); // needed before $_SESSION can be used
// Copy the values the browser sent back in its cookies into the server-side session;
// the password is kept only as an md5 hash, never in clear text.
$_SESSION["pass"] = md5($_COOKIE["REMCURPAS"]);
$_SESSION["id"]   = $_COOKIE["REMCURUS"];
$_SESSION["time"] = $_COOKIE["TIMEST"];
As I said before, this code can be beaten by forging a session in a tampered browser, which makes it easy to get into the secured side of your system.
The good part is this: you keep a temp file or MySQL table where you save the sessions together with an encrypted random code, and you use that code to check and sync the session every time it is used.
That is, create a random code (maybe 128 bits), encrypt it, and save it both in the file or table and in the session created for the browser.
This random code verifies that the session was created by your software and not forged in a tampered browser.
The other point of security: user levels must not be stipulated in the session. They must be kept on the server, looked up by username, and the user level read from there.
Plus a function that counts failed password attempts and blocks the account.
I wrote this article because I have seen a lot of code in here that has this security problem.
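The server-side session record, token check on every request, server-side user level and failed-attempt lockout described above, as an added example that is not the article's code. It uses an in-memory SQLite table through PDO as a stand-in for the MySQL table and, in place of md5, password_hash() for the stored password and random_bytes() for the 128-bit token; the user 'alice', her password and the limits are constructed sample values.

```php
<?php
// Added example, not the article's code. In-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass_hash TEXT, level INTEGER, failures INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');
const MAX_FAILURES = 5;    // assumed lockout threshold
const SESSION_TTL  = 1800; // assumed session lifetime in seconds

// Returns a fresh 128-bit session token on success, null on failure or locked account.
function login(PDO $db, string $name, string $pass): ?string {
    $st = $db->prepare('SELECT * FROM users WHERE name = ?');
    $st->execute([$name]);
    $u = $st->fetch(PDO::FETCH_ASSOC);
    // One failure path for unknown user, locked account and wrong password alike.
    if (!$u || $u['failures'] >= MAX_FAILURES || !password_verify($pass, $u['pass_hash'])) {
        if ($u) { $db->prepare('UPDATE users SET failures = failures + 1 WHERE id = ?')->execute([$u['id']]); }
        return null;
    }
    $db->prepare('UPDATE users SET failures = 0 WHERE id = ?')->execute([$u['id']]);
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG; this is what the session carries
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')->execute([$token, $u['id'], time() + SESSION_TTL]);
    return $token; // put this in $_SESSION['token'], never the password
}

// Resolves the token sent by the client to a user row, or null if it was not issued by us.
function current_user(PDO $db, ?string $token): ?array {
    if ($token === null) return null;
    // The level comes from the server-side row, not from anything the client sent.
    $st = $db->prepare('SELECT u.id, u.name, u.level FROM sessions s JOIN users u ON u.id = s.user_id WHERE s.token = ? AND s.expires > ?');
    $st->execute([$token, time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Demo with a constructed user account.
$db->prepare('INSERT INTO users (name, pass_hash, level) VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 2]);
var_dump(login($db, 'alice', 'wrong') === null);                 // bool(true): bad password rejected
$tok = login($db, 'alice', 'correct horse');
var_dump(current_user($db, $tok)['level'] === 2);                // bool(true): level read from the server
var_dump(current_user($db, 'forged-token-value') === null);      // bool(true): token not in our table
```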
Your method is not effective; rather, it's bogus. First, sessions are created on servers and not on the client side. There are two methods to transport a session: (i) through the URL (very secure) (ii) through cookies. The life cycle of a session is based on how it is utilized by the client side. PHP is capable of transforming links transparently. Please see: http://www.acros.si/papers/session_fixation.pdf
The author is saying that instead of saving username and password information in a cookie, the server should issue a hash value representing the user's session. The hash value will then be used to look up in a database which user it corresponds to and the time period for which it is valid. It is virtually impossible for an intruder to generate a hash value that corresponds to a valid session in your database, and even if someone steals a person's cookie he will not be able to decrypt that person's password or change the session's timestamp.