Authentication
#47

(This post was last modified: 06-17-2017, 06:14 AM by ciadmin.)

(06-17-2017, 04:34 AM)desbest Wrote:
(06-17-2017, 04:08 AM)Paradinight Wrote: Your code is garbage:
- saving the password in a cookie
- no SQL protection
- printing the error message
- missing password_needs_rehash



Something has to be stored on the user's computer so the website can recognise whether the user is logged in or not. And whatever is stored on the computer has to MATCH what is on the server that is assigned to the user. It doesn't matter if it's a password or a random string that's not a password, because it has to match up to what's on the server assigned to the user anyway.

You might want me to validate IP addresses in case cookies are stolen, but if someone has a dynamic IP address, they'll experience the bother of being repeatedly logged out. For extra security, when logging in, the user's IP address can be checked against other IP addresses that have logged in for that user in the past.

I'll repeat again: the SQL escaping functions that PHP provides to programmers in its programming language, such as mysqli_real_escape_string, have been broken and can be exploited very easily, as a quick search on Stack Overflow shows, so you should rely on a server firewall to protect against SQL injections. If you rely on PHP's SQL escaping functions, it's like having a front door to your house made of paper.

The error message is printed because on all my websites there is an email form for the user to email the admin (me), so if for some rare and strange reason they cannot register on the website, not only do they see a generic "you could not sign up because of an error", they see the exact error so they can email it to me. If I used Sentry, all PHP errors would go to my email automatically, but it is good to print the error for that reason as well, just to be safe.

The password is already rehashed using bcrypt, as it is using a default strength of three, four or five (one of the three). The bcrypt algorithm has not been cracked, and it takes exponential time to brute force, due to the fact that generating a password in bcrypt has a cost, unlike MD5 or SHA-1. And by the way, rehashing passwords doesn't make them any less likely to be cracked.

1. https://paragonie.com/blog/2015/04/secur...ersistence <- read it and learn from it.
2. Printing the mysql error is very bad and very dangerous.
3. https://stackoverflow.com/questions/5741...ape-string <- do you mean this?
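For readers following the four points argued over above, here is an added example (editor's code, not from either poster and not from the CodeIgniter project) showing the alternative Paradinight is pointing at: a "remember me" cookie that carries a random selector and validator instead of the password, with only a hash of the validator stored server-side (the split-token pattern from the Paragonie article linked below); prepared statements in place of escaping; password_needs_rehash on login; and database errors logged rather than printed. It assumes PHP 7+ with the pdo_sqlite extension, uses an in-memory SQLite database so it runs stand-alone, and all table, column and function names are illustrative assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite.
// Table and column names (users, remember_tokens, ...) are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// Registration: store a bcrypt hash, never the password. Prepared statements send
// the SQL and the values separately, so no escaping function is involved at all.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_BCRYPT)]);
}

// Login: verify against the stored hash, then upgrade the stored hash whenever the
// configured cost differs from the one it was created with (password_needs_rehash).
function loginUser(PDO $db, string $username, string $password, array $opts = []): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, $opts)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_BCRYPT, $opts), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// "Remember me": the cookie holds a random selector plus a random validator. Only a
// hash of the validator is stored, so a leaked table cannot be replayed as cookies,
// and the cookie never contains the password or anything derived from it.
function issueRememberToken(PDO $db, int $userId, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (:s, :v, :uid, :exp)');
    $stmt->execute([':s' => $selector, ':v' => hash('sha256', $validator), ':uid' => $userId, ':exp' => time() + $ttl]);
    return $selector . ':' . $validator;   // the value to set in the cookie
}

function checkRememberToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    // Look up by selector only; compare the validator hash in constant time so the
    // lookup does not leak how many leading bytes of a guessed validator were right.
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Errors: keep the detail in the server log and show the user a generic message.
try {
    registerUser($db, "alice' OR 1=1 --", 'correct horse battery staple'); // injection attempt is just data
    registerUser($db, "alice' OR 1=1 --", 'again');                        // UNIQUE violation -> PDOException
} catch (PDOException $e) {
    error_log('registration failed: ' . $e->getMessage());
    echo "Registration failed; please contact the administrator.\n";
}

$uid    = loginUser($db, "alice' OR 1=1 --", 'correct horse battery staple', ['cost' => 12]);
$cookie = issueRememberToken($db, $uid);
var_dump(checkRememberToken($db, $cookie) === $uid);
var_dump(checkRememberToken($db, explode(':', $cookie)[0] . ':wrong') === null);
```

Two design points worth noting. The selector exists so the database lookup is by an indexed, non-secret column and the secret validator is only ever compared with hash_equals; stolen cookies are still usable until they expire, which is why the table carries an expiry and why a real deployment would delete the row on logout or on password change. Passing a higher cost to loginUser than the one the hash was created with is what triggers the rehash branch, which is the upgrade path password_needs_rehash is for.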