Authentication
#51

(06-17-2017, 09:11 AM)desbest Wrote:
(06-17-2017, 09:01 AM)Paradinight Wrote: Storing the password and username in a cookie is bad, because if someone steals the user table, that person has no problem logging in. A login token is more secure.

A login token is stored on the server too. Something on the user's computer has to MATCH up with what's on the server to authenticate the user. The only way to bypass this is to have a PGP system written in JavaScript, where the authentication is not on the server but instead in the web browser on the user's machine. Mozilla tried to make this by creating BrowserID.

If someone steals the user table or the database through an SQL injection, they can log in anyway, regardless of whether I store the username and password as a cookie or not. Sony didn't store the user ID and password as a cookie on their users' computers, but they still got hacked with an SQL injection by LulzSec and had their database leaked online for everyone to download on torrent websites. What credentials they stored on the user's computer was irrelevant: if someone knows how to do an SQL injection, they will. It's just a matter of entering a line of code in a computer program to test for a vulnerability.

Here's another thing: mysqli_real_escape_string and PDO/mysqli prepared statements aren't foolproof; there are ways to bypass them too. It's like countries having border control. The border control gets tougher and tougher, and there are more and more rules about what gets caught, but as always, some people or some hackers manage to sneak through because the security people don't know all the rules and techniques. They don't know what the blackhat hackers know. If I knew how to do it, I would know how to hack into 90% or more of websites online, so do you think I would tell you how to do it and give away my secrets? Seriously?

I give up.
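An added example, written for this page and not code from the thread or from CodeIgniter, illustrating the two points argued in the post above: a login token whose server-side copy is only a hash, so a stolen token table does not let the thief log in, and a login query built by string concatenation next to its parameterised form. Python with the standard-library sqlite3 module is used so it runs stand-alone; the schema, the user "alice", her password and the injected username are constructed for the example.

```python
"""Server-side login tokens vs. cookies holding credentials, and SQL injection
in a login query. Everything below (schema, sample user, payloads) is
constructed for this example; it is not the thread's or CodeIgniter's code."""
import hashlib
import hmac
import secrets
import sqlite3


def hash_password(password, salt_hex):
    """PBKDF2-SHA256 with a per-user salt; the users table never holds plaintext."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000
    ).hex()


def make_db():
    """Constructed sample data: one user, plus an empty login_tokens table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,"
        " pw_hash TEXT, salt TEXT)"
    )
    db.execute(
        "CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER)"
    )
    salt = secrets.token_hex(16)
    db.execute(
        "INSERT INTO users (name, pw_hash, salt) VALUES (?, ?, ?)",
        ("alice", hash_password("correct horse", salt), salt),
    )
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """Credential check pushed into SQL text built by concatenation.
    A username of  alice' --  comments out the pw_hash clause (SQLite
    treats -- as a line comment), so any password is accepted."""
    row = db.execute(f"SELECT salt FROM users WHERE name = '{name}'").fetchone()
    if row is None:
        return None
    h = hash_password(password, row[0])
    row = db.execute(
        f"SELECT id FROM users WHERE name = '{name}' AND pw_hash = '{h}'"
    ).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    """Parameterised lookup; the injected name simply matches no user.
    The hash comparison happens in code, in constant time."""
    row = db.execute(
        "SELECT id, pw_hash, salt FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return None
    uid, pw_hash, salt = row
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        return uid
    return None


def issue_login_token(db, user_id):
    """Random token for the browser's cookie; only its SHA-256 is stored.
    Someone who dumps login_tokens gets hashes they cannot present as cookies."""
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO login_tokens (token_hash, user_id) VALUES (?, ?)",
        (hashlib.sha256(token.encode()).hexdigest(), user_id),
    )
    db.commit()
    return token


def user_for_token(db, presented):
    """Hash whatever the cookie carries and look that up; a stolen hash
    hashes to something else and does not match."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    row = db.execute(
        "SELECT user_id FROM login_tokens WHERE token_hash = ?", (digest,)
    ).fetchone()
    return row[0] if row else None


def stolen_token_hash(db):
    """Simulates the attacker's view after dumping the login_tokens table."""
    return db.execute("SELECT token_hash FROM login_tokens").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("bypass vs concatenated SQL:", login_vulnerable(db, "alice' --", "wrong"))
    print("bypass vs parameterised SQL:", login_safe(db, "alice' --", "wrong"))
    cookie = issue_login_token(db, login_safe(db, "alice", "correct horse"))
    print("real cookie ->", user_for_token(db, cookie))
    print("stolen hash as cookie ->", user_for_token(db, stolen_token_hash(db)))
```

The token design is what Paradinight's post is pointing at: the cookie holds a random value that exists only on the client, the server keeps a one-way hash of it, and the hash can be revoked by deleting the row without touching the user's password. The injection half shows that the concatenated query is what leaks or bypasses data, not the presence of a cookie.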
#52

Desbest, people are trying to help you and they're not wrong when they say your code needs serious improvement.
CodeIgniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Theme © iAndrew 2016 - Forum software by © MyBB