login system user security
#1

[eluser]webscriptz.be[/eluser]
Hi everybody,

I'm attempting to create a custom user login system with CI for a rather large application. Because it will be used by others and I will be responsible, I want to use additional security, and I want your take on it.

What I was thinking of doing:

1. SALT string of 512 chars
2. login system:
I ask username - password - pincode (8 digits max)
3. password construction for encryption:
plain encryption with sha1 of pincode
SALT + password + sha1(pincode) + SALT
4. password encryption with Cipher AES (as CI uses it by default)

Anybody have other ideas for protection? Or would you like it as a user/owner?
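The construction from post #1 (SALT + password + sha1(pincode) + SALT), written out as an added example. This is not the poster's code and not CodeIgniter's Encrypt library; it is Python so the steps can be followed and run stand-alone. APP_SALT, the sample password and the sample pincode are constructed values. One assumption is flagged in the code: post #1 names AES for the final step, but AES is a reversible cipher, so the example reduces the concatenated string with a one-way hash (SHA-256) instead, which is what post #2's "only one-way conversion" asks for. The login check compares in constant time.

```python
import hashlib
import hmac

# Constructed application-wide salt standing in for the 512-char SALT string
# from post #1 (assumption: the exact value does not matter for the construction).
APP_SALT = "constructed-example-salt-0123456789abcdef0123456789abcdef"


def valid_pin(pin: str) -> bool:
    """Post #1 allows a pincode of up to 8 digits; reject anything else up front."""
    return pin.isdigit() and 1 <= len(pin) <= 8


def pin_digest(pin: str) -> str:
    """sha1(pincode) as hex, the inner step of post #1's construction."""
    return hashlib.sha1(pin.encode("utf-8")).hexdigest()


def make_verifier(password: str, pin: str, salt: str = APP_SALT) -> str:
    """SALT + password + sha1(pincode) + SALT, reduced with a one-way hash.

    Post #1 named AES for this last step. AES is a reversible cipher, so with
    a fixed key the stored value could be decrypted back to the password; this
    example uses SHA-256 instead (assumption: a one-way digest is what post #2's
    "only one-way conversion" asks for).
    """
    if not valid_pin(pin):
        raise ValueError("pincode must be 1-8 digits")
    material = salt + password + pin_digest(pin) + salt
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def check_login(stored: str, password: str, pin: str, salt: str = APP_SALT) -> bool:
    """Recompute the verifier from the submitted credentials and compare in
    constant time, so a mismatch does not leak where the strings diverge."""
    if not valid_pin(pin):
        return False
    return hmac.compare_digest(stored, make_verifier(password, pin, salt))


if __name__ == "__main__":
    stored = make_verifier("correct horse battery", "4711")   # constructed credentials
    print(stored)
    print(check_login(stored, "correct horse battery", "4711"))   # True
    print(check_login(stored, "correct horse battery", "4712"))   # False
```

Because the same SALT wraps both ends, the second copy adds nothing the first did not: an attacker who knows the construction gains no extra work from it, which is the point Mackstar makes in #2.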
#2

[eluser]Mackstar[/eluser]
It sounds like you have it covered; any more than this is a little overkill... As long as it is only possible as a one-way conversion and you have a little salt in there, then it should be pretty safe.

I even suggest you will not need SALT in there twice, as I don't see the benefit of it. I would also question how an extra pin-code would affect usability. But that is your call.

Just also make sure of where the password is being saved, as misuse of your password-saving function could be a leaking point if others have access to your program. Also be careful how much info you keep in the session when logged in. Make sure MySQL injection issues and session hijacking issues are covered.

You need to make sure no JavaScript or malicious PHP code can be entered into forms etc...

But I think you probably know that stuff..

Cheers

Richard
#3

[eluser]webscriptz.be[/eluser]
Thanks for pointing out the salt!

Even the pincode won't be used in it; that pincode will just be an extra security measure which is friendly to users, more than a captcha, because your browser can keep it for you.

As for the encryption, I've generated myself a 1024-char salt; overkill, but still, can't make it too easy to get by for a hacker.

The session, hmmm, I was thinking of cookies, but that's a 4 KB limit, so sessions it is, encrypted, and it will check browser and IP data against session hijacking.
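Post #3's plan to check browser and IP data against session hijacking, written out as an added example. This is not the poster's code and not CodeIgniter's session library; it is Python, and SERVER_KEY and the sample User-Agent and IP values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key (assumption: in a real deployment this lives in
# server config, never in the database or the cookie).
SERVER_KEY = b"constructed-example-server-key"


def fingerprint(user_agent: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """HMAC over the browser and IP data the session is bound to.

    Keying the hash means a leaked session table does not hand out raw
    User-Agent strings and addresses, and cannot be recomputed without the key.
    """
    data = f"{user_agent}\n{client_ip}".encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def new_session(user_id: int, user_agent: str, client_ip: str) -> dict:
    """Server-side session record: random id, owner, and binding fingerprint."""
    return {
        "sid": secrets.token_urlsafe(32),   # 256 bits from the OS CSPRNG
        "user_id": user_id,
        "fp": fingerprint(user_agent, client_ip),
    }


def session_matches(session: dict, user_agent: str, client_ip: str) -> bool:
    """Reject a request that presents a valid session id from a different
    browser/IP combination, the check post #3 describes."""
    return hmac.compare_digest(session["fp"], fingerprint(user_agent, client_ip))


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64)"   # constructed request data
    s = new_session(7, ua, "203.0.113.10")
    print(session_matches(s, ua, "203.0.113.10"))     # True
    print(session_matches(s, ua, "198.51.100.5"))     # False: same browser, other IP
```

Two caveats a practitioner would want: binding to the client IP logs out users whose address changes mid-session (mobile networks, rotating proxies), and the User-Agent alone is weak, because anything that can steal the cookie from the browser can also read the User-Agent. Treat the fingerprint as a hurdle on top of an unguessable session id, not as a substitute for one.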
#4

[eluser]webscriptz.be[/eluser]
I'm maybe thinking about another protection like RC6 or something.
#5

[eluser]The Wizard[/eluser]
Hello
Your protection is over-protected :) It's good and it should be sufficient.
You also could do some logic for it, like for example have a secret key
generated for every user. That could be of use if you, for example,
want to send the user to another site, maybe with the same cookie;
since the cookie is only domain-wide he would need the key, and stuff
like that.