
Security


son


Hi there,

 

Have coded a simple members' login area where members can change their email address, password (to log on to the area), phone number and upload some text info. Nothing fancy really (no file upload etc.).

 

Now I am concerned to make the area as secure as I can, and whilst you need to be logged in to access any of the pages within the area, I wonder what else I can do. I have three main questions.

 

1. On lots of large websites you have to enter your password to change details. Would it be good advice to do this for all four update pages (email address, password, phone, information)? Or would that be overkill?

2. Shall I request that the whole area is under https rather than just http?

3. What else is good practice to safeguard the area and/or what tools can you use to test security issues?

 

In addition, I decided to go only for one email field rather than add the customary confirmation email field. My browsers always fill in the details anyway, so in a way there is no point to this. What is your take on this?

 

Any comments appreciated:-)

 

Son


Yes, any time the user wants to change their password they should have to input their old password. This way, if somebody gets into the account through session hijacking they can't lock the user out of their own account. The same goes for e-mail, because the e-mail can be used to send account recovery information.

 

It's preferable to use HTTPS for login. If you're managing sensitive information such as credit card numbers, home address or personal identity information you absolutely must use HTTPS.

 

Testing for security issues is complicated. A large company would hire a professional hacker (ethical hacking is actually a job).

 

Asking for them to confirm their e-mail address is not a security issue, it's more to protect the user from human error. If they put their e-mail address wrong then they'll never get an activation e-mail or recovery e-mail from the website.

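The re-authentication gate described in the reply above, as an added example that is not code from the original thread. The in-memory `$users` array, the member id `42`, the sample passwords and the 12-character minimum length are all assumptions standing in for the real members table and password policy; in the application the id would come from the session after login and the record from the database.

```php
<?php
// Added example (not from the original thread): require the current
// password before the password or e-mail of a logged-in member is changed.
// $users is a constructed stand-in for the members table so the script
// runs from the CLI; the hashing calls are the standard PHP ones.
declare(strict_types=1);

// Constructed sample member record (assumed data, not from the thread).
$users = [
    42 => [
        'email'         => 'member@example.com',
        'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ],
];

/**
 * Verify the password the member just typed against the stored hash.
 * An unknown user id is treated exactly like a wrong password.
 */
function reauthenticate(array $users, int $userId, string $typedPassword): bool
{
    if (!isset($users[$userId])) {
        return false;
    }
    return password_verify($typedPassword, $users[$userId]['password_hash']);
}

/**
 * Change the password only when the current one is supplied correctly,
 * so a stolen session cookie alone cannot lock the member out.
 */
function change_password(array &$users, int $userId, string $current, string $new): bool
{
    if (!reauthenticate($users, $userId, $current)) {
        return false;
    }
    if (strlen($new) < 12) {   // assumed minimum-length policy
        return false;
    }
    $users[$userId]['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

/**
 * The e-mail address is the account-recovery channel, so it gets the same gate.
 */
function change_email(array &$users, int $userId, string $current, string $newEmail): bool
{
    if (!reauthenticate($users, $userId, $current)) {
        return false;
    }
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $users[$userId]['email'] = $newEmail;
    return true;
}

// Demonstration. $userId would normally be read from $_SESSION after login.
$userId = 42;

// Someone holding only the session does not know the current password.
$r1 = change_password($users, $userId, 'guess', 'AttackerChosenPassword1');
$r2 = change_email($users, $userId, 'guess', 'attacker@example.net');
echo 'attacker password change: ' . ($r1 ? 'allowed' : 'rejected') . "\n";
echo 'attacker e-mail change:    ' . ($r2 ? 'allowed' : 'rejected') . "\n";

// The legitimate member supplies the current password and succeeds.
$r3 = change_email($users, $userId, 'correct horse battery staple', 'new@example.com');
$r4 = change_password($users, $userId, 'correct horse battery staple', 'a much longer new password');
echo 'member e-mail change:      ' . ($r3 ? 'allowed' : 'rejected') . "\n";
echo 'member password change:    ' . ($r4 ? 'allowed' : 'rejected') . "\n";

// After the change the old password is no longer accepted.
$r5 = reauthenticate($users, $userId, 'correct horse battery staple');
echo 'old password still valid:  ' . ($r5 ? 'yes' : 'no') . "\n";
```

In the real page handlers, call `session_regenerate_id(true)` after a successful password change (and after login) so that any session id an attacker captured earlier stops working, and serve the whole area over HTTPS so the current password typed into these forms is not exposed in transit.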

Thanks for your feedback, Ingolme. Whilst there is no home address etc., I will go for your advice and have them enter the password to change the password and email address. Will also check for https. Might also consider the two-email option.

 

Appreciate your input:-)

 

Son


I implemented the changes to the area, but just now thought it might also be an idea to log the IP addresses of users just in case some dodgy entity finds a way in. Would that be a good idea, and if so, should I do this only for the login or for any updates entered? Really would like to do all I can to avoid issues with security etc.

 

Son


Often a session will be destroyed when the IP address changes. You don't need to store the IP address in the database, just store it in the PHP session. If the session does not have an IP address stored then store the user's current IP address. If the session has an IP address in it then compare it to the user's IP address; if it is different then delete all data from the session and require the user to log in again. That's one way to prevent session hijacking.

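The IP-pinned session described in the reply above, as an added example that is not code from the original thread. The session is passed in as an array and the client addresses are constructed values so the script runs from the CLI; in the application you would pass `$_SESSION` after `session_start()` and `$_SERVER['REMOTE_ADDR']` as the current address. The `'ip'` key and `user_id` value are assumed names.

```php
<?php
// Added example (not from the original thread): pin a PHP session to the
// client IP address seen on its first request, wiping the session when a
// later request arrives from a different address.
declare(strict_types=1);

/**
 * Record the IP on first use; on any later request compare it with the
 * current one. On a mismatch every session value is dropped and false is
 * returned so the caller can redirect to the login page.
 */
function enforce_session_ip(array &$session, string $currentIp): bool
{
    if (!isset($session['ip'])) {
        $session['ip'] = $currentIp;   // first request in this session
        return true;
    }
    if ($session['ip'] !== $currentIp) {
        $session = [];                 // clears user_id and everything else
        return false;
    }
    return true;
}

/**
 * How the check would be wired into every page of the members area.
 * Not executed here because it needs a web request; shown for completeness.
 */
function protect_page(): void
{
    session_start();
    // Use REMOTE_ADDR only; X-Forwarded-For is client-controlled unless a
    // trusted reverse proxy in front of PHP sets it.
    if (!enforce_session_ip($_SESSION, $_SERVER['REMOTE_ADDR'])) {
        session_regenerate_id(true);   // old session id is now worthless
        header('Location: /login.php');
        exit;
    }
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

// Simulated sequence of requests (constructed for the example).
$session = [];
$memberIp = '203.0.113.10';            // stand-in for $_SERVER['REMOTE_ADDR']

// Request 1: login page records the IP, then the login handler sets user_id.
enforce_session_ip($session, $memberIp);
$session['user_id'] = 42;

// Request 2: same client, still logged in.
$ok = enforce_session_ip($session, $memberIp);
echo 'request 2 from member IP: ' . ($ok && isset($session['user_id']) ? 'logged in' : 'logged out') . "\n";

// Request 3: the same session cookie replayed from another address.
$ok = enforce_session_ip($session, '198.51.100.7');
echo 'request 3 from other IP:  ' . ($ok ? 'logged in' : 'session destroyed, login required') . "\n";
echo 'session contents now:     ' . json_encode($session) . "\n";
```

Two caveats a practitioner would add: members on mobile networks or behind load-balanced corporate proxies legitimately change address mid-session and will be logged out by this check, and the check does nothing against an attacker on the same address. It is a useful extra layer, not a substitute for sending the session cookie with the `Secure` and `HttpOnly` flags over HTTPS and calling `session_regenerate_id(true)` at login.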
