son

Security


Hi there,


Have coded a simply members login area where members can change their email address, password (to logon to area), phone number and upload some text info. Nothing fancy really (no file upload etc).


Now am concerned to make the area as secure as I can and whilst you need to be logged in to access any of the pages within the area I wonder what else I can do. I have three main questions.


1. On lots of large websites you have to enter your password to change details. Would it be good advice to do this for all four update pages (email address, password, phone, information)? Or would that be overkill?

2. Shall I request that the whole area is under https rather than just http?

3. What else is good practice to safeguard the area and/or what tools can you use to test security issues?


In addition, I decided to go only for one email field rather than add the customary confirmation email field. My browsers always fill in the details anyway, so in a way there is no point to this. What is your take on this?


Any comments appreciated:-)


Son


Yes, anytime the user wants to change their password they should have to input their old password. This way, if somebody gets into the account through session hi-jacking they can't lock the user out of their own account. The same goes for e-mail, because the e-mail can be used to send account recovery information.


It's preferable to use HTTPS for login. If you're managing sensitive information such as credit card numbers, home address or personal identity information you absolutely must use HTTPS.


Testing for security issues is complicated. A large company would hire a professional hacker (ethical hacking is actually a job).


Asking for them to confirm their e-mail address is not a security issue, it's more to protect the user from human error. If they put their e-mail address wrong then they'll never get an activation e-mail or recovery e-mail from the website.


Thanks for your feedback Ingolme. Whilst no home address etc will go for your advice and have them enter password to change password and email address. Will also check for https. Might also consider the two email option.


Appreciate your input:-)


Son


I implemented the changes to the area, but just now thought it might also be an idea to log the IP addresses of users just in case some dodgy entity finds a way in. Would that be a good idea and if so, should I do this only for the login or any updates entered? Really would like to do all I can to avoid issues with security etc.


Son


Often a session will be destroyed when the IP address changes. You don't need to store the IP address in the database, just store it in the PHP session. If the session does not have an IP address stored then store the user's current IP address. If the session has an IP address in it then compare it to the user's IP address; if it is different then delete all data from the session and require the user to log in again. That's one way to prevent session hijacking.

  • Like 1
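The two pieces of advice in this thread (bind the session to the IP it was created from, and require the current password before a password or e-mail change), as an added PHP example that is not code from the original posts. It assumes a PDO connection `$pdo` and a `members` table with columns `id`, `email` and `password_hash`; note that a legitimate user whose IP changes mid-session (mobile networks, some proxies) will simply be asked to log in again.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and a `members`
// table with columns id, email, password_hash; both are assumptions.
// $pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass');

session_start();

// Bind the session to the client IP seen when it was created; on mismatch,
// wipe the session and send the user back to the login page.
function enforce_session_ip(): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['ip'])) {
        $_SESSION['ip'] = $ip;   // first request of this session: record the IP
        return;
    }
    if (!hash_equals($_SESSION['ip'], $ip)) {
        $_SESSION = [];          // delete all session data
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}

// Re-check the current password before any sensitive change (password or e-mail).
function verify_current_password(PDO $pdo, int $memberId, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE id = ?');
    $stmt->execute([$memberId]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

enforce_session_ip();
if (empty($_SESSION['member_id'])) {
    header('Location: /login.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $memberId = (int) $_SESSION['member_id'];
    if (!verify_current_password($pdo, $memberId, $_POST['current_password'] ?? '')) {
        http_response_code(403);
        exit('Current password is incorrect.');
    }
    $newHash = password_hash((string) ($_POST['new_password'] ?? ''), PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE members SET password_hash = ? WHERE id = ?');
    $stmt->execute([$newHash, $memberId]);
    session_regenerate_id(true); // rotate the session id after a credential change
}
```

The same `verify_current_password` gate can sit in front of the e-mail change form, since a changed e-mail address controls account recovery.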


Sorry for delay in responding. Caught a nasty bug...


Thanks for feedback. Will look into this. Very helpful:-)


Son

