No Support => Feature requests => Topic started by: RS232 on March 09, 2004, 01:42:49 pm

Title: Login security advice
Post by: RS232 on March 09, 2004, 01:42:49 pm
This is my thought

I'd like to use https to transmit username/passwords in a secure way from client to server, but at the same time I don't want to encrypt all the data transmitted by my webserver (encryption means increased traffic, and a picture of 60K could easily become 120 if encrypted). So ....
here is my idea
when you want to login, coppermine redirects you to a https page where you can input login+password.
If the credentials are accepted, coppermine sets a session (cookie or whatever else you use) and comes back to the standard http album list.

What do you think?
Title: Login security advice
Post by: hyperion on March 09, 2004, 11:48:41 pm
If you would be willing to create this as a mod, I am sure there are people out there who could use it.

However, integrating it into the CPG distribution could be problematic as not everyone has access/is willing to pay for secure connections.
Title: Login security advice
Post by: RS232 on March 10, 2004, 11:33:01 am
Unfortunately I'm very busy and I'm not able to write any code -(
I'd love to help!

https can be set up with a "fake" certificate, in this way you don't have the authentication of the source (you could have it but you have to pay) but at least (most important) you encrypt the username+password sent across the wire.

Title: Login security advice
Post by: jason on March 10, 2004, 12:13:21 pm
to accomplish this, it would seem that you need to:
Code:

$SERVER_SSL_PORT = 443; // assumed value: the port the HTTPS listener runs on
$port = $_SERVER['SERVER_PORT'];

switch ($port) {
    case $SERVER_SSL_PORT:
        // code/call to continue
        break;
    default:
        // code/call to redirect
}

something along the lines of
Code:
// 5th argument (domain) left empty; 6th argument (secure) = 1 limits the cookie to HTTPS requests
setcookie($CONFIG['cookie_name'] . '_pass', md5($_POST['password']), time() + $cookie_life_time, $CONFIG['cookie_path'], '', 1);

not entirely sure on the exact implementation of this part, but would seem simple enough.
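
The port check and the secure cookie flag from the post above, as an added example that is not part of the original thread or of Coppermine's code. It builds the HTTPS redirect target and models when a browser attaches the cookie: with the secure flag set the cookie is withheld once the user is back on the plain-HTTP album list, and without it the cookie travels unencrypted on every HTTP request. `SSL_PORT`, `SITE_HOST` and both function names are assumptions.

```php
<?php
// Hypothetical settings; none of these names come from Coppermine.
const SSL_PORT  = 443;
const SITE_HOST = 'gallery.example'; // fixed in config, never taken from the Host header

// Return the HTTPS URL to redirect to, or null when the request
// already arrived on the SSL port and the login form may be served.
function login_redirect_target(array $server): ?string
{
    if ((int)($server['SERVER_PORT'] ?? 0) === SSL_PORT) {
        return null;
    }
    $path = $server['SCRIPT_NAME'] ?? '/';
    return 'https://' . SITE_HOST . $path;
}

// Model of the browser rule for the Secure attribute (6th argument of
// setcookie): such a cookie is only sent back on HTTPS requests.
function browser_sends_cookie(bool $secureFlag, string $scheme): bool
{
    return !$secureFlag || $scheme === 'https';
}

// Constructed sample requests, standing in for $_SERVER.
$plain = ['SERVER_PORT' => '80',  'SCRIPT_NAME' => '/login.php'];
$tls   = ['SERVER_PORT' => '443', 'SCRIPT_NAME' => '/login.php'];

var_dump(login_redirect_target($plain));
var_dump(login_redirect_target($tls));

// Walk through both flag settings for the HTTPS login page and the
// plain-HTTP album list the user is sent back to afterwards.
foreach ([true, false] as $secure) {
    foreach (['https', 'http'] as $scheme) {
        printf(
            "secure=%d, %s request: cookie %s\n",
            $secure,
            $scheme,
            browser_sends_cookie($secure, $scheme) ? 'sent' : 'withheld'
        );
    }
}
```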