
Topic: Login security advice


RS232

Login security advice
« on: March 09, 2004, 01:42:49 pm »

This is my thought:

I'd like to use https to transmit username/passwords in a secure way from client to server, but at the same time I don't want to encrypt all the data transmitted by my webserver (encryption means increased traffic, and a picture of 60K could easily become 120K if encrypted). So ....
here is my idea:
when you want to log in, Coppermine redirects you to an https page where you can input login+password.
If the credentials are accepted, Coppermine sets a session (cookie or whatever else you use) and comes back to the standard http album list.

What do you think?
RS232

hyperion

Login security advice
« Reply #1 on: March 09, 2004, 11:48:41 pm »

If you would be willing to create this as a mod, I am sure there are people out there who could use it.

However, integrating it into the CPG distribution could be problematic as not everyone has access/is willing to pay for secure connections.

RS232

Login security advice
« Reply #2 on: March 10, 2004, 11:33:01 am »

Unfortunately I'm very busy and I'm not able to write any code :-(
I'd love to help!

HTTPS can be set up with a "fake" certificate; this way you don't have authentication of the source (you could have it, but you have to pay), but at least (most importantly) you encrypt the username+password sent across the wire.

:-)
rs232

jason

Login security advice
« Reply #3 on: March 10, 2004, 12:13:21 pm »

To accomplish this, it would seem that you need to:
  • when login.php is loaded, it should check for the SSL session... if it does not exist then it should redirect itself to it
Code:
$SERVER_SSL_PORT = 443;
$SERVER_HTTP_PORT = 80;

// SERVER_PORT arrives as a string, so compare it as an integer
$port = (int) $_SERVER['SERVER_PORT'];

switch ($port) {
    case $SERVER_SSL_PORT:
        // already on https: carry on and show the login form
        break;

    case $SERVER_HTTP_PORT:
        // plain http: send the browser to the https copy of this same page
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
        exit;
}


  • the cookie session should be set to secure


something along the lines of
Code:
// 6th argument (secure = 1) tells the browser to send the cookie over https only;
// the empty string is the (unused) domain argument, which cannot be skipped in PHP.
// $_POST replaces the old $HTTP_POST_VARS, which is no longer available.
setcookie($CONFIG['cookie_name'] . '_pass', md5($_POST['password']), time() + $cookie_life_time, $CONFIG['cookie_path'], '', 1);

  • the form needs to rewrite the referer to include simply http and not https


not entirely sure on the exact implementation of this part, but would seem simple enough.

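The flow proposed in the first post (log in over https, set a session, return to the plain-http album list) and the three steps jason lists above, put together as one working login.php. This is an added example, not Coppermine's own code: the `$CONFIG` keys `https_host` and `http_return`, the in-memory `$USERS` table and the function names are all assumed for illustration, and the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example (not Coppermine code). Assumed/hypothetical names:
// $CONFIG['https_host'], $CONFIG['http_return'], $USERS, and the helpers below.
$CONFIG = [
    'cookie_name' => 'cpg_session',
    'cookie_path' => '/',
    'https_host'  => 'gallery.example.com',                  // TLS host serving login.php
    'http_return' => 'http://gallery.example.com/index.php', // plain-http album list
];

// Constructed sample user table: hashes made with password_hash(), never plain or md5 passwords.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

/** True when the request arrived over TLS (Apache sets HTTPS=on; fall back to the port). */
function is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** Step 1: never show the login form over plain http; bounce to the TLS copy of this page. */
function require_https(array $server, string $https_host): void
{
    if (is_https($server)) {
        return;
    }
    header('Location: https://' . $https_host . ($server['REQUEST_URI'] ?? '/login.php'), true, 302);
    exit;
}

/** Check the POSTed credentials against the stored hash in constant time. */
function authenticate(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

/** Step 2: issue a random session id in a cookie flagged Secure (and HttpOnly). */
function start_login_session(array $config, string $user): string
{
    $sid = bin2hex(random_bytes(32));
    // Real code would persist $sid => $user server-side (database or session store).
    setcookie($config['cookie_name'], $sid, [
        'expires'  => time() + 3600,
        'path'     => $config['cookie_path'],
        'secure'   => true,   // browser sends it over https:// only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $sid;
}

require_https($_SERVER, $CONFIG['https_host']);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (authenticate($USERS, $user, $pass)) {
        start_login_session($CONFIG, $user);
        // Step 3: send the browser back to the plain-http album list.
        header('Location: ' . $CONFIG['http_return'], true, 302);
        exit;
    }
    http_response_code(401);
}
?>
<form method="post" action="login.php">
  <input name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
```

Two things worth checking before copying this pattern. First, steps 2 and 3 pull against each other: a cookie with the Secure flag is, by definition, not sent with http:// requests, so the album list at `http_return` will see the visitor as logged out. Dropping the flag makes the session work over http but then the session id crosses the wire in the clear on every page view, so the scheme protects the password at login while leaving the logged-in session open to hijacking by anyone who can sniff the traffic. Second, the example uses a random session id rather than `md5($_POST['password'])` in the cookie: an md5 of the password is a fixed, replayable credential, and once captured it can also be cracked offline.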