Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Login security advice  (Read 4595 times)

0 Members and 1 Guest are viewing this topic.

RS232

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 37
Login security advice
« on: March 09, 2004, 01:42:49 pm »

This is my thought

I's like to use https to transmit username/passwords in secure way from client to server, but at the same time I don't want to encrypt all the data transmitted by my webserver (encryption means increase the traffic and a picture of 60K could easly become 120 if encrypted). So ....
here my idea
when you want to login, coppermine redirect you to a https page where you can input login+password.
If the credential are accepted, coppermine sets a session (cookie or whatelse you use) and come back to the standard http album list.

What do you think?
RS232
Logged

hyperion

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Posts: 1317
  • - retired -
Login security advice
« Reply #1 on: March 09, 2004, 11:48:41 pm »

If you would be willing to create this as a mod, I'm am sure there are people out there who could use it.  

However, integrating it into the CPG distribution could be problematic as not everyone has access/is willing to pay for secure connections.
Logged
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull

(http://www.mozilla.org/products/firefox/buttons/getfirefox_small.png)

RS232

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 37
Login security advice
« Reply #2 on: March 10, 2004, 11:33:01 am »

Unfortunately I'm very busy and I'm not able to write any code -(
I'd love to help!

https can be setup with a "fake" certificate, in this way you don't have the authentication of the source (you could have it but you have to pay) but at least (most important) you encrypt the username+password sent across the wire.

-)
rs232
Logged

jason

  • Contributor
  • Coppermine regular visitor
  • ***
  • Offline Offline
  • Posts: 78
Login security advice
« Reply #3 on: March 10, 2004, 12:13:21 pm »

to accomplish this, it would seem that you need to :
  • when login.php is loaded, it should check for the ssl session...if not exists then it should redirect itself to it
Code: [Select]
$SERVER_SSL_PORT = 443;
$SERVER_HTTP_PORT = 80;

$port = $_SERVER['SERVER_PORT'];

switch ($port) {
    case $SERVER_SSL_PORT:
        // code/call to continue
        break;

    case $SERVER_HTTP_PORT:
        // code/call to redirect
        break;
}


  • the cookie session should be set to secure


something along the lines of
Code: [Select]
setcookie($CONFIG['cookie_name'] . '_pass', md5($HTTP_POST_VARS['password']), time() + $cookie_life_time, $CONFIG['cookie_path'],,1);

  • the form needs to rewrite the referer to include simply http and not https


not entirely sure on the exact implementation of this part, but would seem simple enough.

[/list:u]
Logged
jason
Pages: [1]   Go Up
 

Page created in 0.021 seconds with 19 queries.