RE: Secure Login Form
- From: <benoni.martin@xxxxxxxxxxxxx>
- Date: Thu, 17 Jan 2008 13:14:12 +0100
I developed an extranet/internet website for my former company, and
here is what I can advise you:
- Always use https for sending login/password,
- If possible, use an X.509 issued by a known company (VeriSign,
Thawte, etc) as it,
- If necessary, use a client certificate as well (you will probably need
to pay them ...),
- Never store a clear-text password in a DB as many companies do, but as
someone else suggested, just store their hashes (SHA-1, SHA-256, ...)
I set this up with ASP/MS SQL Server by the way ...
"I was thinking of using a random number generator to assign the codes.
I am assuming this will also mean that I need a secure way of checking
the database for the code and returning the data? Should https be
implemented here?" ... Hum, this should be performed on the server's
side, and just send back the proposed code to the user (via https of
Don't forget to handle the "Oh God, I forgot my password, what can I
do?", preventing automatic brute-force attacks with spiders,
registering who does what (depending on your country, you will have to
inform authorities that you log client data!) and so on ...
PS: You can get in touch offline if you need more information.
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jonathan Askew JBASKEW
Sent: Wednesday, 16 January 2008 22:29
Subject: Secure Login Form
First of all, I have very limited experience with web development and
programming. That being said, I have been tasked with creating a secure
login form. What I need to accomplish is the following:
1. The user registers their user name and password, and then provides an
access code to prove they have bought the product and should have access
2. The user then enters their username/password into the form in order
3. Upon returning to the site, the username and password should be
remembered and the user should not have to enter these again.
I have been looking at various ways to create the login form (php,
looking at the page source. Since I am new to web development, I do
feel confident enough to create my own form. Each user needs to have
own unique username/pass combo as well. Can anyone suggest some examples
point me to a resource to get me started?
Also, this site has not been built yet and this is the first thing they
want done. I need some ideas for generating the access code and then
keeping track of which code has been assigned to which user. I was
of using a random number generator to assign the codes. I am assuming
will also mean that I need a secure way of checking the database for the
code and returning the data? Should https be implemented here?
Thanks in advance for any advice offered. Being new to these
I thought I should run everything by those more seasoned.
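
An added example, not part of the original thread: a Python sketch of the server-side pieces discussed above (access codes drawn from a CSPRNG and bound to one user, stored password hashes, a failed-login limit). It uses salted PBKDF2-HMAC-SHA256 instead of a bare SHA-1/SHA-256 digest; the class names, the in-memory dicts standing in for database tables, the round count and the lockout threshold are assumptions.

```python
import hashlib, hmac, secrets

ROUNDS = 600_000  # assumed PBKDF2 work factor; tune to your hardware
MAX_FAILS = 3     # assumed lockout threshold

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

class AccessCodes:
    """Hypothetical in-memory stand-in for the access-code table."""
    def __init__(self):
        self._owner = {}  # sha256(code) -> username, or None while unassigned

    @staticmethod
    def _key(code):
        return hashlib.sha256(code.strip().encode()).hexdigest()

    def issue(self):
        code = secrets.token_urlsafe(12)  # 96 bits from the OS CSPRNG
        self._owner[self._key(code)] = None
        return code

    def redeem(self, code, username):
        key = self._key(code)
        if self._owner.get(key, "") is not None:  # unknown or already used
            return False
        self._owner[key] = username
        return True

class Accounts:
    def __init__(self, codes):
        self.codes, self.users, self.fails = codes, {}, {}

    def register(self, username, password, code):
        if username in self.users or not self.codes.redeem(code, username):
            return False
        self.users[username] = hash_password(password)
        return True

    def login(self, username, password):
        record = self.users.get(username)
        if record is None or self.fails.get(username, 0) >= MAX_FAILS:
            return False  # a real site would also add a timed unlock
        salt, digest = record
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        self.fails[username] = 0 if ok else self.fails.get(username, 0) + 1
        return ok
```

All of this runs on the server, behind HTTPS; the browser only ever sees the issued code and the success or failure of a request.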