Login security advice

Started by RS232, March 09, 2004, 01:42:49 PM

RS232

This is my thought

I'd like to use https to transmit username/passwords in a secure way from client to server, but at the same time I don't want to encrypt all the data transmitted by my webserver (encryption means increased traffic, and a picture of 60K could easily become 120 if encrypted). So ....
here's my idea:
when you want to login, Coppermine redirects you to an https page where you can input login+password.
If the credentials are accepted, Coppermine sets a session (cookie or whatever else you use) and comes back to the standard http album list.

What do you think?
RS232

hyperion

If you would be willing to create this as a mod, I am sure there are people out there who could use it.

However, integrating it into the CPG distribution could be problematic as not everyone has access/is willing to pay for secure connections.
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull


RS232

Unfortunately I'm very busy and I'm not able to write any code :-(
I'd love to help!

https can be set up with a "fake" certificate; in this way you don't have the authentication of the source (you could have it, but you have to pay), but at least (most important) you encrypt the username+password sent across the wire.

:-)
rs232

jason

to accomplish this, it would seem that you need to:
  • when login.php is loaded, it should check for the ssl session... if it does not exist, then it should redirect itself to it

$SERVER_SSL_PORT = 443;
$SERVER_HTTP_PORT = 80;

$port = $_SERVER['SERVER_PORT'];

switch ($port) {
    case $SERVER_SSL_PORT:
        // code/call to continue
        break;

    case $SERVER_HTTP_PORT:
        // code/call to redirect
        break;
}


  • the cookie session should be set to secure

something along the lines of
// PHP's setcookie() takes no empty arguments: pass '' for the domain and true for the
// secure flag, so the browser only returns the cookie over https.
setcookie($CONFIG['cookie_name'] . '_pass', md5($_POST['password']), time() + $cookie_life_time, $CONFIG['cookie_path'], '', true);

  • the form needs to rewrite the referer to include simply http and not https

not entirely sure on the exact implementation of this part, but would seem simple enough.

jason
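The three steps jason lists, assembled into one hypothetical login.php as an added example; this is not Coppermine's code or code from anyone in this thread, and $CONFIG['site_host'] and the $USERS table are constructed for the demo. The comment on the final redirect records the catch a practitioner would check first: a cookie marked Secure is withheld by the browser on plain-http requests, so step 3 only keeps the visitor logged in if the album pages are served over https as well.

```php
<?php
// Added example, not code from Coppermine or this thread: the three steps above
// assembled into one hypothetical login.php. Constructed assumptions: $CONFIG['site_host'],
// the $USERS table, and PHP >= 7.3 for the array form of session_set_cookie_params().
declare(strict_types=1);

const SERVER_SSL_PORT = 443;
$CONFIG = ['cookie_name' => 'cpg', 'cookie_path' => '/', 'site_host' => 'gallery.example'];
// Constructed sample user; stored as a password_hash() digest rather than md5().
$USERS = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Step 1: is the request already on TLS? Check HTTPS first, then fall back to the port.
function is_https(): bool
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    return (int)($_SERVER['SERVER_PORT'] ?? 0) === SERVER_SSL_PORT;
}

// Redirect to a URL built from the configured host, never from the client's Host header.
function redirect(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit;
}

function check_credentials(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if (!is_https()) {
    redirect('https://' . $CONFIG['site_host'] . '/login.php');   // step 1: force https
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && check_credentials($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    // Step 2: Secure + HttpOnly session cookie holding an opaque id, not a password hash.
    session_name($CONFIG['cookie_name'] . '_sess');
    session_set_cookie_params(['lifetime' => 3600, 'path' => $CONFIG['cookie_path'],
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['username'];
    // Step 3: back to plain http. Caveat: the browser withholds a Secure cookie on
    // http requests, so the album pages only see the login if they are https too.
    redirect('http://' . $CONFIG['site_host'] . '/index.php');
}
```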