Login security advice
 


Started by RS232, March 09, 2004, 01:42:49 PM


RS232

This is my thought

I'd like to use https to transmit username/passwords in a secure way from client to server, but at the same time I don't want to encrypt all the data transmitted by my webserver (encryption means increased traffic, and a picture of 60K could easily become 120 if encrypted). So ....
Here's my idea:
when you want to login, Coppermine redirects you to an https page where you can input login+password.
If the credentials are accepted, Coppermine sets a session (cookie or whatever else you use) and comes back to the standard http album list.

What do you think?
RS232

hyperion

If you would be willing to create this as a mod, I am sure there are people out there who could use it.

However, integrating it into the CPG distribution could be problematic as not everyone has access/is willing to pay for secure connections.
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull

RS232

Unfortunately I'm very busy and I'm not able to write any code :-(
I'd love to help!

https can be set up with a "fake" certificate; in this way you don't have the authentication of the source (you could have it, but you have to pay), but at least (most important) you encrypt the username+password sent across the wire.

:-)
rs232

jason

to accomplish this, it would seem that you need to:
  • when login.php is loaded, it should check for the ssl session... if it does not exist, then it should redirect itself to it

$SERVER_SSL_PORT = 443;
$SERVER_HTTP_PORT = 80;

$port = $_SERVER['SERVER_PORT'];

switch ($port) {
    case $SERVER_SSL_PORT:
        // already on SSL: carry on and show the login form
        break;

    case $SERVER_HTTP_PORT:
        // plain http: send the browser to the same URL over https
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
        exit;
}


  • the session cookie should be set to secure

something along the lines of
// domain left empty (''); the last argument (1 = true) sets the Secure flag
setcookie($CONFIG['cookie_name'] . '_pass', md5($_POST['password']), time() + $cookie_life_time, $CONFIG['cookie_path'], '', 1);

  • the form needs to rewrite the referer to include simply http and not https

not entirely sure on the exact implementation of this part, but would seem simple enough.

jason
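An added example in PHP (not Coppermine's code and not from any post in this thread) of the three steps above: send login.php to https, verify the credentials, issue a session cookie and return to the http album list. The $CONFIG keys, the host and the demo user are placeholders; a comment notes that a cookie flagged Secure is never sent over plain http, so a session that must work on the http album pages cannot carry that flag.

```php
<?php
// Added example, not Coppermine code: the login flow proposed in this
// thread (HTTPS for the login form only, then back to plain HTTP).
// $CONFIG keys, the demo user and the host are placeholders.

$CONFIG = [
    'cookie_name' => 'cpg_session',
    'cookie_path' => '/',
    'http_base'   => 'http://gallery.example/',
];

// Constructed user table; the hash is computed at runtime so this runs as-is.
$USERS = ['demo' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Test the HTTPS flag rather than comparing against port 443: TLS may
// be terminated on another port.
function is_https(): bool {
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Step 1: if login.php was reached over http, bounce to the https copy.
function force_https(): void {
    if (is_https()) {
        return;
    }
    $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $url, true, 302);
    exit;
}

force_https();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (isset($USERS[$user]) && password_verify($pass, $USERS[$user])) {
        // Step 2: issue an opaque random session id (server-side store
        // omitted). A cookie holding md5($password) could be replayed by
        // anyone who reads it, so no password material goes in the cookie.
        $sid = bin2hex(random_bytes(16));
        // A Secure cookie is never sent over http, so a session that must
        // work on the http album pages cannot be Secure and will travel in
        // clear on every http request; HttpOnly still hides it from scripts.
        setcookie($CONFIG['cookie_name'], $sid, time() + 3600,
                  $CONFIG['cookie_path'], '', false, true);
        // Step 3: hand back to the plain-http album list.
        header('Location: ' . $CONFIG['http_base'] . 'index.php', true, 302);
        exit;
    }
}
```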