baycouples

What is the best way of password protection that you think is the most secure when it comes to keeping your users logged in to the site?

- Cookies session tracking
- Session ID passed from page to page through ID?
- htaccess protection

baycouples

Did tech. question scare everybody?

GrouchyAdmin

You can't use session tracking, because that will be destroyed when they close the browser. Cookies allow you to set a cookie until 2038, and htaccess does no tracking other than in your access logs.

If you want to ensure they stay logged in for the duration of the single session, obviously, session length cookies are the best.

Otherwise, I don't really understand the question.

__________________

DjSap

cookie/database is the most commonly used I would think, then again I'm more focused on the design aspect...

__________________
Blog Themes, TGP Design, Writing Services, Grunt Work
ICQ: 66871495

baycouples

Yeah but cookies have to have some sort of a de-cryption on the server and that is a security risk. Why not htaccess password protection? Is there any risk there?

AgentCash

The main risk with standard .htaccess password protection is from cracking. Next up with both cookies & query sting session variables would be XSS (cross-site scripting) & ref logging allowing an attacker to steal a session. You can't bind the session to the IP address as an IP address can change during a session.

I would use a form based login, with a captcha if crackers were hitting the site. Maybe bind the useragent to the session & if I was really paranoid make all internal links POSTed form based submits.

That's off the top of my head, and I'm pretty tired, but at a glance it seems that would be pretty secure.

GrouchyAdmin

Protip: Using both the current time of login and captcha text as salt makes it quite difficult to 'crack' someone's key.

I usually use two seperate keys - the original login, and one that's set on access. If there's more than time_len difference, I force a logout. It keeps people feeling a little secure (if it takes you more than fifteen minutes to rub one out to a single picture before you decide to move on, it's not my problem.)

__________________

VexXxed

Sparta
Strongbox
Pennywize

__________________

squishypimp

check out sparta from www.toomuchmedia.com

__________________

teksonline

heh, captcha, havnt seen many site that wasnt bypassable to date.

go try to bypass nats captcha for example, all you have to do is look at one code copy that code to your server bot, and it will work for all attempts

I had to bypass it to download content zips from a nats sponsor to server and
they forced captcha, LAME THING TO DO!!!

Alky

http://sam.zoy.org/pwntcha/

there are plenty of captcha's that are VERY tough to beat.

Nathan

Hi,

small note.. he is talking about the CAPTCHA used on the NATS access template displayed on false login attempts. Not the captcha in SPARTA.

The reason why what he does works is by design, when we added the CAPTCHA in v2 (I think it was v2) we wanted to make transition as easy as possible and show people that its possible to use a captcha if wanted. We did not lockup the login system to force captcha checking.

In SPARTA the process works a lot different and is not bypassable unless it is specifically disabled in the configuration.

teksonline

btw the term Captcha should be thrown out the window

Please refer to it as "turing"

Not only is captcha, a meaningless word that don't exist, it's a stupid word
and very hard to type.

baycouples

Cracking? It's a one way MD5 encryption!!!

Alky

i think he mean't brute force http attempts.