Secure login on Web site and database #login
by Chrisanthi Karademirtzoglou - 8 years ago (2017-05-16)
My site has been hacked many times
My site has been hacked many times from different IPs and I would like a more secure login form in the backend and frontend. I am still working on this site, which is under construction, and I will feel safer if I can use a secure login solution.
1 Clarification request
by Oleg Zorin - 8 years ago (2017-05-23)
A secure login solution (including password storage) is a great idea, but...
The problem is probably a little wider than you thought. There are several ways to get access to your site:
- Someone has a login and password. This is the normal situation: each registered user has a login and password.
- Someone stole your database and decrypted the password hashes. The first thing you should do is change the database password. Second, check all your queries to the database; use PDO with placeholders (prepare/execute statements).
- Someone has FTP access to your site. If someone has FTP access, he could easily steal your DB, but it is much more effective to plant some code that authorizes anyone as administrator. So, the first thing is to change the FTP password. Second, check your code for "bad code" injections. Use Git or something similar.
- Someone uses a system exploit. If you use a third-party CMS or framework, update it to the latest version. If it is your own system, test it carefully.
As you said, your site is under construction. So, is it possible to work on a local server, and only upload it to the hosting after the product is released (including all tests)?
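The "PDO with placeholders" advice in the reply above is the single most important fix for the database part of this thread. The following is an added example, not code from the original thread or from either participant: it puts the string-built query that the reply warns about next to its PDO prepared-statement replacement and runs both against three inputs. The in-memory SQLite database, the `users` table and column names, and the two sample accounts are constructed for this demo; it assumes PHP 8.0 or later with the `pdo_sqlite` extension.

```php
<?php
// Added example, not code from the original thread. The database, table and the
// two sample accounts are constructed here purely to show the behaviour.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    foreach (['admin@example.com', "o'brien@example.com"] as $email) {
        // Hashes are generated at run time; the demo never stores a plaintext password.
        $insert->execute([':email' => $email, ':hash' => password_hash(bin2hex(random_bytes(12)), PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

/** VULNERABLE: the caller's input becomes part of the SQL text. */
function findUserUnsafe(PDO $pdo, string $email): array|false
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetch();
}

/** HARDENED: the SQL text is fixed at prepare time; the value is bound as data. */
function findUserSafe(PDO $pdo, string $email): array|false
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetch();
}

/** Runs one lookup and renders its outcome, including a failed query, as a single line. */
function describe(string $label, callable $lookup): string
{
    try {
        $row = $lookup();
        return sprintf('%-18s %s', $label . ':', $row === false ? 'no row' : 'row for ' . $row['email']);
    } catch (PDOException $e) {
        return sprintf('%-18s PDOException: %s', $label . ':', $e->getMessage());
    }
}

$pdo = connect();
$inputs = [
    'attacker tautology' => "' OR '1'='1",                // makes the WHERE clause always true in the unsafe query
    'attacker tail'      => "x' OR email LIKE '%admin%",  // steers the unsafe query to a chosen account
    'legitimate quote'   => "o'brien@example.com",        // valid address that the unsafe query cannot even parse
];

foreach ($inputs as $case => $value) {
    echo $case, PHP_EOL;
    echo describe('  unsafe query', fn() => findUserUnsafe($pdo, $value)), PHP_EOL;
    echo describe('  prepared query', fn() => findUserSafe($pdo, $value)), PHP_EOL;
}
```

Two caveats a practitioner will want. With MySQL, also pass `PDO::ATTR_EMULATE_PREPARES => false` in the connection options so the statement is really prepared server-side rather than having the values escaped client-side. And placeholders only cover values: a table or column name, or an ORDER BY direction, that comes from user input cannot be bound and has to be checked against a fixed allow-list in PHP instead.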
1 Recommendation
This class can register and log in users in a database with PDO. It can:
- Register users, sending a confirmation email
- Store user accounts with a unique email, password, and first and last name in a database table using PDO. It was tested to work with at least MySQL, PostgreSQL and SQLite.
- Hash the user password before storing it, using the password_hash function
- Activate the account with a verification code sent by email
- Perform secure login authentication using sessions and password_hash again to check the password
- Block users after a configurable number of login attempts
- Log out users, ending their sessions
by Manuel Lemos - 8 years ago (2017-05-18)
This package can be used precisely for that: it provides a secure registration and login system with records stored in a database.