Tech. question

  • baycouples
    Confirmed User
    • Mar 2004
    • 1341

    #1

    Tech. question

    What is the best way of password protection that you think is the most secure when it comes to keeping your users logged in to the site?

    - Cookies session tracking
    - Session ID passed from page to page through ID?
    - htaccess protection
    Last edited by baycouples; 10-21-2006, 12:36 AM.
  • baycouples
    Confirmed User
    • Mar 2004
    • 1341

    #2
    Did tech. question scare everybody?

    • GrouchyAdmin
      Now choke yourself!
      • Apr 2006
      • 12085

      #3
      You can't use session tracking, because that will be destroyed when they close the browser. Cookies allow you to set a cookie until 2038, and htaccess does no tracking other than in your access logs.

      If you want to ensure they stay logged in for the duration of the single session, obviously, session length cookies are the best.

      Otherwise, I don't really understand the question.

      • DjSap
        Confirmed User
        • Jul 2002
        • 3869

        #4
        cookie/database is the most commonly used I would think, then again I'm more focused on the design aspect...
        Blog Themes, TGP Design, Writing Services, Grunt Work
        ICQ: 66871495

        • baycouples
          Confirmed User
          • Mar 2004
          • 1341

          #5
          Yeah but cookies have to have some sort of a decryption on the server and that is a security risk. Why not htaccess password protection? Is there any risk there?

          • AgentCash
            Confirmed User
            • Feb 2002
            • 720

            #6
            The main risk with standard .htaccess password protection is from cracking. Next up with both cookies & query string session variables would be XSS (cross-site scripting) & ref logging allowing an attacker to steal a session. You can't bind the session to the IP address as an IP address can change during a session.

            I would use a form based login, with a captcha if crackers were hitting the site. Maybe bind the useragent to the session & if I was really paranoid make all internal links POSTed form based submits.

            That's off the top of my head, and I'm pretty tired, but at a glance it seems that would be pretty secure.

            • GrouchyAdmin
              Now choke yourself!
              • Apr 2006
              • 12085

              #7
              Originally posted by AgentCash
              I would use a form based login, with a captcha if crackers were hitting the site. Maybe bind the useragent to the session & if I was really paranoid make all internal links POSTed form based submits.
              Protip: Using both the current time of login and captcha text as salt makes it quite difficult to 'crack' someone's key.

              I usually use two separate keys - the original login, and one that's set on access. If there's more than time_len difference, I force a logout. It keeps people feeling a little secure (if it takes you more than fifteen minutes to rub one out to a single picture before you decide to move on, it's not my problem.)

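One way to implement the two-key scheme GrouchyAdmin describes above (a login key issued once, an access key rotated on every request, forced logout past time_len), combined with AgentCash's suggestion of binding the session to the User-Agent. This is an added example, not code from the thread or from any product named in it; the in-memory store, the 15-minute idle limit standing in for time_len, and the function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "time_len" from the post: 15 minutes without a request forces a logout (assumed value)
IDLE_LIMIT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    access_token: str   # second key: rotated on every accepted request
    user_agent: str     # AgentCash's suggestion: bind the session to the User-Agent
    last_seen: float    # unix time of the last accepted request


# In-memory store keyed by the first key (the login token issued once at login).
_sessions: Dict[str, Session] = {}


def create_session(user: str, user_agent: str, now: float) -> Tuple[str, str]:
    """Issue both keys at login; the caller sets them as cookies."""
    login_token = secrets.token_urlsafe(32)
    access_token = secrets.token_urlsafe(32)
    _sessions[login_token] = Session(user, access_token, user_agent, now)
    return login_token, access_token


def validate_request(login_token: str, access_token: str, user_agent: str,
                     now: float) -> Optional[Tuple[str, str]]:
    """Return (user, fresh access_token), or None when the request must be treated as logged out."""
    session = _sessions.get(login_token)
    if session is None:
        return None
    # Any mismatch destroys the session: a stolen or replayed key should not be retryable.
    ok = (hmac.compare_digest(session.access_token, access_token)
          and session.user_agent == user_agent
          and now - session.last_seen <= IDLE_LIMIT_SECONDS)
    if not ok:
        del _sessions[login_token]
        return None
    # Accepted: rotate the access key and refresh the idle clock.
    session.access_token = secrets.token_urlsafe(32)
    session.last_seen = now
    return session.user, session.access_token
```

The caller must set the returned access key as the new cookie on every response, otherwise the next request fails the comparison and is logged out.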
              • VexXxed
                Confirmed User
                • Sep 2006
                • 544

                #8
                Sparta
                Strongbox
                Pennywize

                • squishypimp
                  PostMaster General
                  • Aug 2006
                  • 10781

                  #9
                  check out sparta from www.toomuchmedia.com

                  • teksonline
                    So Fucking Banned
                    • Jan 2005
                    • 2904

                    #10
                    Originally posted by toonpornblog
                    Protip: Using both the current time of login and captcha text as salt makes it quite difficult to 'crack' someone's key.

                    I usually use two separate keys - the original login, and one that's set on access. If there's more than time_len difference, I force a logout. It keeps people feeling a little secure (if it takes you more than fifteen minutes to rub one out to a single picture before you decide to move on, it's not my problem.)

                    heh, captcha, haven't seen many sites that weren't bypassable to date.

                    go try to bypass nats captcha for example, all you have to do is look at one code, copy that code to your server bot, and it will work for all attempts

                    I had to bypass it to download content zips from a nats sponsor to server and
                    they forced captcha, LAME THING TO DO!!!

                    • Alky
                      Confirmed User
                      • Apr 2002
                      • 5651

                      #11
                      Originally posted by teksonline
                      heh, captcha, haven't seen many sites that weren't bypassable to date.

                      go try to bypass nats captcha for example, all you have to do is look at one code, copy that code to your server bot, and it will work for all attempts

                      I had to bypass it to download content zips from a nats sponsor to server and
                      they forced captcha, LAME THING TO DO!!!
                      http://sam.zoy.org/pwntcha/

                      there are plenty of captcha's that are VERY tough to beat.

                      • Nathan
                        Confirmed User
                        • Jul 2003
                        • 3108

                        #12
                        Originally posted by teksonline
                        heh, captcha, haven't seen many sites that weren't bypassable to date.

                        go try to bypass nats captcha for example, all you have to do is look at one code, copy that code to your server bot, and it will work for all attempts

                        I had to bypass it to download content zips from a nats sponsor to server and
                        they forced captcha, LAME THING TO DO!!!
                        Hi,

                        Small note: he is talking about the CAPTCHA used on the NATS access template displayed on false login attempts, not the captcha in SPARTA.

                        The reason why what he does works is by design: when we added the CAPTCHA in v2 (I think it was v2) we wanted to make the transition as easy as possible and show people that it's possible to use a captcha if wanted. We did not lock up the login system to force captcha checking.

                        In SPARTA the process works a lot differently and is not bypassable unless it is specifically disabled in the configuration.
                        "Think about it a little more and you'll agree with me, because you're smart and I'm right."
                        - Charlie Munger

                        • teksonline
                          So Fucking Banned
                          • Jan 2005
                          • 2904

                          #13
                          btw the term Captcha should be thrown out the window

                          Please refer to it as "turing"

                          Not only is captcha a meaningless word that doesn't exist, it's a stupid word
                          and very hard to type.

                          • baycouples
                            Confirmed User
                            • Mar 2004
                            • 1341

                            #14
                            Originally posted by AgentCash
                            The main risk with standard .htaccess password protection is from cracking.
                            Cracking? It's a one way MD5 encryption!!!

                            • Alky
                              Confirmed User
                              • Apr 2002
                              • 5651

                              #15
                              Originally posted by baycouples
                              Cracking? It's a one way MD5 encryption!!!
                              i think he meant brute force http attempts.
