Looking for SECURE login script

I'm currently making a website for Team639 and i'm looking for a secure login script. The script can be in any language, but PHP is preferred(since I understand it). The script must have the following criteria:

• server/user "talk" (especially with usernames and passwords) must be encrypted.
• database driven
• admin panel
• users can modify their data (Name, phone #, etc)

Thanks!

[rwaliany]

Quote:

Originally Posted by plutonium83

I'm currently making a website for Team639 and i'm looking for a secure login script. The script can be in any language, but PHP is preferred(since I understand it). The script must have the following criteria:

• server/user "talk" (especially with usernames and passwords) must be encrypted.
• database driven
• admin panel
• users can modify their data (Name, phone #, etc)

Thanks!

I would recommend http://www.phpnuke.org,
Creating one isn't too bad. It's good experience to learn.
Ex: user/login system

Code:

session_start(); // top of each page

// have a check from form post to post user/pass into a certain variable
// lets say $user, $pass it will store it into from the form variable $frm_user and $frm_pass

// next register these variables as session_variables

session_register("user", "pass");

//verify with database
$con = mysql_connect("host", "user", "pass");
//might want to add a crypt function in between for secure passwords
$result = mysql_query("SELECT from BLA where user='$user' AND pass='$pass'");
if ($row)
{
$row = mysql_fetch_assoc($result);
extract($row);
echo $user . "successfully logged in.";
}
else
{
//user denied
}

mysql_close($con);

It's just a sample, I made it up in less than a minute so there might be minute errors.

[Noah]

To secure that password, php has the wonderful
string md5 ( string str [, bool raw_output]) (<--Look, a syntax guide!<--)
function. It uses the md5 encryption technique to convert a text string into 32 char long alphanumeric string. Just store the password md5 encrypted. Whenver they log in, run md5 on thier password and then compare it to the database stored string. It's that simple!

One more thing to note: storing a password as an md5 hash means it is CasE SEnSetiVe, so you should make that obvious to your users. (Otherwise you will get lots of calls from people who can't log in. Trust me on that one.

[Greg]

Quote:

Originally Posted by plutonium83

server/user "talk" (especially with usernames and passwords) must be encrypted.

Even if you encrypt the passwords that are stored in the database, the passwords are still passed from the input form in the browser to the script on the server unencrypted in the HTTP request. You cant really encrypt the password on the client computer before sending it to the server. So if you want a truly secure connection you would have to use SSL on your server.

As for the other features you have talked about, may I suggest trying openFIRST? There is a lot of functionality in that system, and since you have the source, you can customize it to fit your team's needs.

[GregTheGreat]

Quote:

Originally Posted by Greg

Even if you encrypt the passwords that are stored in the database, the passwords are still passed from the input form in the browser to the script on the server unencrypted in the HTTP request. You cant really encrypt the password on the client computer before sending it to the server. So if you want a truly secure connection you would have to use SSL on your server.

Good Point. php will do fine if you won't have people wanting to hack whatever you are doing. If you are doing something that people may want to hack you would want to use an SSL. I know I have a written PHP setup somewhere around here.. that is if you are intereseted. It is strict access type though... no admin function. If you need the admin function it may be easier to just write your own code. If you need help give me a buzz.

Good Lcuk,

-Greg The Great

Quote:

Originally Posted by Noah

To secure that password, php has the wonderful
string md5 ( string str [, bool raw_output]) (<--Look, a syntax guide!<--)
function. It uses the md5 encryption technique to convert a text string into 32 char long alphanumeric string. Just store the password md5 encrypted. Whenver they log in, run md5 on thier password and then compare it to the database stored string.

md5 is not an encryption technique - it is a hashing technique. So, if you use md5 to hash a password, you cannot uniquely un-md5 or "decrypt" it. It is like the php function crypt(), neither crypt() nor md5() are decryptable. That's because md5 can have "collisions" as in:

PHP Code:

<?
if ((md5($var1)==md5($var2)) && ($var1!=$var2)){
print "A hashing collision\n";
}
?>

There is a one in 3.4028236692093846346337460743177e+38 probability that two different strings will have the same md5 (got probability stats from http://www.php.net/md5). Because a hashing (by definition) is a many-to-one mapping of values, the same hashed md5 can be reverse engineered to an infinite possible strings.

[deltacoder1020]

however, reverse-engineering md5, crypt, and other such algorithms is usually designed to be (at least currently) mathematically unfeasible, hence the reason they are often used for password storage - simply hash the input, and if the hashes match, you either have a correct login or someone with a supercomputer.

[Pierson]

Our team uses phpnuke as our "team communication portal" and we love it. Our wonderful webguy added a calendar module and we now have everything from team news, to our bylaws in the download section, to a scrolling calendar.

PM if you would like to know more about nuke.

[zeep25]

Why would you need a SSL secured php login script just for the robotics website ... its pretty weird ... i mean this would be one of the last website i would hack if i was hacker ...

but do check out www.hotscripts.com search for login scripts in php ... go by the features and the rating of the script

Quote:

Originally Posted by zeep25

i mean this would be one of the last website i would hack if i was hacker

Exactly.

And that's why our site uses custom non-SSL communications. We have administrative access, special registration codes (for some accounts tohave different priveleges than others), and use sessions. Our login script looks something like this (I wrote a custom database class for PHP, since our host does not have MySQL):

PHP Code:

<?
include_once("extractall.php"); // We register all session variables into $GLOBALS
session_start();
if (empty($saveuser) || isGuest($saveuser)){
$users = new nrgdb("fileforuserdb.txt");
}
?>