How to save a value without passing it in url or in a form?

Discussion in 'PHP' started by aayybb, Jul 16, 2010.

  1. #1
    Hi,

    I want to save a password to use later in code. I was using <a href="example.php?pass=xxx">..</a> then using GET to retrieve it. This is not secure. Is there any other way I can use? Since it is <a href...> I can't save it as an <input type="hidden"...> in a form and retrieve it through POST.
    I am not allowed to use $_SESSION to keep it either, for security reasons.

    Thanks for any help in advance.
     
    aayybb, Jul 16, 2010 IP
  2. Deacalion

    #2
    You can make sessions very secure by implementing things such as session_regenerate_id() and comparing an md5 hash of their user agent and ip address (plus a salt so they can't just generate a new md5 hash for their fake user agent). Which is a crap load more secure than passing a password via the query string. (POST is also insecure, so no hidden fields)

    Why not just have the browser remember them? Chrome is always bugging me to "Remember this password".
     
    Deacalion, Jul 16, 2010 IP
  3. phpsolution

    #3
    You can use Authentication right and other controller in the CakePHP framework, but I am also learning so I don't know more, but you can search it out.
     
    phpsolution, Jul 16, 2010 IP
  4. aayybb

    #4
    Thank you for the tips and I will take a look. Just curious. What is the most common way to save people's login info and allow users to stay on a login site? PHP session, PHP cookies, JavaScript cookie or something else? What do Google, Yahoo, banks, ... use? Just want to learn the most secure way but not too difficult for me to do (not an advanced PHP or JavaScript person). What does forums.digitalpoint.com use?
     
    aayybb, Jul 21, 2010 IP
  5. dacash

    #5
    PHP Session would be the best way, and PHP Session uses a cookie for the Session ID on the user's computer. Cookies aren't good for security to keep login info really. I use PHP Session for my user areas. It's quite easy to set up and you can find plenty of tutorials.
     
    dacash, Jul 21, 2010 IP
  6. Deacalion

    #6
    Most sites use cookies to store a unique key on the client side, this key can then be used to retrieve all their info from the server side database (the whole idea beneath PHP sessions, although URL parameters or form fields can also be used if cookies are disabled). There is no such thing as 'PHP cookies' or 'JavaScript cookies' - cookies are cookies no matter how they are read or set. Banks aren't the best things to emulate - they often fall on their arses when it comes to online security, the main advantage they have is they hold a lot of your personal information. Something an average website account wouldn't, so they can ask very personal security questions that only you will know the answers to.

    Google, eBay, Yahoo, Amazon - all use cookies to remember users. They do however use SSL to encrypt the entire HTTP exchange - which prevents man in the middle attacks (or just general network sniffing). Since cookies are sent within the HTTP headers and can be seen in plaintext if not encrypted.
     
    Deacalion, Jul 22, 2010 IP
  7. sunnyverma1984

    #7
    You can use a session to store the password.

    To store the password:

    // PHP variable names are case-sensitive: the superglobal is $_SESSION
    session_start();
    $_SESSION['pass'] = "your password";

    To retrieve the password:

    session_start();
    $pass = $_SESSION['pass'];
     
    sunnyverma1984, Jul 22, 2010 IP
  8. qrpike

    #8
    Check into PHP sessions, it will save it to the client's browser, other browsers will not see the same session cookies. ALWAYS call session_start(); at the start of every page, and you can set variables like: $_SESSION['user'] = 'Tom'; and echo values like: echo $_SESSION['user'];

    Thanks!
     
    qrpike, Jul 24, 2010 IP
  9. qrpike

    #9
    Be careful, as there is such a thing as session hijacking. Use salts and encryption when possible.
     
    qrpike, Jul 24, 2010 IP
  10. Deacalion

    #10
    Only the id gets saved on the client side.
     
    Deacalion, Jul 24, 2010 IP
  11. qrpike

    #11
    Yes, but only that client can see that session ID variables is what I meant.
     
    qrpike, Jul 24, 2010 IP
  12. Deacalion

    #12
    Not if you have a determined cracker who has launched a successful man in the middle attack :). Session IDs are sent in plaintext within the HTTP headers (try it yourself, run Wireshark and grep anything containing 'PHPSESSID' from port 80). If you want this to be secure, you need to make a few changes. Encryption is the first step.
     
    Deacalion, Jul 24, 2010 IP
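
The session hardening described in posts #2 and #12, sketched as an added example that is not code from any poster in this thread: the ID is regenerated at login, the session is bound to a keyed hash of user agent and IP address, and the cookie is restricted to HTTPS. It assumes PHP 7.3 or later; SESSION_SALT, client_fingerprint(), start_secure_session() and log_in() are hypothetical names, HMAC-SHA-256 is swapped in for the salted md5 mentioned in post #2, and storing a user ID rather than the password is this example's choice.

```php
<?php
// Added example. All function and constant names here are hypothetical.
declare(strict_types=1);

// Placeholder: load a long random secret from server-side configuration.
const SESSION_SALT = 'replace-with-a-long-random-server-side-secret';

function client_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // Keyed hash: without the server-side secret a client cannot
    // compute a matching value for a different user agent or address.
    return hash_hmac('sha256', $ua . '|' . $ip, SESSION_SALT);
}

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept the ID from a URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only, so not sniffable on port 80
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // A session presented by a different client than the one that logged in
    // is discarded and replaced with an empty one under a fresh ID.
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], client_fingerprint())) {
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
}

function log_in(int $userId): void
{
    // Call only after the submitted password has been verified.
    session_regenerate_id(true);            // new ID; the old session is deleted
    $_SESSION['user_id'] = $userId;         // an identifier, not the password
    $_SESSION['fp'] = client_fingerprint();
}
```

Binding to the IP address also logs out users whose address changes mid-session, for example on mobile networks, so some sites bind to the user agent only.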