
I'm currently building a username/password/session-management/etc. system for a website I've been working on. I've spent all day reading all sorts of articles on the topic, and have a much better sense of what I need to do now than before. I'm more or less set on the server side of things, and just need to code up the things that I've learned. However, one thing that I haven't been able to figure out on my own is how to best get sensitive information (username/password) to the server from the client.

I'm planning on having a login/registration page at the front-end of my site (so when you go to mysite.com, you'll just see a form or something of that nature), and then after you register or log in, you'll get served the actual webapp. What are common practices for sending login info to a server? Is the username/password combo hashed and then sent as a cookie in the header of a packet? Or could it be sent straight up as JSON (if using JavaScript)? I guess I really have no idea what the norm is, and somehow haven't been able to find any really useful info on Google or Stack Overflow, hence this question.

If you guys have any other useful info regarding login systems for sites, I'd love to hear what you have to say, since again, this is completely new to me.

Also, a related question: once I have this working, is it the standard to just have a cookie on the user's computer that identifies them so that they don't have to log in each time they visit? Is that what checking that "Keep me logged in!" box does on all those sites?

Best, and thanks

Paul Sasik
thisissami

2 Answers

Your best bet is to use HTTPS for at least your login page. You have to pay a third-party certificate authority to use an official certificate, or use one that you generated yourself, but that will cause your users to encounter various dire warnings from their browsers.

Using HTTPS (HTTP secured with SSL/TLS) encrypts all traffic between the web site and the client, which takes care of transport security for you.

Rolling your own security scheme is VERY hard to do well. The process that you describe as part of your question is easy to hack, since you have to do the hashing on the client. This is a process which is simple to reverse engineer by even a casual hacker.

And the answer to your follow-up question is yes. It's cookies.

Merlyn Morgan-Graham
Paul Sasik
  • In that case can I assume that all the major websites that people use on a regular basis out there use https for logging in, even though the pages you go through all usually just say "http"? – thisissami Aug 28 '11 at 06:11
  • Nope. If it's HTTPS it will say https. The web sites you log in to that use an unsecured HTTP login mean that they don't regard security very highly. When data security is truly important, such as with email login (Google), banking of any kind etc., you will always see HTTPS. – Paul Sasik Aug 28 '11 at 06:50
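As an added illustration (not code from either answer), here is a server-side sketch, using only Python's standard library, of the flow the accepted answer implies: the browser POSTs the plain username and password inside an HTTPS request, the server does the slow salted hashing and comparison, and the response sets a session cookie plus an optional "Keep me logged in" cookie. The in-memory dicts and the names `register`, `login` and `resume` are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# In-memory dicts stand in for a database (assumption: one process, demo only).
USERS = {}      # username -> (salt, pbkdf2 hash)
SESSIONS = {}   # session id -> username
REMEMBER = {}   # "remember me" selector -> (username, sha256 of validator)
def _kdf(password, salt):
    # Slow salted hash done on the server; the client just POSTs the password over TLS.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _kdf(password, salt))

def verify_password(username, password):
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    # Run the KDF and a constant-time compare even for unknown usernames.
    return hmac.compare_digest(_kdf(password, salt), stored)

def _set(cookie, name, value, max_age=None):
    cookie[name] = value
    cookie[name]["secure"] = True      # only sent over HTTPS
    cookie[name]["httponly"] = True    # not readable by page scripts
    cookie[name]["samesite"] = "Lax"
    if max_age is not None:            # omitted -> session cookie, dies with the browser
        cookie[name]["max-age"] = max_age

def login(form):
    """Handle the POSTed login form; return cookies to set, or None on failure."""
    if not verify_password(form.get("username", ""), form.get("password", "")):
        return None
    cookie = SimpleCookie()
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = form["username"]
    _set(cookie, "session", sid)
    if form.get("remember") == "on":   # the "Keep me logged in" box
        selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        REMEMBER[selector] = (form["username"], hashlib.sha256(validator.encode()).digest())
        _set(cookie, "remember", f"{selector}:{validator}", max_age=30 * 24 * 3600)
    return cookie

def resume(remember_cookie):
    """Map a 'remember me' cookie back to a username, or None if it is invalid."""
    selector, _, validator = remember_cookie.partition(":")
    username, digest = REMEMBER.get(selector, (None, b""))
    candidate = hashlib.sha256(validator.encode()).digest()
    return username if hmac.compare_digest(candidate, digest) else None
```

Only the hash of the long-lived validator is stored, so a leaked REMEMBER table cannot be replayed as cookies, and the selector lookup keeps the comparison constant-time.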

I recommend reading Stack Overflow's own Definitive Guide To Forms-based Website Authentication. The answers detail a few best practices for handling user login, and most likely it'll answer a lot of the questions you have regarding authentication for users.
