I need help creating secure authorization for all areas in PHP and MySQL. I have read in many forums how to make secure authorization, but none of it fits, because it is not written in detail what to do and how. Therefore I am asking this question in the hope that someone will write an explanation. Thank you in advance.

    1 answer

    If I understand correctly, you already know how to make a simple authorization.
    Security levels:

    1. Turn on SQL injection protection. Of course, you have already done this.
    2. Login + password, with a password of at least 6 characters. The password is hashed with a salt at least 10 times.
    3. Password transfer is encrypted. For encryption, use symmetric encryption, the key to which you pass via the El-Gamal scheme.
    4. All form fields have random names that are stored in the session and reassigned when the page is reloaded.
    5. The login/password fields are created by JS from two arbitrary text fields (of which there may be up to a hundred); the rest are removed by the same JS. The two fields are extracted from the $_GET request (the system knows what it converted), and if the extra ones are filled in, an error is issued.
    6. After the second error, a complex captcha appears. Better at least two lines.
    7. Run all JS responsible for security through an obfuscator.
    8. Cooldown time (the pause between unsuccessful attempts): at least 10 seconds. If the error is repeated more than 10 times, you can block the address for an hour.
    9. Paranoid: the session time in such a system is 5 minutes; for some particularly important actions, ask for a 30-second pause (the maximum script execution time on most hosting sites).
    10. Get an HTTPS certificate... :)
    • OMFG knes, and why only 10 times? :D Come on, 1000 for sure xD In general, I liked it, it made me smile... This is actually for those who are really obsessed with this. Forward, comrades :D - Zowie
    • That's right! ☺ - Miha Nikolaev
    • Everyone can choose the required minimum. Most often, people limit themselves to points 1 + 6. Regarding the number of hashes: ten times is enough, in principle. In Linux it is 100 times, but that is with an eye to the future, so as not to have to rewrite it. After two times, it becomes problematic to use rainbow tables. - knes
    • And if you use HTTP auth? - Miha Nikolaev
    • Nah, to hell with it. That dialog box infuriates me. In addition, there are a lot of restrictions and little dynamism. XD - knes
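The following is an added example, not code from the original answer or from anyone in this thread. It takes points 1, 2, 8 and 9 of the list and shows them in standard PHP: PDO prepared statements for the SQL injection protection, password_hash()/password_verify() for the salted hash (PHP's built-in bcrypt with a random salt is used here instead of a hand-rolled loop), a 10-second cooldown with a one-hour block per client address, and a five-minute session lifetime. Points 3 to 7 and 10 are left aside. The database is an in-memory SQLite via PDO so the script runs stand-alone; for MySQL only the DSN and credentials change. The table and column names, the $session array (standing in for $_SESSION), the sample user and the timestamps are assumptions made for this example.

```php
<?php
// Added example, not code from the original answer: points 1, 2, 8 and 9 of the list in standard PHP
// (PDO prepared statements, password_hash()/password_verify(), a 10 s cooldown and one-hour block per
// address, a 5-minute session). Runs stand-alone on an in-memory SQLite database; for MySQL only the
// PDO DSN changes. Table/column names, $session (standing in for $_SESSION) and the user are assumptions.
declare(strict_types=1);

const COOLDOWN_SECONDS  = 10;    // pause required between failed attempts (point 8)
const LOCKOUT_THRESHOLD = 10;    // failures before the address is blocked (point 8)
const LOCKOUT_SECONDS   = 3600;  // length of the block: one hour (point 8)
const SESSION_LIFETIME  = 300;   // five minutes of inactivity (point 9)

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // MySQL: new PDO('mysql:host=...;dbname=...', $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false])
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT)');
        $pdo->exec('CREATE TABLE login_failures (ip TEXT PRIMARY KEY, count INTEGER, last_failure INTEGER)');
    }
    return $pdo;
}

// Point 2: minimum length, then a salted adaptive hash. password_hash() draws a random salt
// itself and runs bcrypt (default cost 10, i.e. 2^10 rounds); password_verify() reads it back.
function registerUser(string $login, string $password): void
{
    if (strlen($password) < 6) {
        throw new InvalidArgumentException('password must be at least 6 characters');
    }
    $stmt = db()->prepare('INSERT INTO users (login, pw_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Point 8: 'blocked' while the one-hour block lasts, 'cooldown' within 10 s of a failure, else null.
function lockoutStatus(string $ip, int $now): ?string
{
    $stmt = db()->prepare('SELECT count, last_failure FROM login_failures WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }
    $since = $now - (int) $row['last_failure'];
    if ((int) $row['count'] >= LOCKOUT_THRESHOLD && $since < LOCKOUT_SECONDS) { return 'blocked'; }
    return $since < COOLDOWN_SECONDS ? 'cooldown' : null;
}

function recordFailure(string $ip, int $now): void
{
    $stmt = db()->prepare('SELECT count, last_failure FROM login_failures WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Keep counting only while the previous failure is still inside the block window.
    $count = ($row !== false && $now - (int) $row['last_failure'] < LOCKOUT_SECONDS) ? (int) $row['count'] + 1 : 1;
    // REPLACE INTO is a keyed upsert in both SQLite and MySQL.
    $stmt = db()->prepare('REPLACE INTO login_failures (ip, count, last_failure) VALUES (:ip, :count, :now)');
    $stmt->execute([':ip' => $ip, ':count' => $count, ':now' => $now]);
}

// Point 1: $login and $password only ever travel through bound placeholders, never into SQL text.
function attemptLogin(string $login, string $password, string $ip, array &$session, int $now): string
{
    if (($status = lockoutStatus($ip, $now)) !== null) { return $status; }
    $stmt = db()->prepare('SELECT id, pw_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_hash($password, PASSWORD_DEFAULT);  // spend one hash anyway so timing does not reveal valid logins
    }
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        recordFailure($ip, $now);
        return 'failed';
    }
    db()->prepare('DELETE FROM login_failures WHERE ip = :ip')->execute([':ip' => $ip]);
    $session = ['user_id' => (int) $row['id'], 'last_seen' => $now];  // fresh state; real code also calls session_regenerate_id()
    return 'ok';
}

// Point 9: the session dies after SESSION_LIFETIME seconds without activity.
function sessionValid(array &$session, int $now): bool
{
    if (!isset($session['user_id'], $session['last_seen']) || $now - (int) $session['last_seen'] > SESSION_LIFETIME) {
        $session = [];
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Constructed walk-through: a wrong password, a retry 5 s later (inside the cooldown), a retry
// 15 s later, then a request one minute into the session and one after the session has expired.
$session = [];
$t = 1700000000;
registerUser('alice', 'correct horse battery');
foreach ([[$t, 'wrong'], [$t + 5, 'correct horse battery'], [$t + 15, 'correct horse battery']] as [$when, $pw]) {
    echo attemptLogin('alice', $pw, '198.51.100.7', $session, $when), PHP_EOL;
}
var_dump(sessionValid($session, $t + 75), sessionValid($session, $t + 75 + SESSION_LIFETIME + 1));
```

Run it with `php login.php` (pdo_sqlite must be enabled). In the walk-through the first attempt fails, the retry five seconds later is refused by the cooldown before the password is even looked at, the retry after the cooldown succeeds and clears the failure counter, and the session check passes after one idle minute but fails once the session has been idle longer than SESSION_LIFETIME. The failure record is keyed on the client address, as point 8 describes; behind a reverse proxy use the address the proxy reports in a header you control, not the proxy's own.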