Hi,

In my new secure login script I deployed the following techniques, slightly more involved than this:

* PHP sha1() encrypted passwords
* User timeout. I update an activity date/time on each page access. if it's too old the user has to log in again.
* An incorrect password attempt causes a warning and delay of 1 min per attempt (after 5 attempts). This increases after the account is unlocked if they fail again.
* 10+ failed login attempts on one IP address causes a warning and delay of 1 min per attempt (after 10 attempts).
* I log the IP address on login, then I validate it against the user and session_id. This means the session and user is at the same location.

My user table holds:
last_activity_datetime,failed_attempts,failed_datetime,failed_ip,success_Datetime,success_ip,session_id

My IP_security table holds:
failed_ip,failed_attempts,failed_datetime

thx for the tips, great work...
but what if u store credit card numbers and expiration dates along with names and accounts etc... I need to store them encrypted and then decrypt them afterwards via pgp or even gpg....I think I might nbeed Linux on this cause windows are not the best solution for me.....any ideas for all this?

thx again

Issue 1 solved:

I have installew gpg on 2 pcs...created 2 accounts etc etc..passphrases, publickeys and secretkeys....the gpg version i have is a binary one and does not include a graphical environment...which means everything is done in the command prompt or in Cygwin if u prefer ;)...tried lots of things and encryptions...just imagine a 10,5MB mysql dump file becomes 930kb!zipped and encrypted...then sent to thew other pc...especially encrypted for user 2...then user 2 decrypts using the same prog and his passphrase...the 930kb becmes again 10,5MB ...identical to the original file...amazing till now...however...how can all these be imported/tranformed ultimately or partially in a web environment I DO NOT KNOW!i am just starting to think of some solutions....Does anyone have any idea?

I am using gnupg-w32cli-1.4.2. version...binary for win 32.....if it helps

any ideas would help...

you might want to check if you are allowed to store the numbers at all. I was ready terms not long ago for a processor and it is specifically against their terms to store the cc numbers in a 2 way format. I also hope you aren't storing the code from the back (CVV?) that is explicitly not allowed to be stored.

things you need

dedicated server - shared is not an option for storing data like this

multiple levels of security to protect this personal data both hardware and software

many many logs for everything - I mean absolutely everything. Anytime someone touches your system you better know about them and be able to track back any issue, this is at all levels.

a good sysadmin

as far as login and maintaining sessions
PHP User Authentication [webmasterworld.com] also read the review of this code

added tracking
Getting PHP session variables into your Apache logs [webmasterworld.com]

general security
PHP Security [webmasterworld.com]

I have multiple rants around about security and storing personal information and properly protecting it.

thx very much Jatar_k.
Your comments and guidance are appreciated!

I have to bare in mind lots and lots of things before procceeding...I myself dont agree to store confidential information and data on a pc even if it is the most secure server of all...for many reasons, basically ethical..but at this point its not up to me to decide...so I will have to create a theoretical "bulletproof" system (practically can not exist).
If anyone else has good ideas plz let me know

Thx again.

omoutop

>> but at this point its not up to me to decide

ah well, I never agree with that, the programmer has to inform whoever the person who does decide of the ramifications of their decisions. Sometimes you might even need to get something signed so your disagreement is documented in case of an issue.