
Secure authentication with SSL

Claes100

5:46 pm on Mar 3, 2009 (gmt 0)


Hi there,
in my next project we'll use SSL when our customers access their customer-specific part of our site.
I haven't done anything regarding SSL before and have some basic questions. Thanks in advance!

1.
It's OK for 90% of our customers to log in to their application over https. User name and the hashed password will be stored in MySQL. After authentication, what do you think is the best way to check (on each page) if the user has been authenticated when browsing the site? Setting a cookie with some hashed content or just some session variable? We would rather not have to check the database for each page access.

2.
Any other concerns regarding SSL that I need to bear in mind in the situation described above?

3.
The other 10% of our customers would rather have a "direct" https link on their intranet to our site (i.e. no login) with some sort of identifier appended, e.g. [ourDomain.com...] Are there any concerns regarding this or the way the ?id is built, and could I handle the further auth check as in 1. above when the user browses the site?

Again, all tips are much appreciated!
/Claes

optik

4:57 pm on Mar 6, 2009 (gmt 0)


You could use cookies or sessions, but make sure you back that up with a database check that includes the IP, or you will be seriously compromising the site's security. If you just issued a cookie or session (which sets a cookie as well), then a user's cookie could easily be stolen and the session hijacked.

Regarding SSL, bear in mind that if the cookie is set on a secure site it won't be valid on the rest of the site, so once logged in you will have to keep them on the secure site for any login-protected features.

Your third suggestion is frankly mad. This is about the worst security compromise imaginable: once someone has that URL they would be able to access the system, and it wouldn't even be hacking, just poor security.
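To illustrate the advice above (a session cookie backed on every page by a server-side check that includes the client IP, and a cookie that is only ever sent over https), here is an added Python example that is not from the thread or its posters; the in-memory SESSIONS dict, the function names and the sample IPs are constructed stand-ins for the MySQL session table.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60  # seconds of inactivity before a session dies
SESSIONS = {}          # stand-in for a MySQL session table (constructed)


def _digest(token):
    # Store only a hash of the token: a leaked table row is not a usable cookie.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id, client_ip, now=None):
    """Called once, after the password hash in the user table matched.
    Issues an unguessable token and records who it is for and from where."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits
    SESSIONS[_digest(token)] = {"user_id": user_id, "ip": client_ip,
                                "expires": now + SESSION_TTL}
    return token


def session_cookie(token):
    """Set-Cookie value. Secure stops the browser sending it over plain http
    (so logged-in pages must stay on https); HttpOnly keeps page scripts from
    reading it, so it is harder to steal in the first place."""
    return f"sid={token}; Secure; HttpOnly; Path=/"


def check_request(cookie_header, client_ip, now=None):
    """Per-page check against the session table, not the user table.
    Fails closed: unknown token, expired session or different IP -> None.
    (Binding to IP also logs out users whose address changes, e.g. mobile.)"""
    now = time.time() if now is None else now
    token = None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            token = value
    if not token:
        return None
    rec = SESSIONS.get(_digest(token))
    if rec is None or rec["expires"] < now or rec["ip"] != client_ip:
        return None
    rec["expires"] = now + SESSION_TTL  # sliding expiry on activity
    return rec["user_id"]


def logout(token):
    SESSIONS.pop(_digest(token), None)
```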

Claes100

5:04 pm on Mar 8, 2009 (gmt 0)


Thanks for your comment, optik.
1. I agree
2. That's OK
3. "frankly mad"... Thanks for being honest with me, I guess that was what I needed to hear... My problem is that our product management really wants to find a solution where some customers won't need to log in, but just follow a link from their intranet to our site...
The only way I could think of was the one described above, with SSL, no hits in Google search and, of course, making the customer very aware of the link's "sensibility".

Any ideas for a more secure way of achieving 3. above...?

Thanks again
/Claes