
what security features of a php membership system [closed]

Developer https://www.devze.com 2023-03-25 00:15 Source: web
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 11 years ago.

Just like the title says, what are the most common security features of a PHP-based membership system? A few I know:

What else?


Authentication != Authorization is another one that comes to mind.


An extensive list of attacks can be found here: https://www.owasp.org/index.php/Category:Attack

Some methods:

  • Abuse of Code Functionality (Bad Coding)
  • Data Structure Attacks
  • Embedding Malicious Code (XSS)
  • Exploitation of Authentications
  • Injections
  • Path Traversal Attacks (include($_GET['file']))
  • Protocol Manipulation
  • Resource Depletion (DOS/DDOS)
  • Resource Manipulation
  • Sniffing Attacks
  • Spoofing (COOKIES)


Some other things to think about:

  • Session security (How are session variables set? Can someone's session ID be stolen? Is session fixation possible?)
  • Are your forms protected against XSS?
  • Do you have any mechanism to prevent brute-force attacks, like locking out an IP address after X failed attempts? Do you need to keep track of who logs into a given account? (e.g., should you be notified if someone logs into an administrator account from an IP address in southeast Asia if your site is run solely by people who live in the US?)
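As an added example (not code from the thread), here is a minimal PHP login handler that combines three of the points raised above: hashed passwords, lockout after X failed attempts (keyed by username rather than IP address here), and regenerating the session ID on successful login so a pre-set session ID never becomes an authenticated one. The user record, the thresholds and the in-memory attempt store are constructed stand-ins for database rows.

```php
<?php
// Added example: not from the original thread. Stand-in data is constructed.
const MAX_ATTEMPTS = 5;        // failures allowed before the account locks
const LOCKOUT_SECONDS = 900;   // lockout window (15 minutes)

// Constructed user record; in a real system this row comes from the database.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
                'role' => 'member'],
];
// Failed-attempt tracker keyed by username: [count, time of first failure].
$attempts = [];

function isLockedOut(array &$attempts, string $user, int $now): bool {
    if (!isset($attempts[$user])) return false;
    [$count, $since] = $attempts[$user];
    if ($now - $since >= LOCKOUT_SECONDS) {   // window expired: reset the counter
        unset($attempts[$user]);
        return false;
    }
    return $count >= MAX_ATTEMPTS;
}

function login(array $users, array &$attempts, string $user, string $pass, int $now): string {
    if (isLockedOut($attempts, $user, $now)) return 'locked';
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $users[$user]['hash'] ?? $dummy;
    if (!isset($users[$user]) || !password_verify($pass, $hash)) {
        $attempts[$user] = isset($attempts[$user])
            ? [$attempts[$user][0] + 1, $attempts[$user][1]]
            : [1, $now];
        return 'denied';
    }
    unset($attempts[$user]);
    // Authentication succeeded: discard whatever session ID the client arrived
    // with (session fixation) and store identity and role separately, since
    // being logged in (authentication) is not the same as being allowed (authorization).
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['role'] = $users[$user]['role'];
    return 'ok';
}

session_start();
$t = time();
for ($i = 0; $i < MAX_ATTEMPTS; $i++) login($users, $attempts, 'alice', 'wrong', $t);
echo login($users, $attempts, 'alice', 'correct horse battery staple', $t), "\n";  // inside the window
echo login($users, $attempts, 'alice', 'correct horse battery staple', $t + LOCKOUT_SECONDS), "\n";  // after it
```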


Minimal password requirements are a definite must. Also, use some type of CAPTCHA.


Here is a link that shows some important security issues:

link


Not necessarily a security feature, but the user experience of the system should not be confusing. Most users have seen the uname/pword login form and some have seen OAuth/OpenId. Beyond that you enter a world where you need to ensure your intentions are clear.


I made a small list of the most usual security problems seen here: Historical security flaws of popular PHP CMS's?

It lacks the authorization != authentication problem that barfon answered, all the anti-spam protection you should have, and I'm sure some other things I can't think of right now.
