registration page over http

Aug 5, 2012 12:26 PM

Hi,

I have created a user registration page, and login page, that is accessed over http.

On each page the browser gets a page where a form is presented, and the form is posted back to the same page for validation before being entered into the database.

The only sensitive information in the forms is the user password which is encrypted after the form is posted and before being added to the database.

Is this method I am using safe, as in safe from attack, or do I need to use https?

Any advice would be much appreciated.

Thank you in advance.

 
Replies
    Aug 7, 2012 3:36 AM   in reply to tessimon

    What keeps you safe from attack is not the choice of http or https, but the security measures in your validation. If you're filtering out HTML and script tags, checking that the user input matches your criteria, and escaping values inserted in the database, you should be OK.

    The value of using https is that others cannot eavesdrop on unencrypted data being sent to the server. But if your validation and SQL injection prevention measures are inadequate, using https is meaningless.

    Aug 7, 2012 10:21 AM   in reply to tessimon

    tessimon wrote:

    When you mention filtering out HTML and script tags, please could you confirm that when I validate user input through the registration form, the fact that I check that the fields are only filled with letters, numbers or spaces is enough? If script tags were input an error would result but I am unclear on what you mean by filtering HTML.

    That should be sufficient because HTML and script tags contain non-alphanumeric characters, so should be rejected by your validation. However, it's important that the validation is done by your server-side script. You cannot rely on JavaScript validation. If an attacker bothers to use a browser (instead of an automated script), you can bet your bottom dollar that JavaScript is disabled. JavaScript validation is only a courtesy to the user to prevent a round-trip to the server if there's an error in the input.

    I have not put in place any checks that the values received through the URL are what I am expecting, let alone checking that they are only filled with letters or numbers to prevent script tags. Should I also be checking these values when I check isset()?

    Every new page is a potential hole in your security. You must always check values passed through a URL. Even though the user is logged in with a session, you can't rely on that keeping you secure.

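The server-side checks the reply describes, as an added example (not code from either poster): a whitelist test applied to both posted form fields and URL values, a slow hash for the password, and a prepared statement for the insert. Function, table and column names are hypothetical.

```php
<?php
// Added example: server-side whitelist validation for the registration form
// and for values arriving in the URL, plus password hashing and a prepared
// statement for the insert. Function and column names are hypothetical.

// Accept only letters, digits and spaces (1 to $max characters). Anything
// else, including < > / " ' and so on, is rejected, so HTML and script tags
// never pass. This runs on the server regardless of any JavaScript check.
function isPlainText(?string $value, int $max = 32): bool
{
    return $value !== null
        && preg_match('/^[A-Za-z0-9 ]{1,' . $max . '}$/', $value) === 1;
}

// Validate the posted registration form. Returns a list of error messages;
// an empty list means every field passed.
function validateRegistration(array $post): array
{
    $errors = [];
    if (!isPlainText($post['username'] ?? null)) {
        $errors[] = 'Username must be 1-32 letters, digits or spaces.';
    }
    // The password is not limited to alphanumerics: it is hashed and bound as
    // a query parameter, so its characters never reach HTML or SQL.
    if (!isset($post['password']) || strlen($post['password']) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    return $errors;
}

// The same idea for a value coming through the URL ($_GET). isset() only
// proves the key exists; the pattern proves the value is what we expect.
function validateIdFromUrl(array $get): ?int
{
    if (!isset($get['id']) || preg_match('/^[0-9]{1,10}$/', $get['id']) !== 1) {
        return null;   // rejected: not a plain positive integer
    }
    return (int) $get['id'];
}

// Insert with bound parameters so the values can never alter the SQL, and
// store a slow hash instead of the password (password_hash needs PHP 5.5+).
function insertUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}
```

In the page that receives the form, call validateRegistration($_POST) first and only call insertUser when it returns an empty array; on any page that reads the URL, use the validateIdFromUrl result (null means reject) instead of the raw $_GET value.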
