Hey. Am new to the world of web programming and learning a bunch of fairly simple new pieces of tech, trying to piece them all together.

So, we have a simple client (currently iPhone, to move to J2ME soon) that's pulling down lists of data via PHP, which is talking to a MySQL db. I have a rudimentary user/login system so that data is only served to someone who matches a known user etc, either on the website or on the client.

All the php scripts on the website that query the DB check to make sure an active session is in place, otherwise dumping the user back to the login screen.

I've read a little about SSL and want to know if that is sufficient to protect the website AND the data passing between the server and the client?

A: 

Yes, SSL is sufficient to secure the connection between the client and the server, given that it's properly setup.

Your user credentials should also be sent across from client to server over an SSL connection.

Alan
He wants to protect data, therefore the entire session must be covered by SSL/TLS, not just the login.
Longpoke
Agreed; the whole thing about login was just reminding him that if he's using SSL, that he should remember to also pass the creds via SSL (it's a common error to start the SSL session *after* authentication, and people pass creds in the clear)
Alan
+2  A: 

HTTPS is about protecting data and authenticating the endpoints. You still have to worry about properly authenticating the client to access your services. You also have to worry about vulnerabilities such as SQL Injection and other vulnerabilities that affect PHP. I highly recommend reading The OWASP Top 10 2010 A3: Broken Authentication and Session Management to make sure your session implementation is secure.

Rook
Thanks. That's exactly my concern; knowing so little about ALL of these technologies, I want to make sure I have all the angles covered. I've read just enough about SQL Injection etc. to be pretty worried. I'll do some more reading, particularly about "authenticating the client".
Amir Latif
This may be a dumb question, but is it reasonable to expect to be able to implement "good enough" security whilst being relatively new to the whole game? By new, I'd say a couple of months of working with MySQL and PHP.
Amir Latif
@Amir Latif probably not, I'd try and track down a library or framework that will help. For instance if you build your application from a CMS like Joomla you'll have all of this written for you. A CMS is easy to customize and you can build addons to do whatever you want.
Rook
Erk. That's obviously not what I wanted to hear. I'm also not overly keen on re-writing the whole thing using Joomla, mostly because I don't want to learn a large framework from scratch. There are a LOT of resources for doing this or that in PHP/MySQL. But if you think I can write my db based client-server code using something like that, I'll do some more reading. Cheers.
Amir Latif
@Amir Latif your current application could be made into a Joomla plugin. But you're right, it's not a very good solution. Another option is you could pull the Auth.php class out of this project and use it (http://code.google.com/p/michael-the-messenger/), I know it's secure because I wrote it :) .
Rook
Yeah, Joomla just doesn't seem like the right thing for us at this stage. I spent a few hours reading up on CodeIgniter and CakePHP, but having seen your Auth.php, if that's all I need, I'll just look into that. Ta very much dude.
Amir Latif
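Putting both answers' advice into code, as an added example that is not from the thread or from any of its participants (nor from the Auth.php project mentioned above): the whole session stays on HTTPS rather than only the login, credentials are only accepted over HTTPS, the user lookup is a prepared statement, and the session id is regenerated on login. It assumes PHP 7.3 or later with PDO, and a `users` table with `username` and `password_hash` columns (the hash produced by `password_hash()`); those names are assumptions, not from the page.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   users(id INT, username VARCHAR, password_hash VARCHAR)

// Refuse to handle anything over plain HTTP: credentials and session
// data must never travel in the clear, for the login or any later page.
function require_https(): void {
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
    if (!$https) {
        header('HTTP/1.1 403 Forbidden');
        exit('HTTPS required');
    }
}

// The session cookie is only sent over HTTPS and is not readable by
// client-side script, so a leaked page cannot hand over the session.
function start_secure_session(): void {
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Look up the user with a bound parameter: the username is never
// concatenated into the SQL text, so it cannot alter the query.
function authenticate(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id on login: blocks session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Guard for every data-serving script: back to the login page otherwise.
function require_login(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . '/login.php');
        exit;
    }
}
```

Each script that serves data calls `require_https()`, `start_secure_session()` and `require_login()` before touching the database; the login script calls the first two and then `authenticate()` with the posted credentials.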