
Please help – Security advice

Hello,

We are starting a family business with no web development but some programming experience, we have taken on the enormous task of building a secure website for our online browser game which includes a php apache database (full of sensitive usernames passwords etc) that need to be kept secure. We are taking small card payments for registration to the full game. After months of hard work, the website and database works, and we are now looking at security/publishing options.

There seem to be so many options out there we need some good advice and don’t know who to turn to. Consider we are not rolling in money here and need to do this in a practical but secure way.

Our first task is to stop users from simply typing in the correct url link for the full game, and playing it without actually signing up. We thought this should be easy but apparently it is not.

We have heard from some sources that SESSION cookies are the standard way of doing this and would really appreciate some decent advice on whether they are secure enough for the purposes of our business (we would like to provide a reliable and secure service to lots of players).

From other sources we have heard that we absolutely need to set up the website on two servers, an internal server with all of the files we want to protect or be inaccessible via url, and an external or “gateway” server which includes the homepage and communicates with it. This option seems extremely complicated and we only want to undertake it if it’s absolutely necessary.

Considering the needs of our business, would you please be so kind as to help us choose the right option, or make us aware of any other more suitable options out there that we might not know about.

Many many thanks,

RichardTheFrog


3 Comments

@SMTS Aug 23, 2011 — Your website (which I am assuming accumulates less than 50-100 unique users a day) should not [B]need[/B] to be as secure as, say, Google. There becomes a point that you've added so much security, your real users can't even use your system. It is not likely that you need a specialized external device. If someone wants in that bad, and they know how to get in, then they're gonna get in no matter how many precautions you take.

Session cookies work, but it's not just the cookie. You need a way to validate that cookie, a way to match the encrypted passwords with the appropriate sessions, a way to keep track of all current sessions, and several other elements.

All of the above can be accomplished in various ways:

  • Software or coded solution

  • Hardware or external device solution

  • Pre-written script solution (such as a CMS or forum)

  • Manual entry solution (like .htaccess - ban by IP)


    Obviously, there is no 100% foolproof security. But rather it is the measures that you take to get security as close to that as possible.

    You will NOT accomplish the level of security that you want with HTML. [B]So, you have posted this in the wrong forum[/B]. You will need to look into php, CGI, or another - more powerful - scripting language.

    Here are some pointers:
  • If the login is wrong, don't let on whether it was the username or password that was wrong.

  • If you print out the username (e.g. you print 'there is no user Bob registered here') make sure you html encode the username first to prevent cross-site scripting attacks.

  • The choice of session id hashing algorithm is important. MD5, the default in many cases is not really suitable for applications which require a good level of security.

  • Make sure any database lookups you do carry out are protected against SQL injections.


    Want more? Read this.

    Want a Pre-Coded solution: http://www.bravenet.com/

    Good Luck

    [I]This is posted in the wrong forum. For best answers, please move it to a different forum as advised above.[/I]
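The following PHP is an added example written for this thread; it is not code from RichardTheFrog's site or from SMTS's reply. It shows the session-cookie gate the original question asks for (a game page that refuses requests without a logged-in session) together with the four pointers above: one generic failure message, HTML encoding of the username before it is echoed, a server-issued session id that is regenerated on login rather than anything derived from MD5, and prepared statements for the lookup. It assumes PHP 7.1 or later with PDO, a users table with a bcrypt password_hash column and a paid flag, and that every game page goes through a front controller that calls require_paid_session(). The function names, the in-memory SQLite store and the account "bob" are all constructed for the example.

```php
<?php
// auth.php: session-gated access for a paid game (added example, not code from the thread).
// Assumptions: PHP 7.1+ with PDO; a users table holding a bcrypt password_hash and a paid
// flag; game pages are served only through a front controller that calls
// require_paid_session() before emitting anything.
declare(strict_types=1);

// Hardened session cookie settings. Must run before session_start() and before any output.
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the id from the query string
    ini_set('session.cookie_httponly', '1');  // JavaScript cannot read the cookie
    ini_set('session.cookie_secure', '1');    // only sent over HTTPS (assumes TLS is deployed)
    session_start();
}

// Opens the user store. The in-memory SQLite database and its single account are constructed
// here so the file runs offline; a real site would open its MySQL/PostgreSQL DSN from config.
function open_user_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password_hash TEXT NOT NULL, paid INTEGER NOT NULL DEFAULT 0)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash, paid) VALUES (?, ?, ?)');
    // Only the salted bcrypt hash is stored; the plaintext never reaches the table.
    $ins->execute(['bob', password_hash('correct horse battery', PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns the user id for a valid username/password of a paid account, null otherwise.
// The caller must not report which of the two fields was wrong.
function check_login(PDO $db, string $username, string $password): ?int
{
    // Prepared statement: the username is bound as data, so "bob' OR '1'='1" is just a name.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? AND paid = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify even for unknown users so response time does not reveal whether
    // the username exists. The dummy hash is computed once per process.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = ($row === false) ? $dummyHash : $row['password_hash'];
    $ok = password_verify($password, $hash);

    return ($ok && $row !== false) ? (int) $row['id'] : null;
}

// Login handler: on success, issue a fresh session id (defeats session fixation) and record
// only the user id in the session; the password hash stays in the database.
function login(PDO $db, string $username, string $password): bool
{
    $userId = check_login($db, $username, $password);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

// Guard for every game page: a request without a logged-in session is redirected away,
// so typing the game URL directly gets nothing.
function require_paid_session(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// HTML-encode anything user-controlled before it goes into a page (cross-site scripting).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Generic failure message: the same text whether the username or the password was wrong.
const LOGIN_FAILED = 'Invalid username or password.';

// Command-line demonstration of the functions above with constructed attempts.
if (PHP_SAPI === 'cli') {
    start_secure_session();
    $db = open_user_db();
    $attempts = [
        ['bob', 'correct horse battery'],          // valid
        ['bob', 'wrong password'],                 // wrong password
        ['alice', 'correct horse battery'],        // unknown user
        ["bob' OR '1'='1", 'anything'],            // SQL injection attempt
        ['<script>alert(1)</script>', 'anything'], // XSS attempt via the username
    ];
    foreach ($attempts as [$user, $pass]) {
        $msg = login($db, $user, $pass) ? 'Welcome back, ' . h($user) : LOGIN_FAILED;
        echo h($user) . ' => ' . $msg . PHP_EOL; // h() keeps the output safe to render
    }
}
```

Run it with `php auth.php`; only the first attempt succeeds, and the other four all get the same generic message. On the web site, each game page would begin with start_secure_session() followed by require_paid_session(), so the protected files are never served to a browser that has not logged in, whatever URL it types. Note that the session id here is whatever PHP generates and the cookie is the only place it is accepted from; nothing in the cookie is derived from the password.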
    @RichardTheFrog (author) Aug 24, 2011 — Hi,

    We are very grateful for your reply, we will take all of your pointers into careful consideration as we continue to finish up the site. We could have as low as 50 unique users per day but given the nature of games and the factors that determine popularity, we are preparing for the possibility of millions of users that have paid for a product that they expect to have secure and consistent access to.

    So to summarise, an internal server with an external gateway device setup would not offer a significant improvement to our security beyond what the SESSION cookies can already offer much more simply.

    We also heard from someone who was promoting the external gateway setup that it was of huge importance not to let hackers find out the IP address of our internal server which contains all of our important files/database, and that the external gateway setup is the only way of achieving that.

    Would you agree that ensuring our IP is not made public should be our utmost priority? And do you know of any other ways (hopefully simpler ways) we may be able to hide it to the same effect?

    Many many thanks,

    RichardTheFrog

    PS. I will start this thread again in the PHP section, incidentally we are using a lot of PHP to communicate between various html files and the .swf on our site.
    @SMTS Aug 29, 2011 — It is good that you are [I]not[/I] getting rid of session cookies. They are extremely simple, but secure, and an external device will [I]not[/I] replace them.

    Off the top of my head, I don't know about the IP thing. If you want this to be secure, you should be consulting with a private professional. Advice from me and other people on this forum is [B]no replacement[/B] for a trained professional whose expertise is in server security.

    I really hope this works out for you.

    Happy securing!

    ~Charles