
will this secure feature even help?

I am writing a site right now which will probably be used by a lot of people. It's for a startup company that I am part of, and this is the first time I am writing code for a site that could receive over 100,000 hits a day. I am trying to make it as secure as possible, and just in case we do not make the whole thing SSL I am wondering if this security feature I have thought of will even help.

Right now all I am doing once a person is logged in is storing their IP address from login in a session, their username and the session variable 'login' = true. Then every time they hit a secure page I check to make sure all 3 values are correct, including comparing the IP address to their current remote_address. This does not give them very much security; I know it's better than nothing, and if a real hacker wants into a site they will find a way, but I was thinking that if I add just a little something it might give them more of a challenge. The problem is I am not sure if this will slow down the site too much or even really make it more of a challenge.

What if I generate a unique string, store it in a session variable AND in the MySQL database, then each time the user hits a secure page it compares the session variable to the MySQL database variable; if they match it generates a new unique string and replaces the old session variable and MySQL variable. This would force the hacker to capture the string over the network, get set up to intercept the traffic and pose as the user, and access the site and do his damage. If the user hit another secure page BEFORE the hacker did, the unique string would have changed. Also, if someone's unique string does not match up, the MySQL variable would be set to null and the session destroyed on the client's computer, forcing the client to re-login (through SSL).

My main concern is if this site gets A LOT of hits, I am talking 1,000,000 hits a day, would this piece of extra code be too much for 2 servers to handle? Or a cluster? I have always wondered how much database reading and writing a server could handle before it really, really slowed down. Also, does my logic for security make sense? Or is there a loophole I am not seeing here?

thanks
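The scheme in the question, as an added example rather than the poster's own code. SQLite in memory stands in for the MySQL users table, and plain PHP arrays stand in for the session files and for the browser's cookie jar, so the whole exchange runs from the command line with no web server. One assumption is made explicit that the question leaves open: the rotating string is handed to the client as a cookie and compared as a third copy. If it lived only in `$_SESSION` and the database, a replayed session cookie would resolve to the same server-side session and the same stored token, and the check would pass for the hijacker exactly as it does for the user. Names such as `securePage`, `storeToken`, the `users` table and the addresses are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not the original poster's code). SQLite in memory stands in for
// the MySQL users table; plain arrays stand in for PHP's session files and for the
// browser's cookie jar, so the whole exchange runs from the CLI with no web server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, token TEXT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

$sessions = [];   // session id => session data (what $_SESSION would hold)

function newToken(): string
{
    return bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not uniqid()
}

function storeToken(PDO $db, string $user, ?string $token): void
{
    $db->prepare('UPDATE users SET token = ? WHERE username = ?')->execute([$token, $user]);
}

// Login (the one request the poster would keep on SSL). Returns the cookies the
// browser receives: a fresh session id plus the first rotating token.
function login(PDO $db, array &$sessions, string $user, string $ip): array
{
    $sid = bin2hex(random_bytes(16));   // in real PHP: session_regenerate_id(true)
    $token = newToken();
    $sessions[$sid] = ['login' => true, 'user' => $user, 'ip' => $ip, 'token' => $token];
    storeToken($db, $user, $token);
    return ['sid' => $sid, 'token' => $token];
}

// One hit on a secure page. $cookies is the jar the request carries; it is updated
// in place with the rotated token, as a Set-Cookie header on the response would do.
function securePage(PDO $db, array &$sessions, array &$cookies, string $ip): bool
{
    $sid = $cookies['sid'] ?? '';
    $s = $sessions[$sid] ?? null;
    if ($s === null || $s['login'] !== true || $s['ip'] !== $ip) {
        return false;   // the poster's three existing checks
    }
    $stmt = $db->prepare('SELECT token FROM users WHERE username = ?');
    $stmt->execute([$s['user']]);
    $dbToken = $stmt->fetchColumn();
    $presented = $cookies['token'] ?? '';
    // Three-way match: session copy, database copy and the value the client presents.
    if (!is_string($dbToken)
        || !hash_equals($dbToken, $s['token'])
        || !hash_equals($dbToken, $presented)) {
        storeToken($db, $s['user'], null);   // null the DB token ...
        unset($sessions[$sid]);              // ... and destroy the session: re-login required
        return false;
    }
    $token = newToken();                     // match: rotate all three copies
    $sessions[$sid]['token'] = $token;
    storeToken($db, $s['user'], $token);
    $cookies['token'] = $token;
    return true;
}

function show(string $label, bool $ok): void
{
    printf("%-44s %s\n", $label, $ok ? 'allowed' : 'denied, re-login');
}

// Constructed scenario: alice logs in, then an eavesdropper on the non-SSL pages
// copies her cookies (session id and current token) and replays them from an
// address that passes the IP check, e.g. from behind the same NAT.
$alice = login($db, $sessions, 'alice', '10.0.0.5');
show('alice: first secure page', securePage($db, $sessions, $alice, '10.0.0.5'));
$eve = $alice;   // cookies captured from that response
show('alice: second page (token rotates again)', securePage($db, $sessions, $alice, '10.0.0.5'));
show('eve: replays the captured cookies', securePage($db, $sessions, $eve, '10.0.0.5'));
show('alice: next page after the mismatch', securePage($db, $sessions, $alice, '10.0.0.5'));
```

Run it with `php rotate.php`: the first two hits are allowed, Eve's replay is denied because her copy of the token is one rotation stale, and Alice's following hit is denied too because the mismatch nulled the database token and dropped the session. If Eve's replay lands before Alice's next click the roles swap: Eve's hit is the one that rotates the token and Alice's request trips the mismatch, so the scheme detects a hijack after one stolen page rather than preventing it. On cost, each secure hit adds one SELECT and one UPDATE on a single row found by primary key; 1,000,000 hits a day is about 12 requests per second on average, so the extra load is the peak rate rather than the daily total, and the same two statements work unchanged against MySQL.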

PHP
@Bozebo Dec 14, 2005 — 1 mil hits a day................ that's insane if they're all unique; only sites that get that much are like neopets, microsoft (complaints), macromedia... and a few others lol. If they're not unique then the session won't, like.. ehm, you know, if it's the same person it won't make another session... I dunno.

(my post was probably pointless)