How secure is the Login extra? - My Forums

How secure is the Login extra?

dubbs — Apr 22, 2015, 06:14 AM

I am building a new site with a members area and am using the Login extra - to allow members to login and access the members area. I am planning on having SSL on the domain name for added security - with SSL - how secure will the contents of the members area be? Any tips on making this as tight and secure as possible?

P.S. Running Revo 2.3.1 and Login 1.9.0-pl

Cheers

dubbs.

Re: How secure is the Login extra?

dubbs — Apr 29, 2015, 11:10 AM

Hi sofasurfer - not really related no - Best to not cache your Base URL.

Re: How secure is the Login extra?

sofasurfer.org — Apr 28, 2015, 10:19 AM

Not sure if this is really related, but I just had an issue with my base_url changing all the time.

After taking a look at the config file I found this:

        
$http_host= array_key_exists('HTTP_HOST', $_SERVER) ? $_SERVER['HTTP_HOST'] : 'my.site.com';

For what I understand this isn't really save, but can be solved with SSL. It's also possible, that my webserver got hacked, I just changed it so it will be fix to my domain.

Just wondering if someone else had a similar issue, have seen this previous post:
http://forums.modx.com/thread/?thread=33408&page=1

Re: How secure is the Login extra?

dubbs — Apr 28, 2015, 08:25 AM

Bob / Susan - thanks for your input here. Bob - I am not using the Register aspect of Login - The only way to create a new member is by being logged into the manager - so that should help make things as tight as poss I guess?

Any tips of making things as secure as poss?

Re: How secure is the Login extra?

BobRay — Apr 27, 2015, 11:04 PM

I think Login is fairly secure. The weak link, imo, is Register. I can't really describe the vulnerabilities without giving miscreants ideas, but I created Subscribe partly to avoid the issues with Register.

That said, someone taking the trouble to exploit the Register snippet is a pretty low-probability event. There are much easier ways to break into sites these days, and since Register is mostly used for front-end users with limited rights, the payoff wouldn't be worth the effort.

Re: How secure is the Login extra?

sottwell — Apr 27, 2015, 08:48 AM

Internal MODX security is handled using PHP sessions, which are controlled by cookies. Like SSH, cookies may or may not be secure. By default, MODX does set its session cookies using "HttpOnly", although this is a system setting and can be turned off.

http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html

Re: How secure is the Login extra?

sottwell — Apr 27, 2015, 08:44 AM

There are so many aspects to "security" that it's hard to respond in any meaningful way. SSL itself may or may not be particularly useful unless it's properly understood and used.

Basically SSL/SLT serves two purposes, one to validate the identity of the site being connected to, which requires a certificate, but who certifies the certificate? A lot of bad certificates have turned up over the years, and still are turning up from time to time.

The other purpose is to encrypt the content being passed. The encryption part doesn't depend on a certificate, but browsers will throw up nasty warning dialogs if there isn't a "recognized" certificate attached, so it's generally not too useful to just use it for the encryption alone.

https://scotthelme.co.uk/ssl-does-not-make-site-secure/

Re: How secure is the Login extra?

dubbs — Apr 27, 2015, 04:22 AM

Anyone any thoughts on this???