
Security and where to go after login and more stuff



Hi!

I'm working on a login-form on my webpage (xampp@localhost) and instead of just taking the "get it working and forget it" approach, I've decided to go security first so I don't have to do things twice. Should I split the login script into two or more pieces for security, or is it better to just leave it as one? I've also guessed that sessions are the way to go if you think about security, am I wrong?

The basic site design is a banner on the top, a menu on the left and a big window with the main content (standard and boring design, yes, and no scrolling :-)). I'm using frameset at the moment, with targeted loading (no refreshing the whole page). Would some newer technology be better? If yes, what should I learn? How can I replace the frameset? Also, I'd love to have a standard background image, using transparent backgrounds on the pages "lying on top".

Someone who knows how I can get a css file to apply to all pages without typing it in on each **** page? In asp.net you can do it by putting it in your master page, but I've decided to develop avoiding asp.

I consider myself good at html and css, no master but I've been working with it for the past few months for some school projects. I haven't learned javascript yet, but I'm planning to do so. The database is up and running so that's one thing less to worry about.

And in the end, any tutorials you'd recommend?

Thanks for your time!

-Nerevar



Should I split the login script into two or more pieces for security, or is it better to just leave it as one?

I don't see how it would change anything. Usually, the main problem with login forms is the risk of SQL injection.

Would some newer technology be better?

Framesets are a relic of the past (from the Netscape days). Frames already sucked 10+ years ago. They're ugly, bookmarking or linking to one of your pages is a pain (the bookmarks/links that will work will lose your frameset too), often the back and refresh buttons don't work as intended, printing is a pain, etc. Again, they just SUCK. Just use some server-side includes instead.

Someone who knows how I can get a css file to apply to all pages without typing it in on each **** page?

Just put it in your first server-side include (like the one for the top portion of the page).

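The SQL injection risk mentioned in the reply above, shown from the defensive side as an added example that is not code from any poster in this thread: a login check that passes the user name as a bound parameter and verifies the password against a stored hash. The `users` table, its columns, the sample account and the `check_login` function are assumptions, and an in-memory SQLite database stands in for the real one so the script runs offline with `php file.php`.

```php
<?php
declare(strict_types=1);
// Added example: table, columns and the sample account are constructed.

// In-memory SQLite stands in for the site's real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
            pw_hash TEXT, level INTEGER)');
$ins = $pdo->prepare('INSERT INTO users (name, pw_hash, level) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

// Verified against when the user does not exist, so both failure paths
// do the same amount of hashing work.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

/** Returns the user row on success, null on any failure. */
function check_login(PDO $pdo, string $name, string $password, string $dummyHash): ?array
{
    // The placeholder keeps the submitted name out of the SQL text:
    // quotes in $name are compared as data, never parsed as SQL.
    $stmt = $pdo->prepare(
        'SELECT id, name, pw_hash, level FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['pw_hash'] : $dummyHash;
    $ok = password_verify($password, $hash);

    // Same result for "no such user" and "wrong password".
    return ($row && $ok) ? $row : null;
}

// Constructed form inputs: a valid login, a wrong password, and a name
// containing quote characters of the kind an injection attempt relies on.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'x'],
];
foreach ($cases as [$n, $p]) {
    $user = check_login($pdo, $n, $p, $dummyHash);
    printf("%-20s => %s\n", $n, $user ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; the third is looked up as a literal user name that does not exist.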

First of all, thanks for answering!

I know about the SQL injection, which I'm planning to try to kill afterwards. But still, would it be better to split the login into two files? I'm asking since that's what's done in ASP.NET, which I've had some experience with from a university course but it didn't strike my fancy, but I also had a short hand-in with php, so I decided that I would continue using php. Is it more secure? Marginally?

Include is no problem, but what should I put it in then? Tables? Iframes? Others? Also, for the linking part, it's for a specific purpose so please don't pay attention to that.

Thanks!


When I made my own CMS, my login page submitted info to itself. If it passed, it would redirect to a user welcome page. If login failed, it would redirect to a failed page. I made this in 2005, but if I would redo it, I would definitely use AJAX so I could do everything with just 1 page. Of course, all form fields used a validator include, and all pages had a sentry include that checked session info and user rights levels.

I don't know if it would help you much, I did it in PHP. :unsure:

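A sketch of the kind of "sentry include" described in the post above, as an added example and not the poster's CMS code: one file included at the top of every protected page that checks the session and the user's rights level. The file name `sentry.php`, the function names, the session keys, the `/login.php` path and the idle limit are all assumptions.

```php
<?php
declare(strict_types=1);
// sentry.php (hypothetical name): include at the top of every protected page.

const IDLE_LIMIT = 1800; // seconds of inactivity allowed; constructed value

/**
 * Pure decision logic, kept separate so it can be tested without a browser.
 * Returns 'ok', 'login' (not signed in or expired) or 'forbidden'.
 */
function sentry_decide(array $session, int $requiredLevel, int $now): string
{
    if (!isset($session['user_id'], $session['level'], $session['last_seen'])) {
        return 'login';
    }
    if ($now - (int)$session['last_seen'] > IDLE_LIMIT) {
        return 'login';
    }
    return ((int)$session['level'] >= $requiredLevel) ? 'ok' : 'forbidden';
}

/** Call on the login page after the password check has succeeded. */
function sentry_sign_in(int $userId, int $level): void
{
    session_regenerate_id(true); // fresh session id, defeats session fixation
    $_SESSION = ['user_id' => $userId, 'level' => $level, 'last_seen' => time()];
}

/** Call on each protected page, e.g. sentry_require(2); */
function sentry_require(int $requiredLevel): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Add 'cookie_secure' => true once the site is served over HTTPS.
        session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax',
                       'use_strict_mode' => true]);
    }
    $verdict = sentry_decide($_SESSION, $requiredLevel, time());
    if ($verdict === 'login') {
        $_SESSION = [];
        header('Location: /login.php'); // hypothetical path
        exit;
    }
    if ($verdict === 'forbidden') {
        http_response_code(403);
        exit('Forbidden');
    }
    $_SESSION['last_seen'] = time(); // sliding idle timeout
}
```

Because every page runs the same check, it makes no difference to security whether the login form and its handler live in one file or two; what matters is that no protected page can be reached without passing through the include.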

When I made my own CMS, my login page submitted info to itself. If it passed, it would redirect to a user welcome page. If login failed, it would redirect to a failed page. I made this in 2005, but if I would redo it, I would definitely use AJAX so I could do everything with just 1 page. Of course, all form fields used a validator include, and all pages had a sentry include that checked session info and user rights levels.

I don't know if it would help you much, I did it in PHP. :unsure:

I'm using php (had some asp.net at the university, but I hate that), and since you think AJAX would be a good idea, I'll try that after I get the basic login working. The question isn't what works best but what would be most secure, everything in one file or split in two?

Also, what should I replace the frameset with, since that's not recommended?


I'm asking since that's what's done in ASP.NET

Not sure what you're talking about. I never split my login stuff in 2 parts, and the vast majority of what I do is ASP.NET (and I love it too -- it's so darn productive). The only "split" thing I can think about which you may be referring to is the separation between markup and code (aka code-behind) but that has nothing to do with this (splitting the code in 2 in some way for no apparent reason).

Is it more secure? Marginally?

It's not inherently more secure in any way. It's only going to be as secure as you code it. You can write very secure and very insecure code in any language.

Include is no problem, but what should I put it in then? Tables? Iframes? Others?

You said you had previous experience with CSS so I assumed you'd go for that. These days we use div tags (wrapping around different parts of the page) which we then position using CSS. It's pretty simple as long as you understand the box object model (there's plenty of templates and tutorials out there to get you started as well).


I know about the div etc, but what would be the best (or recommended if you want) for php includes that suddenly change one section on the site? iframes or tables? Thanks again!

You can use AJAX to change includes. You could also use page variables and vars in your include code if you wanted. It is something I was working on but I got sidetracked. I never got to test it out yet.
