Hi,
I have an existing PHP membership script and want to add a few things:
1) Currently the users' passwords are stored as plain text. I want to store these as a hash (with added salt) so it's more secure. There are many of my customers who use this script already and we have an upgrade page, so the conversion of plaintext to hash etc. should be added to an upgrade routine for existing customers too.
2) There seems to be a hacking attack whereby some people are attacking random sites that are using my script and somehow managing to click on parts of the site which should be protected by PHP sessions. This might be session fixation but I'm not sure. I've read that session regenerate ID can help so this needs to be implemented on user login/logout pages and also any other advice on preventing this attack is welcomed.
3) We have an existing forgotten password routine which emails a user their password in plaintext if they enter their email. However, when we convert to using hashed passwords this won't work. So I need you to also come up with a solution on how users can retrieve their passwords or perhaps reset their password.
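One way to put the three items into code, as an added example that is not the poster's script: PHP's password_hash()/password_verify() for item 1 (including a one-off upgrade of stored plaintext rows), session_regenerate_id() on login and logout for item 2, and a token-based reset in place of emailing passwords for item 3. Assumed names: a PDO handle $pdo and a users table with columns id, email, password, reset_hash and reset_expires (the last as a Unix timestamp).

```php
<?php
// Added example, not the poster's script. Assumes session_start() has run, a PDO handle
// $pdo, and a users table with columns id, email, password, reset_hash, reset_expires (assumed).

// Item 1, upgrade routine run once from the upgrade page. password_hash() embeds a
// random salt in each result, so no salt column is needed; re-running is harmless.
function upgradePlaintextPasswords(PDO $pdo): int {
    $upd = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $count = 0;
    foreach ($pdo->query('SELECT id, password FROM users') as $row) {
        if (!empty(password_get_info($row['password'])['algo'])) continue; // already hashed
        $upd->execute([':hash' => password_hash($row['password'], PASSWORD_DEFAULT), ':id' => $row['id']]);
        $count++;
    }
    return $count;
}

// Items 1 and 2: verify against the hash, then replace the session ID so an ID
// planted before login (session fixation) never becomes an authenticated one.
function login(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password'])) {
        return false;
    }
    session_regenerate_id(true); // true discards the old session data as well
    $_SESSION = ['user_id' => $user['id']];
    return true;
}
function logout(): void {
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Item 3, reset instead of retrieval: a hash cannot be reversed, so email a one-time
// link carrying a random token. Only the token's SHA-256 is stored, valid for one hour.
function createResetToken(PDO $pdo, string $email): ?string {
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('UPDATE users SET reset_hash = :h, reset_expires = :e WHERE email = :email');
    $stmt->execute([':h' => hash('sha256', $token), ':e' => time() + 3600, ':email' => $email]);
    return $stmt->rowCount() === 1 ? $token : null; // caller puts $token in the emailed link
}
function resetPassword(PDO $pdo, string $token, string $new): bool {
    $stmt = $pdo->prepare('UPDATE users SET password = :p, reset_hash = NULL, reset_expires = NULL'
        . ' WHERE reset_hash = :h AND reset_expires > :now');
    $stmt->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':h' => hash('sha256', $token), ':now' => time()]);
    return $stmt->rowCount() === 1;
}
```

The upgrade routine skips rows that already hold a recognised hash, so it can be re-run safely by customers who upgrade more than once.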
CRITERIA
========
1) You must have at LEAST 10 feedbacks with 100% rating
2) You should have an expert knowledge of PHP security and best practices
Future work will be offered to you if the job is well done.
One more thing: our code is currently hosted on Github, so knowledge of Github/git is preferred.
Thanks for your time,
Anthony