u/Sad_School828

Looking to refactor my brain

I have a big problem with HTML-based login and persistence routines.

1: As far as login security goes, when the end-user is typing in the username and password, I just can't justify letting the user transmit that data "in the clear" over SSL/TLS. I lived through Heartbleed, so yes I do consider SSL/TLS encryption to be entirely "in the clear" even though we haven't heard of anything like Heartbleed for over a decade. I mean I have a hardcore psychological aversion, like a phobia, to transmitting the user-data as entered and without doing some pre-obfuscation like running a SHA-hash over the username and password before even sending it over an encrypted pipe.

2: As far as session security goes, when exchanging cookie data with an endpoint, I have a similar phobia about any use of PHP Sessions or other built-ins. I mean I get absolutely pedantic about it, creating my own class to represent an HTTP-level packet header and then I extend that into a cookie and I ultimately build the HTTP packet from the ground-up. Even though newer versions of PHP have finally introduced support for high-security cookie properties, I still just refuse to use it. Then I database my own user-IPs and user-agents and other data representing the physical characteristics of the session-owner, and I implement my own methods of validating a session.

So absolutely every project I try to start, for myself, ends up being a circular shitshow where I'm constantly tweaking this thing or that thing which never actually gets past the session/login procedures... or even better, gets months past that point before I come up with a tweak and then I basically just trash everything but the session/login and start over from there.

I'm looking for anybody who actually builds websites, not some WordPress Template or some DreamWeaver page, but full-stack ground-up developments which intertwine the CGI with the front-end GUI, who can explain to me why I'm acting like a paranoid retread in such a complete and rational way that I can learn to trust server/browser built-in security along with pipe-cryptography, and just get on with my life.

Alternately, I'd love to hear from anybody who doesn't think I'm being paranoid or retready but who can give me some advice to get my head out of my backside where it comes to worrying that I'm wasting time by feeding my security-centered phobias.

Edited 20h after posting: Just wanted to thank everybody who answered in good faith. Not just good advice for getting my head oriented right, but good advice for alternative/additional security measures. There were even a couple of plain common-sense suggestions that I would never have come up with on my own!
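For reference, the PHP built-ins that cover the cookie properties and session validation the post above describes hand-rolling, as an added example (not code from the post or its author); PHP >= 7.3, the PDO handle and the `users(id, username, password_hash)` table are assumptions:

```php
<?php
// Added example, not code from the original post. Shows the PHP built-ins
// that cover the cookie properties and session checks the post describes
// building by hand. Assumes PHP >= 7.3 and a PDO handle with a table
// users(id, username, password_hash); both are assumptions for illustration.
declare(strict_types=1);

// 1. Hardened session cookie: TLS-only, unreadable from JavaScript, and not
//    attached to cross-site requests (the "high-security cookie properties"
//    the post refers to).
session_set_cookie_params([
    'lifetime' => 0,         // dropped when the browser closes
    'path'     => '/',
    'secure'   => true,      // never sent over plain HTTP
    'httponly' => true,      // document.cookie cannot read it
    'samesite' => 'Strict',  // not sent on cross-site requests
]);
ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against a salted bcrypt/argon2 hash in
    // constant time; the plaintext is never stored or compared directly.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // 2. New session ID after authentication, so an ID that existed before
    //    login (session fixation) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

// 3. Per-request check that binds the session to the client characteristics
//    recorded at login, the same idea as the post's hand-rolled validation.
function sessionStillValid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['ua_hash'], $ua);
}
```

Call `login()` from the form handler and `sessionStillValid()` at the top of every authenticated page; on a false result, call `session_destroy()` and send the user back to the login form.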

reddit.com
u/Sad_School828 — 5 days ago

Has anyone else been sucked into r/developers?

That's r/developers, not r/developer (this subreddit right here).

r/developers started showing up in my Reddit feed not long after I subscribed to r/developer -- but absolutely every time I attempt to post or even comment in r/developers I find that they have deliberately sabotaged the forum, by AutoMod.

Specifically, they never ever allow me to post anything because every single time they claim I'm including "external links" which violate the forum rules... the first time it was "my.domain.com" and today it was C#.NET and VB.NET -- except that even after I edited the post to "C# DotNET and VB DotNET" the forum and its phony AutoMod then decided that VB DotNET was still an external link, so I was still not allowed to post.

Feels to me like r/developers is literally there to imitate r/developer, but the mods are just plain trolls who make totally phony posts (which look a whole lot like the legitimate posts in this subreddit here) in the interest of pissing people off and making them think r/developer is to blame. I like to think I'm pretty on-the-ball with this stuff, but it still took me a few repetitions of this troll-mod behavior in r/developers to figure out that it was NOT happening in r/developer.

reddit.com
u/Sad_School828 — 12 days ago

My favorite part about fiber is polishing the tip. I love being on an actual worksite, working with somebody new and different, and seeing that look of dawning horror on the face around the 12th time I deliberately use the words, "polish that tip," in an affectionate tone of voice.

reddit.com
u/Sad_School828 — 20 days ago

A user called me to ask how to operate a Mk 2 Pineapple. I did my best to describe the Mk 2 from top to bottom, including how to ensure that it doesn't slide around during the required procedure.

When I heard him say the words, "Okay! I pulled out the stick and the little clippy thing flew off the side... Now what?" I knew I had solved all his problems!

reddit.com
u/Sad_School828 — 25 days ago