Secure Authentication
Posted: Wed Jul 21, 2004 5:02 am
by jakobdoppler
Hi
I checked out a few varieties of authentication process for proceeding to secure pages.
1.) After login and writing the user info into a SESSION variable, some secure pages use a small script to recheck the md5-encrypted $_SESSION['passwort'] against the database every time they are called.
2.) A second possibility is just to log in and rely on a SESSION check at the beginning of every page, like
<?php
session_start();   // must be called before $_SESSION can be read
// Reject the request unless the login page set the flag; stop before any secure code runs.
if (!isset($_SESSION['registered']) || $_SESSION['registered'] != 1) {
    die('Cannot access page');
}
// proceeding secure code
?>
I would be interested in the security aspect of both. Is it better to establish a DB connection every time, or is it more secure just to check this $_SESSION['registered'] which came from a single authentication? Are there better options?
thx _yak
Posted: Wed Jul 21, 2004 5:30 am
by feyd
well.. session data is kept on the server, generally, so you could just set the session permission hook when needed.. which would save a database query for other information..
Posted: Wed Jul 21, 2004 5:37 am
by AGISB
It all depends on the security you need. If you are protecting e.g. a members section where unauthorized access is just annoying, the session approach is ok. If you are protecting e.g. personal data of the user, it might not be secure enough.
Your versions 1 and 2 have basically the same security, as if the session is captured by someone it doesn't matter whether you check the password against a database or just check the session. It might be enough security if you let the session die e.g. every 15 to 30 minutes.
Better security does require www-authentication, combined with sessions and probably SSL.
I am also still thinking about the security issue, as it is probably the most complex thing if you need to protect something important, as there are so many ways to bypass certain settings.
Posted: Wed Jul 21, 2004 7:44 am
by jakobdoppler
@AGISB
yeah

I like that www-authentication and I actually want to use SSL + Digest web authentication and sessions.
Found a very good PEAR class, which worked for me after some modifications: Auth and AuthHttp
http://pear.php.net/packages.php?catpid ... entication
It's all about highly secure personal data, therefore it needs a special kind of "attention" and system design consideration.
But nevertheless, if I work with PHP I have to rely on SESSIONS as a security part somehow, do I? But that SESSION switching seems interesting to me, how would you code this? Does it change something in this session check that is performed on every page?
Regards _yak
Posted: Wed Jul 21, 2004 8:06 am
by AGISB
I use the session to recall the www-authenticate after a certain time the user has not done anything. The browser normally recalls the credentials as long as the browser stays open, unless you call a new www-authentication. This reduces the danger of e.g. a user logging in using a public internet terminal where the browser stays open by default. In this scenario the attacker just needs to surf the browser history and simply connect.
There is of course no 100% security against stupid users, but at least you can limit it down to a small percentage.
Posted: Wed Jul 21, 2004 8:28 am
by jakobdoppler
And how do you call this? How can I destroy the session after a certain time?
Is it a JavaScript thing, that the browser automatically loads a page with a session_destroy() command after a while in which no one has moved the mouse?
Or is there a setting on the server that destroys a session after a certain time?
thx _yak
Posted: Wed Jul 21, 2004 8:30 am
by jakobdoppler
Sorry, the thing with the mouse was kind of a joke.

I don't know how to do this on the client side...
Posted: Wed Jul 21, 2004 12:12 pm
by feyd
onmousemove, [re]set a timer.
Posted: Wed Jul 21, 2004 1:20 pm
by AGISB
For me it works to refresh the session on each link. If you only have one page, simply destroy the session with e.g. a meta refresh after a certain time.
You could write a custom session handler with e.g. a MySQL database and use a cronjob to do the garbage collection on the expired sessions.
A meta-refreshing iframe might also do the job.
Posted: Wed Jul 21, 2004 1:29 pm
by feyd
you don't need a cronjob to garbage collect the expired sessions.. just run a delete query over the table saving only those with lifespans, and not autologin..
Posted: Wed Jul 21, 2004 1:43 pm
by AGISB
feyd wrote:you don't need a cronjob to garbage collect the expired sessions.. just run a delete query over the table saving only those with lifespans, and not autologin..
Of course this will work. I was thinking that on a low activity site it might be a long time until a session expires, but of course then you don't have to worry about security at all.
It might be a performance plus to use cron on very high volume sites, as the query might take some time if many sessions are saved in the table and you would have to do the query on every site call. But this would indeed have to be many sessions, so the delete query should be fine.
Posted: Thu Jul 22, 2004 7:34 am
by jakobdoppler
@AGISB mhh, I think I don't understand.
Usually when a browser window is closed, the session expires. But when no one closes the browser, what kind of setting destroys the session after a certain inactivity?
Is there a session expire setting server side, because e.g. JavaScript will not do a good job on this, will it?
And isn't a session refreshed every time I press a succeeding link?
@both, Thx a lot for your help _yak
Posted: Thu Jul 22, 2004 7:54 am
by AGISB
It's quite simple:
you save a session ID in a database and add a timestamp.
On each call you check this entry against the timestamp, and if it is beyond a certain time you destroy the session and reauthenticate. If the time is not expired, you can refresh the timestamp.
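An added example (not code from the thread) of the timestamped session table AGISB describes, combined with feyd's suggestion of clearing expired rows with a delete query on each call instead of a cronjob. It assumes PDO with an in-memory SQLite database so it runs stand-alone (swap the DSN for MySQL in practice); the 15-minute limit, the table layout and the fixed clock values in the demo are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Idle-timeout check for a
// session ID stored in a database together with a last-seen timestamp.

const IDLE_TIMEOUT = 15 * 60; // seconds; 15 minutes, the lower end of AGISB's 15-30 minute range

// Shared PDO handle; in-memory SQLite so the example runs offline (assumption).
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }
    return $pdo;
}

// Called once after a successful login: bind a fresh, unguessable session ID to the user.
function openSession(string $user, int $now): string {
    $id = bin2hex(random_bytes(16)); // 128 bits of randomness
    $st = db()->prepare('INSERT INTO sessions (id, user, last_seen) VALUES (?, ?, ?)');
    $st->execute([$id, $user, $now]);
    return $id;
}

// Called at the top of every protected page. Returns the user name if the
// session is alive, or null if it is unknown or has been idle too long; on
// null the caller sends the user back through authentication.
function checkSession(string $id, int $now): ?string {
    // Sweep every expired row on each call (feyd's delete query, no cronjob).
    $gc = db()->prepare('DELETE FROM sessions WHERE last_seen < ?');
    $gc->execute([$now - IDLE_TIMEOUT]);

    $st = db()->prepare('SELECT user FROM sessions WHERE id = ?');
    $st->execute([$id]);
    $user = $st->fetchColumn();
    if ($user === false) {
        return null; // expired (just deleted) or never issued
    }
    // Still valid: refresh the timestamp so activity extends the session.
    $up = db()->prepare('UPDATE sessions SET last_seen = ? WHERE id = ?');
    $up->execute([$now, $id]);
    return $user;
}

// Demonstration with a constructed clock instead of time().
$t0  = 1000000;
$sid = openSession('yak', $t0);
$r1 = checkSession($sid, $t0 + 600);             // 10 minutes idle: still within the limit, timestamp refreshed
$r2 = checkSession($sid, $t0 + 600 + 899);       // 14m59s after that refresh: still within the limit
$r3 = checkSession($sid, $t0 + 600 + 899 + 901); // 15m01s after the last refresh: over the limit
$r4 = checkSession('not-a-real-id', $t0);        // an ID that was never issued
var_dump($r1, $r2, $r3, $r4);
```

The first two calls return "yak" and the last two return null; the third shows the "destroy and reauthenticate" step, since the sweep has already removed the row before the lookup. The expiry is measured from the last refresh, not from login, which is what "refresh the session on each link" amounts to; if you also want an absolute lifetime, add a `created` column and test it in the same query.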
Posted: Thu Jul 22, 2004 8:03 am
by jakobdoppler

Ahh ok *g*, thx a lot, I'll give it a try!
greetz _yak
Posted: Thu Jul 22, 2004 1:56 pm
by WaldoMonster
I use a cookie-based authentication, something like this:
Set up a database with only the username and password.
When login is ok, then set a cookie with username, expire time and a hash of username+password+clientip+clientagent+timeout+serversecret.
Every time you grant a page, set a new cookie with a new expire time etc.
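An added example (not WaldoMonster's own code) of the cookie he describes: the cookie carries the username and expire time in the clear, plus a keyed hash over username, password record, client IP, client agent and expire time, and is re-issued with a fresh expire time on every granted page. Assumptions: HMAC-SHA256 with the server secret as key stands in for "a hash with ... serversecret"; the password field used in the hash is whatever the database stores for the user (a password hash here, never the plaintext); the secret, lifetime and demo values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Cookie-based authentication
// with an integrity hash over the fields WaldoMonster lists.

const COOKIE_LIFETIME = 15 * 60; // seconds until the cookie must be re-issued (assumption)
const SERVER_SECRET   = 'constructed-demo-secret-use-random-bytes-in-production'; // assumption

// Keyed hash binding the cookie to user, stored password record, client and expiry.
function cookieMac(string $user, string $passwordRecord, string $ip, string $agent, int $expires): string {
    $data = implode("\0", [$user, $passwordRecord, $ip, $agent, (string) $expires]);
    return hash_hmac('sha256', $data, SERVER_SECRET);
}

// Cookie value issued after login and re-issued on every granted page.
// Format: user|expires|mac (usernames must therefore not contain '|').
function issueCookie(string $user, string $passwordRecord, string $ip, string $agent, int $now): string {
    $expires = $now + COOKIE_LIFETIME;
    return $user . '|' . $expires . '|' . cookieMac($user, $passwordRecord, $ip, $agent, $expires);
}

// Verify a presented cookie against the current request. $lookupPassword maps
// a username to its stored record, or null if unknown. Returns the user or null.
function verifyCookie(string $cookie, callable $lookupPassword, string $ip, string $agent, int $now): ?string {
    $parts = explode('|', $cookie, 3);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null; // malformed
    }
    [$user, $expiresStr, $mac] = $parts;
    $expires = (int) $expiresStr;
    if ($expires < $now) {
        return null; // expired
    }
    $record = $lookupPassword($user);
    if ($record === null) {
        return null; // unknown user
    }
    // Constant-time compare so a forged MAC cannot be probed byte by byte.
    if (!hash_equals(cookieMac($user, $record, $ip, $agent, $expires), $mac)) {
        return null; // tampered, or a different IP, agent or password record
    }
    return $user;
}

// Constructed demo: no real users, addresses or secrets.
$users  = ['yak' => password_hash('correct horse', PASSWORD_DEFAULT)];
$lookup = function (string $u) use ($users): ?string {
    return $users[$u] ?? null;
};
$now = 1000000;
$c   = issueCookie('yak', $users['yak'], '192.0.2.10', 'Mozilla/5.0', $now);

$sameClient  = verifyCookie($c, $lookup, '192.0.2.10', 'Mozilla/5.0', $now + 60);
$otherIp     = verifyCookie($c, $lookup, '198.51.100.7', 'Mozilla/5.0', $now + 60);
$tamperedExp = explode('|', $c);
$tamperedExp[1] = (string) ($now + 86400);            // attacker extends the expiry in the clear
$tampered    = verifyCookie(implode('|', $tamperedExp), $lookup, '192.0.2.10', 'Mozilla/5.0', $now + 60);
$expired     = verifyCookie($c, $lookup, '192.0.2.10', 'Mozilla/5.0', $now + COOKIE_LIFETIME + 1);
var_dump($sameClient, $otherIp, $tampered, $expired);
```

Only the first check returns "yak"; the other three return null. Because the stored password record is part of the hash, every outstanding cookie stops verifying as soon as the user changes their password, and because the client IP is included, a cookie copied from one machine does not work from another (at the cost of logging users out when their address changes). In a real deployment send the value with `setcookie()` using the `secure` and `httponly` flags, and keep SERVER_SECRET out of the source tree.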