secure authentication method


sgalmeida
Forum Newbie
Posts: 4
Joined: Tue Dec 23, 2003 11:24 am

secure authentication method

Post by sgalmeida »

Greetings

I'm looking for an article/tutorial/sample/method for a secure authentication method for user login and password.

can anyone give some suggestions?

TIA

Almeida
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

How do you mean secure? A webpage sent over https will be secure. One way to protect passwords is to only store the MD5 or SH1 (sp?) hash of the password.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

Hehe, searched for years, here are my best results: Basically you have to decide whether to use a simple HTML Form Authentication or HTTP Basic or Digest Authentication, which offers a little more security but needs some workaround to create a logout, since a Browser caches the credentials until you close it.

Besides these links below, have a look at "my search for the holy grail".

viewtopic.php?t=24126&highlight=
viewtopic.php?t=25571&highlight=
viewtopic.php?t=23923&highlight=

*hth* _yak


outofabox
-----------
1) patUser, haven't tried it out, but seems to be very good + documentation
2) Pear Authentication Classes (+ HTTP Basic/ HTTP Digest)
3) didn't try this one

tutorials
-----------
4) Authentication Module with HTTP Basic Authentication, that's what I used finally with some modifications, I preferred this one to Pear:Auth because I could find a way to use Basic WWW Authentication with a Logout feature.
5) different scripts all somehow related, some are easy to follow and implement

---
[1] http://www.php-tools.de/ >> patUser
(tutorial part 1/2/3)
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-1/
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-2/
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-3/
[2] http://pear.php.net/packages.php?catpid ... entication
[3] http://www.xiven.com/sourcecode/digestauthentication
[4] viewtopic.php?t=24789
[5] http://www.evolt.org/article/comment/17 ... index.html
http://martin.f2o.org/php/
http://www.evolt.org/article/Creating_a ... /17/19661/
http://www.evolt.org/article/Creating_a ... /17/27093/

info on HTTP authentication and drawbacks
http://www.php.net/manual/tw/features.http-auth.php
http://wiki.slugbug.org.uk/HTTP_Authentication
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I wrote a little tutorial that can be found right here in the tutorial forum

Tutorial name: Authentication Module
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

@AGISB

Hej, yeah I mentioned that too.
It is basically the system I used for authentication; with some modification I even managed to create a kind of "Logout" in Basic Authentication.

Thx for your tutorial :-) I found, it was very helpful.

_yak
sgalmeida
Forum Newbie
Posts: 4
Joined: Tue Dec 23, 2003 11:24 am

Post by sgalmeida »

jakobdoppler wrote: @AGISB

I even managed to create a kind of "Logout" in Basic Authentication.

_yak
greetings,

can you post your alterations module for logout?

thanks very much
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Logout is really easy:

```php
<?php
// Escape the three values that identify the current login before they go into the query
$sess = mysql_escape_string(session_id());
$user = mysql_escape_string($_SERVER['PHP_AUTH_USER']);
$addressip = mysql_escape_string($_SERVER['REMOTE_ADDR']);
// Drop every Session_Log row that matches the session id, the user name, or the client IP
$delete_str = "DELETE FROM Session_Log WHERE Session = '$sess' OR User = '$user' OR IP_Address = '$addressip'";
$result = @mysql_query($delete_str);
....
?>
```
So basically you simply have to delete all Session_log entries with the current username, IP and Session_id. Display the logout message and all is done. The user has to reauthorize to login again.
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

@AGISB

I came up with the same idea, just without using the ip_address, as it is easily possible to have several users in the same IP range.
In the tutorials section I wanted to leave some comment on your code, but since this forum is restricted, I leave it here, perhaps you can modify your tutorial, if you find this information valuable. I am going to refer myself to the last script in this tutorial - Authentication Module (HTTP Basic)

1.) In the verify_user function I would recommend using md5 hash instead of using the mysql password() function http://dev.mysql.com/doc/mysql/en/Appli ... d_use.html
The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications; change to md5...
2.) On line 51 the query on TStamp column must be named time_stamp to run properly
3.) You could point out what is necessary to get the script to run, like leaving all the dashes in $just-a-name and $just-a-time names out. That sounds a little bit silly to mention this, but for my part I didn't know that dashes are not allowed for naming.
4.) It was very good to mention, that the line

```php
<?php
session_set_cookie_params(0, '/', '.foo.com');
?>
```
helps passing subdomains, but if e.g. I want to pass the session from a page that is secured by the script to a non secured area, it does not work for me, I have to drop that line. (mhh wondering if my point here makes sense at all ?!)

5.) Maybe it would be fine if you could post a version of the final script with the log_failed_user($user) lines included and the simple added Logout discussed here.

Thx again for your good tutorial _yak
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

@jakobdoppler

As I place every IP-Block in the database I can easily drop every entry with the current IP as only the current user can have the ip and I want to log him out. If another user has the same IP (e.g. AOL proxy) entry in the database it is also invalid as that user must have a new IP now. However I noticed a problem in the tutorial. I should also update the ip-address in the session log to make sure it is always the correct one.

However as all entries with the username are deleted the user is also effectively logged out and any possible left IP entry would be gone within 15 minutes anyway.


1) Yes indeed this should be recommended. I kept it simple here.

2) I changed fieldnames and var names from my actual used functions as known var names could pose a possible security risk. So there might be a problem with different renaming.

3) I just placed a placeholder for the people to replace. I should have mentioned this indeed ;)

4) Weird. This is working fine for me. Might be a php.ini issue or php version issue.

5) Problem is that I cannot post or correct the tutorial as the forum is blocked for posting as I also still have some German notes in it ;)
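The session-log pattern discussed in this thread (Basic-auth credentials checked against a stored hash, a Session_Log row per login, logout by deleting rows), as an added example that is not AGISB's tutorial code or anything posted above. It uses an in-memory SQLite database via PDO, prepared statements instead of escaped string interpolation, and password_hash() instead of MySQL PASSWORD() or a bare md5; the users table, the helper names and the sample account are assumptions, and logout deletes by session id and user name only, per jakobdoppler's point about shared IPs.

```php
<?php
// Added example, not from the tutorial. Session_Log, Session, User, IP_Address and
// time_stamp follow the thread; the users table and function names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE Session_Log (Session TEXT, User TEXT, IP_Address TEXT, time_stamp INTEGER)');

// Constructed sample account; the stored hash is salted, unlike PASSWORD() or plain md5.
$ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// verify_user: check the Basic-auth credentials against the stored hash.
function verify_user(PDO $db, string $user, string $pass): bool {
    $q = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}
// log_session: record the login so later requests can be gated on the table.
function log_session(PDO $db, string $sess, string $user, string $ip): void {
    $q = $db->prepare('INSERT INTO Session_Log (Session, User, IP_Address, time_stamp) VALUES (?, ?, ?, ?)');
    $q->execute([$sess, $user, $ip, time()]);
}
// is_logged_in: a row for this session and user younger than 15 minutes (the thread's expiry) counts.
function is_logged_in(PDO $db, string $sess, string $user): bool {
    $q = $db->prepare('SELECT COUNT(*) FROM Session_Log WHERE Session = ? AND User = ? AND time_stamp > ?');
    $q->execute([$sess, $user, time() - 15 * 60]);
    return (int)$q->fetchColumn() > 0;
}
// logout: delete by session id and user only. Matching on IP_Address as well, as the
// snippet above does, would also log out other users behind the same proxy.
function logout(PDO $db, string $sess, string $user): int {
    $q = $db->prepare('DELETE FROM Session_Log WHERE Session = ? OR User = ?');
    $q->execute([$sess, $user]);
    return $q->rowCount();
}

// Walk through the flow with constructed values in place of $_SERVER['PHP_AUTH_USER'] etc.
$sess = bin2hex(random_bytes(16));
if (verify_user($db, 'alice', 'correct horse')) {
    log_session($db, $sess, 'alice', '203.0.113.5');
}
var_dump(is_logged_in($db, $sess, 'alice'));
logout($db, $sess, 'alice');
var_dump(is_logged_in($db, $sess, 'alice'));
```

After logout the browser still resends the Basic-auth header, but with no Session_Log row the gate rejects the request, so the user has to authenticate again just as the thread describes.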
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

5) Problem is that I cannot post or correct the tutorial as the forum is blocked for posting as I also still have some German notes in it
hehe, at least no problem for me here, I am from Austria ;-)
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »
