
secure authentication method

Posted: Fri Sep 17, 2004 9:33 am
by sgalmeida
Greetings

I'm looking for an article/tutorial/sample/method for a secure authentication method for user login and password.

can anyone give some suggestions?

TIA

Almeida

Posted: Fri Sep 17, 2004 9:53 am
by pickle
How do you mean secure? A webpage sent over https will be secure. One way to protect passwords is to only store the MD5 or SHA-1 hash of the password.

Posted: Fri Sep 17, 2004 10:10 am
by jakobdoppler
Hehe, searched for years; here are my best results. Basically you have to decide whether to use a simple HTML form authentication or HTTP Basic or Digest authentication, which offers a little more security but needs some workaround to create a logout, since a browser caches the credentials until you close it.

Besides these links below, have a look at "my search for the holy grail".

viewtopic.php?t=24126&highlight=
viewtopic.php?t=25571&highlight=
viewtopic.php?t=23923&highlight=

*hth* _yak


out of the box
-----------
1) patUser, haven't tried it out, but seems to be very good + documentation
2) PEAR Authentication Classes (+ HTTP Basic / HTTP Digest)
3) didn't try this one

tutorials
-----------
4) Authentication Module with HTTP Basic Authentication, that's what I finally used, with some modifications; I preferred this one to PEAR::Auth because I could find a way to use Basic WWW Authentication with a logout feature.
5) different scripts, all somehow related; some are easy to follow and implement

---
[1] http://www.php-tools.de/ >> patUser
(tutorial part 1/2/3)
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-1/
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-2/
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-3/
[2] http://pear.php.net/packages.php?catpid ... entication
[3] http://www.xiven.com/sourcecode/digestauthentication
[4] viewtopic.php?t=24789
[5] http://www.evolt.org/article/comment/17 ... index.html
http://martin.f2o.org/php/
http://www.evolt.org/article/Creating_a ... /17/19661/
http://www.evolt.org/article/Creating_a ... /17/27093/

info on HTTP authentication and drawbacks
http://www.php.net/manual/tw/features.http-auth.php
http://wiki.slugbug.org.uk/HTTP_Authentication

Posted: Fri Sep 17, 2004 12:27 pm
by AGISB
I wrote a little tutorial that can be found right here in the tutorial forum.

Tutorial name: Authentication Module

Posted: Sat Sep 18, 2004 7:02 am
by jakobdoppler
@AGISB

Hey, yeah, I mentioned that too.
It is basically the system I used for authentication; with some modification I even managed to create a kind of "logout" in Basic Authentication.

Thanks for your tutorial :-) I found it very helpful.

_yak

Posted: Mon Sep 20, 2004 3:50 am
by sgalmeida
jakobdoppler wrote: @AGISB

I even managed to create a kind of "Logout" in Basic Authentication.

_yak
Greetings,

Can you post your alterations to the module for logout?

thanks very much

Posted: Mon Sep 20, 2004 11:48 am
by AGISB
Logout is really easy:


<?php
// Assumes an open mysql connection and the tutorial's Session_Log table.
// mysql_real_escape_string() escapes according to the connection's charset;
// the older mysql_escape_string() does not and is deprecated.
$sess = mysql_real_escape_string(session_id());
$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
$addressip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$delete_str = "DELETE FROM Session_Log WHERE Session = '$sess' OR User = '$user' OR IP_Address = '$addressip'";
// Do not silence errors with @: a failed DELETE here means the user was not logged out.
$result = mysql_query($delete_str) or die('Logout failed: ' . mysql_error());
....
?>
So basically you simply have to delete all Session_Log entries with the current username, IP and session id. Display the logout message and all is done. The user has to re-authorize to log in again.
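The pattern described in this post and in jakobdoppler's earlier remark about Basic authentication needing a workaround for logout, written out as a complete page gate. This is an added example, not AGISB's tutorial code: the protected page accepts a request only if a matching row exists in a server-side session log, and logout deletes that row. Because the browser keeps re-sending the cached Authorization header, the logout page also answers 401 so the browser prompts again (the usual workaround; exact behaviour varies by browser). Assumptions: PDO with SQLite (in-memory, so the block runs self-contained from the command line), hypothetical table and column names (`users`, `session_log`), and passwords stored with `password_hash()` rather than `md5()`. The sample user and session at the bottom are constructed data.

```php
<?php
// Added example; not the tutorial's code. HTTP Basic gate backed by a session log,
// so that "logout" is possible by deleting the server-side row.
// Assumptions: PDO + SQLite in memory; table/column names are hypothetical.

const SESSION_TTL = 15 * 60;   // the thread mentions stale rows expiring after 15 minutes

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE session_log (session TEXT PRIMARY KEY, user TEXT NOT NULL,
               ip TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

function add_user(PDO $db, string $name, string $password): void
{
    $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)')
       ->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

function verify_user(PDO $db, string $name, string $password): bool
{
    $st = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Create or refresh the row for this session. The IP is refreshed too, which AGISB
// notes the original tutorial forgot to do. (INSERT OR REPLACE is SQLite syntax.)
function touch_session(PDO $db, string $sid, string $user, string $ip): void
{
    $db->prepare('INSERT OR REPLACE INTO session_log (session, user, ip, last_seen)
                  VALUES (?, ?, ?, ?)')->execute([$sid, $user, $ip, time()]);
}

function session_is_active(PDO $db, string $sid, string $user): bool
{
    $db->prepare('DELETE FROM session_log WHERE last_seen < ?')->execute([time() - SESSION_TTL]);
    $st = $db->prepare('SELECT COUNT(*) FROM session_log WHERE session = ? AND user = ?');
    $st->execute([$sid, $user]);
    return (int) $st->fetchColumn() > 0;
}

// Logout: drop the rows for this session and this user. The IP is deliberately not part
// of the key, as jakobdoppler points out: many users can sit behind one address.
function logout(PDO $db, string $sid, string $user): int
{
    $st = $db->prepare('DELETE FROM session_log WHERE session = ? OR user = ?');
    $st->execute([$sid, $user]);
    return $st->rowCount();
}

function send_401(string $message): void
{
    header('WWW-Authenticate: Basic realm="Members"');
    header('HTTP/1.0 401 Unauthorized');
    exit($message);
}

// Put this at the top of every protected page. Returns the user name or ends the request.
function require_basic_auth(PDO $db): string
{
    session_start();
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $ip   = $_SERVER['REMOTE_ADDR'] ?? '';
    if ($user !== '' && session_is_active($db, session_id(), $user)) {
        touch_session($db, session_id(), $user, $ip);   // known session: no password check needed
        return $user;
    }
    if ($user !== '' && verify_user($db, $user, $pass)) {
        session_regenerate_id(true);                   // fresh session id on login
        touch_session($db, session_id(), $user, $ip);
        return $user;
    }
    send_401('Authentication required');
}

// The logout page: remove the server-side state, then ask the browser to re-prompt.
function logout_page(PDO $db): void
{
    session_start();
    logout($db, session_id(), $_SERVER['PHP_AUTH_USER'] ?? '');
    session_destroy();
    send_401('You have been logged out');
}

// Self-check when run from the command line (no web server needed); constructed data.
if (PHP_SAPI === 'cli') {
    $db = open_db();
    add_user($db, 'alice', 'correct horse');
    if (!verify_user($db, 'alice', 'correct horse') || verify_user($db, 'alice', 'wrong')) {
        throw new RuntimeException('password check broken');
    }
    touch_session($db, 'sid-1', 'alice', '192.0.2.10');
    if (!session_is_active($db, 'sid-1', 'alice')) throw new RuntimeException('session not found');
    if (logout($db, 'sid-1', 'alice') !== 1) throw new RuntimeException('logout removed wrong rows');
    if (session_is_active($db, 'sid-1', 'alice')) throw new RuntimeException('still logged in');
    echo "ok\n";
}
```

Note what this does and does not achieve: the server can forget its own session state and make the browser prompt again, but it cannot make the browser forget a cached Basic credential; if the user re-enters the same password the gate simply logs them in again, which is the limitation the thread is working around.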

Posted: Tue Sep 21, 2004 9:27 am
by jakobdoppler
@AGISB

I came up with the same idea, just without using the IP address, as it is easily possible to have several users in the same IP range.
In the tutorials section I wanted to leave some comments on your code, but since this forum is restricted, I leave them here; perhaps you can modify your tutorial if you find this information valuable. I am going to refer to the last script in this tutorial - Authentication Module (HTTP Basic).

1) In the verify_user function I would recommend using an md5 hash instead of the MySQL PASSWORD() function http://dev.mysql.com/doc/mysql/en/Appli ... d_use.html
"The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications." Change to md5...
2) On line 51 the query on the TStamp column must be named time_stamp to run properly.
3) You could point out what is necessary to get the script to run, like leaving all the dashes out of the $just-a-name and $just-a-time names. That sounds a little silly to mention, but for my part I didn't know that dashes are not allowed in variable names.
4) It was very good to mention that the line


<?php
session_set_cookie_params(0, '/', '.foo.com');
?>
helps with passing the session across subdomains, but if, e.g., I want to pass the session from a page that is secured by the script to a non-secured area, it does not work for me; I have to drop that line. (Hmm, wondering if my point here makes sense at all?!)

5) Maybe it would be nice if you could post a version of the final script with the log_failed_user($user) lines included and the simple logout discussed here added.

Thanks again for your good tutorial. _yak
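Point 1 above, and pickle's earlier suggestion in the thread to store only an MD5 or SHA-1 digest of the password, in working PHP. This is an added example, not code from the thread or from the tutorial it discusses: a bare md5() is unsalted and cheap to brute-force, so current PHP provides password_hash()/password_verify() (bcrypt by default, with a per-password salt) instead. The example verifies a login against either form and upgrades a legacy MD5 hash to password_hash() the next time that user logs in successfully, which is how an existing md5-based user table can be migrated without resetting passwords. The `$users` array standing in for the user table is constructed sample data.

```php
<?php
// Added example; not code from the thread. Verify against a legacy md5() hash or a
// password_hash() hash, and upgrade legacy rows on successful login.
// The $users array below stands in for the tutorial's user table (constructed data).

// What the 2004 tutorial would store: an unsalted, fast hash. Kept only to show the upgrade.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// A 32-char lowercase hex string is the legacy form; password_hash() output starts with "$".
function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Returns true if $password matches $stored. When it matches a legacy MD5 hash, or a
// password_hash() hash made with outdated parameters, $stored is replaced in place
// with a fresh password_hash() value so the caller can write it back to the user table.
function verify_and_upgrade(string $password, string &$stored): bool
{
    if (is_legacy_md5($stored)) {
        // hash_equals() compares in constant time; == would leak timing.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $stored = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample user table: one legacy row, one already using password_hash().
$users = [
    'alice' => legacy_md5_hash('correct horse'),
    'bob'   => password_hash('battery staple', PASSWORD_DEFAULT),
];

check(verify_and_upgrade('correct horse', $users['alice']), 'alice logs in with legacy hash');
check(!is_legacy_md5($users['alice']), 'alice row upgraded to password_hash()');
check(!verify_and_upgrade('wrong', $users['alice']), 'wrong password rejected after upgrade');
check(verify_and_upgrade('correct horse', $users['alice']), 'alice logs in with upgraded hash');
check(verify_and_upgrade('battery staple', $users['bob']), 'bob logs in');
check(!verify_and_upgrade('battery', $users['bob']), 'bob wrong password rejected');
echo "ok\n";
```

The upgrade only happens on a successful login because that is the only moment the server sees the plaintext; rows belonging to users who never log in again stay as MD5 and should eventually be expired or forced through a password reset.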

Posted: Sun Sep 26, 2004 12:38 am
by AGISB
@jakobdoppler

As I place every IP block in the database, I can easily drop every entry with the current IP, as only the current user can have the IP and I want to log him out. If another user has the same IP (e.g. AOL proxy) entry in the database, it is also invalid, as that user must have a new IP now. However, I noticed a problem in the tutorial: I should also update the IP address in the session log to make sure it is always the correct one.

However, as all entries with the username are deleted, the user is also effectively logged out, and any possible leftover IP entry would be gone within 15 minutes anyway.


1) Yes, indeed this should be recommended. I kept it simple here.

2) I changed field names and var names from my actually used functions, as known var names could pose a possible security risk. So there might be a problem with the different renaming.

3) I just placed a placeholder for people to replace. I should have mentioned this indeed ;)

4) Weird. This is working fine for me. Might be a php.ini issue or PHP version issue.

5) Problem is that I cannot post or correct the tutorial, as the forum is blocked for posting; I also still have some German notes in it ;)

Posted: Mon Sep 27, 2004 7:15 am
by jakobdoppler
5) Problem is that I cannot post or correct the tutorial, as the forum is blocked for posting; I also still have some German notes in it
Hehe, at least no problem for me here, I am from Austria ;-)

Posted: Mon Sep 27, 2004 9:38 am
by McGruff