A better Login Script?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

A better Login Script?

Post by patch2112 »

Hello all,

I am trying to make a login routine that is a bit safer than just setting a session upon login and checking for its existence to allow access to secure areas. There are some pretty detailed routines like http://www.devshed.com/c/a/PHP/Creating ... in-Script/ but I was wondering if something simpler would still give pretty good security.

Any thoughts on something like this...

Login

Code:

if ($credentials_ok) { // $credentials_ok: result of your own password check
    $_SESSION['login_ip'] = GetHostByName($REMOTE_ADDR);
}

Verify Logged In

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == GetHostByName($REMOTE_ADDR)) ) {
    //secure content
}
Last edited by patch2112 on Sat Feb 10, 2007 6:16 pm, edited 1 time in total.
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Post by kaszu »

An IP address may change between sessions, so don't compare the whole IP, but only part of it (first 6 digits?).
patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

Ah

Post by patch2112 »

The idea being that if the user is on a dynamic IP network, the first 6 or so digits will stay the same?
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Post by kaszu »

Yes (usually I use the first 9 digits, but AOL, "ffs").
From my experience AOL users always have the same first 6 IP digits; I just had problems with a phpBB forum, others haven't reported any problems, so I can't say 100%.
AOL just because they were the only ones I had problems with.
patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

Alright

Post by patch2112 »

Seems like a pretty good point, so now we are looking at something like...

Code:

if ($credentials_ok) { // $credentials_ok: result of your own password check
    $_SESSION['login_ip'] = substr(GetHostByName($REMOTE_ADDR), 0, 6);
}

and

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == substr(GetHostByName($REMOTE_ADDR), 0, 6)) ) {
    //secure content
}
Any other thoughts?
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Post by kaszu »

If $REMOTE_ADDR == $_SERVER['REMOTE_ADDR'] then instead of 6 use 7, because of the dot (.).
I would say that it's OK, but you can also check the browser because of session hijack attempts from the same network (you are only checking 6 digits of the IP).
Probably some phpDN gurus can give you extra info, so wait till tomorrow (hopefully sooner).
patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

Yes

Post by patch2112 »

Yes, it should be $_SERVER['REMOTE_ADDR'] for when register_globals is off. Also, I meant to be getting by address, not name, like gethostbyaddr($_SERVER['REMOTE_ADDR']);. So now we are at...

Login

Code:

if ($credentials_ok) { // $credentials_ok: result of your own password check
    $_SESSION['login_ip'] = substr(GetHostByAddr($_SERVER['REMOTE_ADDR']), 0, 7);
}

and

Verify

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == substr(GetHostByAddr($_SERVER['REMOTE_ADDR']), 0, 7)) ) {
    //secure content
}
Thanks Kaszu! Anyone else?
patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

Error

Post by patch2112 »

Doesn't seem that we need any "gethostby...." now that I tried using it. Current version is...

Code:

$_SESSION['login_ip'] = substr($_SERVER['REMOTE_ADDR'], 0, 7);

and

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == substr($_SERVER['REMOTE_ADDR'], 0, 7)) ) {
    //secure content
}
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Post by kaszu »

Didn't think about this yesterday, but a more correct way to get the first 2 parts of the IP would probably be

Code:

// Split the dotted address and keep only the first two octets
$ip_parts = explode('.', $_SERVER['REMOTE_ADDR']);
if (isset($ip_parts[0]) and isset($ip_parts[1]))
    $ip = $ip_parts[0].'.'.$ip_parts[1];
else
    $ip = substr($_SERVER['REMOTE_ADDR'], 0, 7);

because there are IP addresses with 2 digits (ex. 12.345.678.90)
patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

ip

Post by patch2112 »

Yeah, I had run into that when I tested it too. I decided though that it didn't really matter if the IP was in correct form since it just has to match the value it set on log-in...

12.345.67 == 12.345.67 fine
123.456.7 == 123.456.7 fine

we could even just drop the dot, but I'm not sure it's necessary either...
1234567 == 1234567 fine.

Think we should go down to 5 digits though? It's not banking software so it doesn't have to be rock-solid, just a bit harder than creating a session is all.

What do you think?
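An added example, not code from anyone in this thread, showing what the "first 7 digits" comparison is really trying to do: compare the network part of the address. Cutting the dotted string at a fixed character count is wrong in one direction (10.1.2.3 and 10.1.20.3 are in the same /16 but their first 7 characters differ, so the user is thrown out on the next page), and kaszu's explode() fixes only the IPv4 dotted-quad case. The function below masks the host bits instead, and as an extension beyond the thread also handles IPv6 (it assumes PHP 7.1+ for the type declarations; the prefix lengths 16 and 64 are assumptions you can tune):

```php
<?php
// Added example (not from the thread): compare two client addresses by
// network prefix instead of by the first N characters of the dotted string.
// network_prefix() returns the address with the host bits cleared, so two
// addresses in the same /16 (the first two octets, what the thread calls
// "the first 7 digits") map to the same string. Also handles IPv6, where a
// /64 is the usual per-customer allocation (assumed default).

function network_prefix(string $ip, int $v4_bits = 16, int $v6_bits = 64): ?string
{
    $packed = @inet_pton($ip);              // false for anything that is not an IP
    if ($packed === false) {
        return null;
    }
    $total = strlen($packed) * 8;           // 32 for IPv4, 128 for IPv6
    $bits  = ($total === 32) ? $v4_bits : $v6_bits;
    if ($bits < 0 || $bits > $total) {
        return null;
    }

    // Clear the host part byte by byte; the byte containing the prefix
    // boundary keeps only its top ($bits % 8) bits.
    $masked = '';
    for ($i = 0; $i < strlen($packed); $i++) {
        $keep = max(0, min(8, $bits - $i * 8));
        $mask = ($keep === 0) ? 0 : ((0xFF << (8 - $keep)) & 0xFF);
        $masked .= chr(ord($packed[$i]) & $mask);
    }
    return inet_ntop($masked) . '/' . $bits;
}

// True when both addresses parse and fall in the same prefix.
// A spoofed or garbage REMOTE_ADDR never matches anything.
function same_network(string $a, string $b): bool
{
    $pa = network_prefix($a);
    $pb = network_prefix($b);
    return $pa !== null && $pb !== null && hash_equals($pa, $pb);
}

// Same /16, but the first 7 characters of the strings differ.
$login = '10.1.2.3';
$next  = '10.1.20.3';
var_dump(substr($login, 0, 7) === substr($next, 0, 7));
var_dump(same_network($login, $next));

// Different /16: still rejected.
var_dump(same_network('10.1.2.3', '10.2.2.3'));

// Not an address at all: rejected rather than compared as text.
var_dump(same_network('not-an-ip', '10.1.2.3'));

// IPv6 neighbours in one /64 (constructed addresses).
var_dump(same_network('2001:db8:1:2::10', '2001:db8:1:2:abcd::1'));
```

The substr() comparison on the first pair fails while same_network() accepts it, which is the spurious-logout case the thread ran into; the remaining calls show that a different network, a malformed address, and an IPv6 pair behave as you would expect. Note that the prefix length is the whole trade-off here: a /16 is coarse enough that most dial-up or DHCP renumbering stays inside it, and coarse enough that anyone on the same ISP block who steals the session cookie passes the check too.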
mark_john
Forum Newbie
Posts: 1
Joined: Sun Feb 11, 2007 9:09 am

Secure login

Post by mark_john »

To me the simple solution is just to use https. The browser maintains the secured session throughout that transaction. You can embed a hidden value as well so that it will remain the same for that secured session. So even if someone sniffs the session cookie they won't be able to decode the embedded hidden value as it is encrypted by the key generated by the server and the browser during that session. So the sniffer's browser is getting another secured connection and another key for decoding. (Try understanding https or ssl. That should clear your doubts about how the https/ssl handshake is done.) I too had a similar problem when I was creating a wholesaler directory.
The customers have to sign up before they view the directory contents. But later I found the problem of the same account being used momentarily by some bots that spidered my directory. So I used https with my own certificate and thereafter there was no problem.

Anyway you must understand that there are limitations to the http protocol.
You need to work around to avoid these.
the DtTvB
Forum Newbie
Posts: 11
Joined: Sun Feb 11, 2007 6:10 am

Post by the DtTvB »

I think session variables cannot be changed by the browser, unlike cookies, so I think it's safe enough.
patch2112
Forum Commoner
Posts: 86
Joined: Sun Oct 31, 2004 9:44 am
Location: London

SSL / Sessions

Post by patch2112 »

Thanks for commenting...

SSL, might be a bit much for the particular site in question, but certainly worthwhile to offer it as an option to my client.

Changing Session Data, AHHH, didn't know that! Here's a good article on the subject... http://www.sitepoint.com/blogs/2004/03/ ... -security/.

So, it seems that this method would be "pretty" secure, provided that the first 7 digits of the IP are definitely going to be the same for the same person as they go from page to page. Any more thoughts on this? Should I use 5 digits instead perhaps?

Thanks all,
Philip
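Pulling the thread's suggestions together, here is an added example (not code posted by anyone above) of the full login and verify flow: the session is bound at login to the client's /16 network prefix plus the User-Agent header (kaszu's "check the browser"), the session ID is regenerated at login, and the session cookie is marked secure and HttpOnly so it only travels over https (mark_john's point) and is not readable from script. It assumes PHP 7.3+ (for the array form of session_set_cookie_params), that the site is served over https, and that check_credentials() and the /login.php redirect target are placeholders for your own code:

```php
<?php
// Added example (not from the thread): bind a PHP session to a client
// fingerprint at login and verify it on every protected page.
// Assumptions: PHP 7.3+, site served over https, check_credentials() and
// the /login.php path are placeholders for your own implementation.

const IP_PREFIX_BITS = 16; // "first two octets", what the thread calls 7 digits

// Network part of an IPv4 address, e.g. 10.1.20.3 -> 10.1.0.0 for a /16.
// Anything that is not an IPv4 address yields '' and so never matches.
function ip_prefix(string $ip): string
{
    $n = ip2long($ip);
    if ($n === false) {
        return '';
    }
    return long2ip($n & (-1 << (32 - IP_PREFIX_BITS)));
}

// What the session is bound to: network prefix plus User-Agent.
// Hashed so the session file stores no raw client data.
function client_fingerprint(): string
{
    return hash('sha256',
        ip_prefix($_SERVER['REMOTE_ADDR'] ?? '') . "\0" .
        ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

function start_secure_session(): void
{
    // Cookie is never sent over plain http and never exposed to JavaScript.
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // no session IDs in URLs
    session_start();
}

// Placeholder (assumption): look the user up and use password_verify().
function check_credentials(string $user, string $password): bool
{
    return false;
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Fresh session ID at login, so an ID planted before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user']        = $user;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['login_time']  = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

function is_logged_in(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Network or browser changed: treat as a possible hijack, drop the session.
        logout();
        return false;
    }
    return true;
}

// On a protected page:
start_secure_session();
if (!is_logged_in()) {
    header('Location: /login.php');
    exit;
}
// secure content follows
```

The fingerprint check keeps the thread's idea but moves the decision from "first 7 characters" to a real network prefix, and the User-Agent makes an attacker on the same /16 also have to match the victim's browser string. Both are soft checks: a browser update or an ISP renumbering outside the /16 logs the user out, and a cookie stolen by someone who also controls the User-Agent passes. The cookie flags and session_regenerate_id() are what actually stop the cheap attacks (sniffing over plain http, session fixation), which is why they belong in the flow regardless of how many digits of the IP you compare.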