A better Login Script?

Posted: Sat Feb 10, 2007 6:06 pm
by patch2112
Hello all,

I am trying to make a login routine that is a bit safer than just setting a session upon login and checking for its existence to allow access to secure areas. There are some pretty detailed routines like http://www.devshed.com/c/a/PHP/Creating ... in-Script/ but I was wondering if something simpler would still give pretty good security.

Any thoughts on something like this...

Login

Code:

if (credentials are correct) {
    $_SESSION['login_ip'] = GetHostByName($REMOTE_ADDR);
}

Verify Logged In

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == GetHostByName($REMOTE_ADDR)) ) {
    // secure content
}

Posted: Sat Feb 10, 2007 6:11 pm
by kaszu
IP address may change between sessions, so don't compare the whole IP, but only part (first 6 digits?).

Ah

Posted: Sat Feb 10, 2007 6:13 pm
by patch2112
The idea being that if the user is on a dynamic IP network that the first 6 or so will stay the same?

Posted: Sat Feb 10, 2007 6:18 pm
by kaszu
Yes (usually I use the first 9 digits, but AOL "ffs").
From my experience AOL users always have the same first 6 IP digits. I just had problems with a phpBB forum; others haven't reported any problems, so I can't say 100%.
AOL just because they were the only ones I had problems with.

Alright

Posted: Sat Feb 10, 2007 6:22 pm
by patch2112
Seems like a pretty good point, so now we are looking at something like...

Code:

if (credentials are correct) {
    $_SESSION['login_ip'] = substr(GetHostByName($REMOTE_ADDR),0,6);
}

and

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == substr(GetHostByName($REMOTE_ADDR),0,6)) ) {
    // secure content
}

Any other thoughts?

Posted: Sat Feb 10, 2007 6:33 pm
by kaszu
If $REMOTE_ADDR == $_SERVER['REMOTE_ADDR'] then instead of 6 use 7, because of the dot (.)
I would say that it's ok, but you can also check the browser because of session hijack attempts if they are happening from the same network (only checking 6 numbers in the IP).
Probably some phpDN gurus can give you extra info, so wait till tomorrow (hopefully sooner).

Yes

Posted: Sat Feb 10, 2007 6:53 pm
by patch2112
Yes, it should be $_SERVER['REMOTE_ADDR'] for when register_globals is off. Also, I meant to be getting by address, not name, like... gethostbyaddr($_SERVER['REMOTE_ADDR']);. So now we are at...


Login

Code:

if (credentials are correct) {
    $_SESSION['login_ip'] = substr(GetHostByAddr($_SERVER['REMOTE_ADDR']),0,7);
}

and
Verify

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == substr(GetHostByAddr($_SERVER['REMOTE_ADDR']),0,7)) ) {
    // secure content
}

Thanks Kaszu! Anyone else?

Error

Posted: Sat Feb 10, 2007 7:43 pm
by patch2112
Doesn't seem that we need any "gethostby...." now that I tried using it. Current version is...

Code:

$_SESSION['login_ip'] = substr($_SERVER['REMOTE_ADDR'],0,7);

and

Code:

if ( (isset($_SESSION['login_ip'])) && ($_SESSION['login_ip'] == substr($_SERVER['REMOTE_ADDR'],0,7)) ) {
    // secure content
}

Posted: Sun Feb 11, 2007 6:18 am
by kaszu
Didn't think about this yesterday, but a more correct way to get the first 2 parts of the IP would probably be

Code:

$ip_parts = explode('.', $_SERVER['REMOTE_ADDR']);
if (isset($ip_parts[0]) and isset($ip_parts[1]))
    $ip = $ip_parts[0].'.'.$ip_parts[1];
else
    $ip = substr($_SERVER['REMOTE_ADDR'], 0, 7);

because there are IP addresses with 2 digits (e.g. 12.345.678.90)
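
An added example, not part of kaszu's post or anyone's code in this thread: one way to combine the two checks suggested above (the first two parts of the IP, and the browser) by parsing the address instead of cutting a fixed number of characters. The function names, the `login_fp` session key and the 48-bit prefix for IPv6 are assumptions of this example, and the sample requests are constructed.

```php
<?php
// Added example; function names and the 'login_fp' key are hypothetical.
// First two octets of an IPv4 address (the thread's choice), or the first
// 48 bits of an IPv6 address (an assumption; the thread only covers IPv4).
function client_prefix(string $addr): ?string
{
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return null;                       // malformed address: no prefix
    }
    $packed = inet_pton($addr);            // 4 bytes (IPv4) or 16 (IPv6)
    return bin2hex(substr($packed, 0, strlen($packed) === 4 ? 2 : 6));
}

// One stored value covering both checks: network prefix and browser.
function client_fingerprint(array $server): ?string
{
    $prefix = client_prefix($server['REMOTE_ADDR'] ?? '');
    if ($prefix === null) {
        return null;
    }
    return hash('sha256', $prefix . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

// Call only after the credentials have been verified.
function bind_login(array &$session, array $server): bool
{
    $fp = client_fingerprint($server);
    if ($fp === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);       // fresh session ID at login
    }
    $session['login_fp'] = $fp;
    return true;
}

function is_logged_in(array $session, array $server): bool
{
    $fp = client_fingerprint($server);
    return $fp !== null && is_string($session['login_fp'] ?? null)
        && hash_equals($session['login_fp'], $fp);
}

// Constructed requests: same /16 and browser, then a different network.
$session = [];
bind_login($session, ['REMOTE_ADDR' => '12.34.56.78', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0']);
var_dump(is_logged_in($session, ['REMOTE_ADDR' => '12.34.200.9', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0']));
var_dump(is_logged_in($session, ['REMOTE_ADDR' => '123.45.6.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0']));
```

In a page, call `bind_login($_SESSION, $_SERVER)` after `session_start()` and a successful credential check, and `is_logged_in($_SESSION, $_SERVER)` before the secure content.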

ip

Posted: Sun Feb 11, 2007 9:02 am
by patch2112
Yeah, I had run into that when I tested it too. I decided though that it didn't really matter if the IP was in correct form since it just has to match the value it set on log-in...

12.345.67 == 12.345.67 fine
123.456.7 == 123.456.7 fine

we could even just drop the dot, but I'm not sure it's necessary either...
1234567 == 1234567 fine.

Think we should go down to 5 digits though? It's not banking software so it doesn't have to be rock-solid, just a bit harder than creating a session is all.

What do you think?

Secure login

Posted: Sun Feb 11, 2007 10:14 am
by mark_john
To me the simple solution is just to use https. The browser maintains the secured session throughout that transaction. You can embed a hidden value as well so that it will remain the same for that secured session. So even if someone sniffs the session cookie they won't be able to decode the embedded hidden value as it is encrypted by the key generated by the server and the browser during that session. So the sniffer's browser is getting another secured connection and another key for decoding. (Try understanding https or ssl. That should clear your doubts about how https ssl handshaking is done.) I too had a similar problem when I was creating a wholesaler directory.
The customers have to sign up before they view the directory contents. But later I found the problem of the same account being used momentarily by some bots that spidered my directory. So I used https with my own certificate and thereafter there was no problem.

Anyway you must understand that there are limitations to the http protocol.
You need to work around to avoid these.

Posted: Sun Feb 11, 2007 11:05 pm
by the DtTvB
I think session variables could not be changed by the browser, unlike cookies, so I think it's safe enough.

SSL / Sessions

Posted: Mon Feb 12, 2007 10:02 am
by patch2112
Thanks for commenting...

SSL might be a bit much for the particular site in question, but certainly worthwhile to offer it as an option to my client.

Changing Session Data, AHHH, didn't know that! Here's a good article on the subject... http://www.sitepoint.com/blogs/2004/03/ ... -security/.

So, it seems that this method would be "pretty" secure, provided that the first 7 digits of the IP are definitely going to be the same for the same person as they go from page to page. Any more thoughts on this? Should I use 5 digits instead perhaps?

Thanks all,
Philip