Secure User Authentication and PHP

Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

I noticed in Firebug (a cool little error console etc. add-on for Firefox) you can view page headers, which include cookies. If people hacked into your PC and read the cookie data, they could find out your user name and password that are saved in a cookie. Is that correct?

They could then use those details to login... Not good.

Is there any way to authenticate users without the data coming up in the headers? If possible, which I'm sure it is, how would I go about it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Don't store such information (in the open) in a cookie. Simple enough.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Session cookies are better than those storing data on the client, as feyd said. You might want to Google "session hijacking" and "session fixation".
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

Would you store sessions in the database?

This is just a guess, but would you save the session data in the database and then link that session data to the logged-in user?

Or would browser sessions be as safe?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The session ID needs to be given to the browser, that won't change.

Database storage is generally considered a bit more secure than file based storage, but both depend on the security of your scripts and your server.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

I'd recommend reading the PHP manual on sessions. The gist of it is that the data is stored on the server in temporary files (one for each session) and accessed through the $_SESSION superglobal; the user stores a cookie that is an ID reference to his session, so PHP knows which file to use. The cookie lasts until the user closes his browser. You can change PHP to use memcached instead of files for sessions, or you can define your own session handling functionality using session_set_save_handler(). Many use that function to store sessions in the database; this offers a security advantage over file-based session storage on servers where multiple sites run (small risk) or many users have access to PHP (significant risk).
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

Cool, that makes sense, thanks. What about the "remember me" feature on scripts? I know phpBB has this feature...

How would they do that and still keep the script secure?
The Phoenix
Forum Contributor
Posts: 294
Joined: Fri Oct 06, 2006 8:12 pm

Re: Secure User Authentication and PHP

Post by The Phoenix »

Mr Tech wrote: I noticed in Firebug (a cool little error console etc. add-on for Firefox) you can view page headers, which include cookies. If people hacked into your PC and read the cookie data, they could find out your user name and password that are saved in a cookie. Is that correct?

Most places do not store passwords in cookies. Username varies.

But yes, if you sent a cleartext password in a cookie to the user, then if an attacker had control of your PC, they could read the password.

Of course, if they had control of your PC, they could log your keystrokes, redirect SSL sessions, and more. In short, once your PC is compromised, the game is over.
Mr Tech wrote: They could then use those details to login... Not good.

Is there any way to authenticate users without the data coming up in the headers? If possible, which I'm sure it is, how would I go about it?

Yes. Don't send passwords in cleartext.
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

Yes, I definitely don't use cleartext... I use sha1.
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

I was wondering if anyone had an answer to my "remember me" question? I know phpBB and vBulletin have that feature that keeps you logged in every time; however, they don't seem to store the details in a cookie. How do they do it?
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Yeah I do, you need to use a cookie for that I think. Either that or you need to set the session to not expire when the browser is closed. There are loads of configuration settings for sessions, a lot of them confusing.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

phpBB, e.g., stores an autologin_id in the table phpbb_sessions.
If auto login is enabled and the client sends the parameters user_id and autologin_id (as a cookie), these values are compared to those stored in the table. If there is a match, the user is logged in (again) without sending the password.
The autologin_id acts as a password, but it doesn't allow changing the actual password or entering the admin panel.
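As an added example (not phpBB's code), here is an autologin scheme along the lines volka describes, with the server keeping only a hash of the token so that reading the table does not yield a usable autologin_id, and with the remembered session marked so that password changes and admin pages can demand the real password; the autologin table, the cookie name and the function names are assumptions, and it assumes session_start() has already run and $pdo is an open PDO handle.

```php
<?php
// Added example (not phpBB's code): a "remember me" token in the style volka
// describes. Assumed table: autologin(selector CHAR(24) PRIMARY KEY,
// validator_hash CHAR(64), user_id INT, expires INT). Assumes session_start() ran.
const AUTOLOGIN_COOKIE = 'autologin';
const AUTOLOGIN_TTL = 30 * 86400; // 30 days

// Call after a successful password login when the user ticked "remember me".
function issueAutologin(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12)); // row lookup key, not secret
    $validator = random_bytes(32);          // the secret; only its hash is stored
    $expires   = time() + AUTOLOGIN_TTL;
    $pdo->prepare('INSERT INTO autologin (selector, validator_hash, user_id, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // HttpOnly keeps it away from page scripts, Secure keeps it off plain HTTP.
    setcookie(AUTOLOGIN_COOKIE, $selector . ':' . bin2hex($validator), [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Call on requests that carry no logged-in session. Returns the user id or null.
function checkAutologin(PDO $pdo): ?int
{
    $parts = explode(':', $_COOKIE[AUTOLOGIN_COOKIE] ?? '', 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validatorHex] = $parts;
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires FROM autologin WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time compare against the stored hash: a leaked table holds no usable tokens.
    $ok = hash_equals($row['validator_hash'], hash('sha256', hex2bin($validatorHex)));
    // Tokens are single use: drop the row either way, reissue a fresh one on success.
    $pdo->prepare('DELETE FROM autologin WHERE selector = ?')->execute([$selector]);
    if (!$ok) {
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['user_id'];
    $_SESSION['auth_level'] = 'remembered'; // password change and admin pages must re-ask for the password
    issueAutologin($pdo, (int) $row['user_id']);
    return (int) $row['user_id'];
}
```

Because each token is single use, a stolen cookie that is replayed after the real user has already returned fails the lookup, which is a signal worth logging.
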
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.

I'll have a look at the sessions more closely and see what I can find out.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Mr Tech wrote: Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.

I'll have a look at the sessions more closely and see what I can find out.

Any "remember me" feature is inherently insecure at best.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Mr Tech wrote: Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.

Any login information stored on the client-side is risky for the user because you lose control of it. If you want a secure "remember me," then make it only remember their username and force them to login themselves (MySpace does this).