Secure User Authentication and PHP
I noticed in FireBug (a cool little error console etc addon for FireFox) you can view page headers which includes cookies. If people hacked into your pc and read the cookie data, they could find out your user name and password that is saved in a cookie. Is that correct?
They could then use those details to login... Not good.
Is there any way to authenticate users without the data coming up in the headers? If possible, which I'm sure it is, how would I go about it?
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
I'd recommend reading the PHP manual on sessions. The gist of it is that the data is stored on the server in temporary files (one for each session) and accessed through the $_SESSION superglobal; the user stores a cookie that is an ID reference to his session so PHP knows which file to use. The cookie lasts until the user closes his browser. You can change PHP to use memcached instead of files for sessions, or you can define your own session handling functionality using session_set_save_handler(). Many use that function to store sessions in the database; this offers a security advantage over the file-based session storage on servers where multiple sites run (small risk) or many users have access to PHP (significant risk).
- The Phoenix
- Forum Contributor
- Posts: 294
- Joined: Fri Oct 06, 2006 8:12 pm
Re: Secure User Authentication and PHP
Mr Tech wrote: I noticed in FireBug (a cool little error console etc addon for FireFox) you can view page headers which includes cookies. If people hacked into your pc and read the cookie data, they could find out your user name and password that is saved in a cookie. Is that correct?

Most places do not store passwords in cookies. Username varies.

But yes, if you sent a cleartext password in a cookie to the user, then if an attacker had control of your pc, they could read the password.
Of course, if they had control of your pc, they could log your keystrokes, redirect ssl sessions, and more. In short, once your PC is compromised, the game is over.

Mr Tech wrote: They could then use those details to login... Not good.
Is there any way to authenticate users without the data coming up in the headers? If possible, which I'm sure it is, how would I go about it?

Yes. Don't send passwords in cleartext.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
phpbb, e.g., stores an autologin_id in the table phpbb_sessions.
If auto login is enabled and the client sends the parameters user_id and autologin_id (as a cookie), these values are compared to those stored in the table. If there is a match, the user is logged in (again) without sending the password.
The autologin_id acts as a password. But it doesn't allow changing the actual password or entering the admin panel.
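The autologin scheme described in this post, written out as an added example (this is illustrative code, not phpbb's own; the table name `autologin`, its columns, and the cookie name are assumed). Unlike storing the raw id in the database, it keeps only a hash of the token server-side, compares it in constant time, and marks the resulting session as a weaker login so sensitive actions can demand the real password, matching the restriction described above. Assumes PHP 7.3+ for the array form of setcookie().

```php
<?php
// Added example of a "remember me" token in the style of phpbb's autologin_id.
// Hypothetical schema: autologin(user_id INT, token_hash CHAR(64), expires INT).

function issueAutologin(PDO $db, int $userId): void {
    $token = bin2hex(random_bytes(32));                // secret the client keeps
    $ttl   = 30 * 86400;                               // 30 days
    $db->prepare('INSERT INTO autologin (user_id, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + $ttl]);
    // Only the hash is stored, so a leaked table row cannot be replayed as a cookie.
    setcookie('autologin', $userId . ':' . $token, [
        'expires'  => time() + $ttl,
        'httponly' => true,    // not readable by page scripts
        'secure'   => true,    // only sent over TLS
        'samesite' => 'Lax',
    ]);
}

function checkAutologin(PDO $db): ?int {
    if (!isset($_COOKIE['autologin'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['autologin'], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                                   // malformed cookie
    }
    [$userId, $token] = [(int) $parts[0], $parts[1]];
    $stmt = $db->prepare('SELECT token_hash FROM autologin WHERE user_id = ? AND expires > ?');
    $stmt->execute([$userId, time()]);
    $presented = hash('sha256', $token);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $presented)) {        // constant-time comparison
            session_regenerate_id(true);               // fresh session id on login
            $_SESSION['user_id']   = $userId;
            $_SESSION['autologin'] = true;             // weaker login: re-prompt for the
            return $userId;                            // password before admin/password changes
        }
    }
    return null;
}
```

On logout or password change, delete the user's rows from the autologin table so an already-issued cookie stops working.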
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Mr Tech wrote: Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.

Any login information stored on the client-side is risky for the user because you lose control of it. If you want a secure "remember me," then make it only remember their username and force them to login themselves (MySpace does this).