Secure User Authentication and PHP
Posted: Sun Jul 22, 2007 7:58 pm
by Mr Tech
I noticed in FireBug (a cool little error console, etc., addon for Firefox) you can view page headers, which include cookies. If people hacked into your PC and read the cookie data, they could find out your user name and password that is saved in a cookie. Is that correct?
They could then use those details to login... Not good.
Is there any way to authenticate users without the data coming up in the headers? If possible, which I'm sure is, how would I go about it?
Posted: Sun Jul 22, 2007 8:06 pm
by feyd
Don't store such information (in the open) in a cookie. Simple enough.
Posted: Sun Jul 22, 2007 8:09 pm
by Ollie Saunders
Session cookies are better than those storing data on the client, as feyd said. You might want to google "session hijacking" and "session fixation".
Posted: Sun Jul 22, 2007 8:15 pm
by Mr Tech
Would you store sessions in the database?
This is just a guess, but would you save the session data in the database and then link that session data to the logged-in user?
Or would browser sessions be as safe?
Posted: Sun Jul 22, 2007 8:32 pm
by feyd
The session ID needs to be given to the browser, that won't change.
Database storage is generally considered a bit more secure than file based storage, but both depend on the security of your scripts and your server.
Posted: Sun Jul 22, 2007 8:33 pm
by Ollie Saunders
I'd recommend reading the PHP manual on sessions. The gist of it is that the data is stored on the server in temporary files (one for each session) and accessed through the $_SESSION superglobal; the user stores a cookie that is an ID reference to his session so PHP knows which file to use. The cookie lasts until the user closes his browser. You can change PHP to use memcached instead of files for sessions, or you can define your own session handling functionality using session_set_save_handler(). Many use that function to store sessions in the database; this offers a security advantage over the file based session storage on servers where multiple sites run (small risk) or many users have access to PHP (significant risk).
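As an added illustration of the database-backed approach Ollie describes (this is example code written for this thread, not PHP's own or any project's implementation), a minimal session handler registered through session_set_save_handler(). The table name `sessions` and the use of an in-memory SQLite database are assumptions to keep it self-contained; PHP 8 is assumed for the typed signatures.

```php
<?php
// Added example: a database-backed session store in the shape PHP's
// SessionHandlerInterface expects. Table name "sessions" is assumed.
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Return the serialized session data, or '' when the ID is unknown/expired,
    // so an attacker cannot pick their own ID and get a pre-filled session.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $ttl  = (int) ini_get('session.gc_maxlifetime');
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection: drop rows whose expiry has passed.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

$db = new PDO('sqlite::memory:'); // assumption: in-memory DB so the example runs offline
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
session_set_save_handler(new DbSessionHandler($db), true);
// HttpOnly keeps the session ID out of document.cookie; Secure keeps it off plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
// After a successful password check, issue a fresh ID to defeat session fixation.
session_regenerate_id(true);
$_SESSION['user_id'] = 42; // constructed sample value
```

The regenerate call addresses the "session fixation" term mentioned earlier in the thread: whatever ID the browser had before login is discarded.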
Posted: Sun Jul 22, 2007 8:35 pm
by Mr Tech
Cool, that makes sense, thanks. What about the "remember me" feature on scripts? I know phpBB has this feature...
How would they do that and still keep the script secure?
Re: Secure User Authentication and PHP
Posted: Sun Jul 22, 2007 8:36 pm
by The Phoenix
Mr Tech wrote: I noticed in FireBug (a cool little error console, etc., addon for Firefox) you can view page headers, which include cookies. If people hacked into your PC and read the cookie data, they could find out your user name and password that is saved in a cookie. Is that correct?
Most places do not store passwords in cookies. Username varies.
But yes, if you sent a cleartext password in a cookie to the user, then if an attacker had control of your pc, they could read the password.
Of course, if they had control of your pc, they could log your keystrokes, redirect ssl sessions, and more. In short, once your PC is compromised, the game is over.
Mr Tech wrote: They could then use those details to login... Not good.
Is there any way to authenticate users without the data coming up in the headers? If possible, which I'm sure is, how would I go about it?
Yes. Don't send passwords in cleartext.
Posted: Sun Jul 22, 2007 8:53 pm
by Mr Tech
Yes, I definitely don't use cleartext. I use sha1.
Posted: Mon Jul 23, 2007 1:28 am
by Mr Tech
I was wondering if anyone had an answer to my "remember me" question? I know phpBB and vBulletin have that feature that keeps you logged in every time; however, they don't seem to store the details in a cookie. How do they do it?
Posted: Mon Jul 23, 2007 2:56 am
by Ollie Saunders
Yeah I do, you need to use a cookie for that I think. Either that or you need to set the session to not expire when the browser is closed. There are loads of configuration settings for sessions, a lot of them confusing.
Posted: Mon Jul 23, 2007 5:08 am
by volka
phpBB, e.g., stores an autologin_id in the table phpbb_sessions.
If auto login is enabled and the client sends the parameters user_id and autologin_id (as a cookie), these values are compared to those stored in the table. If there is a match the user is logged in (again) without sending the password.
The autologin_id acts as a password, but it doesn't allow changing the actual password or entering the admin panel.
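To make the mechanism volka describes concrete, here is an added example (written for this thread; it is not phpBB's code and uses an assumed table `autologin_tokens`, not phpbb_sessions). The cookie carries a random secret, the server keeps only its hash, comparison is constant-time, and a token is consumed on use so a copied cookie stops working after the legitimate browser's next visit. An in-memory SQLite database is assumed so the snippet runs stand-alone.

```php
<?php
// Added example: server-side "remember me" tokens. Table name is an assumption.
$db = new PDO('sqlite::memory:'); // assumption: in-memory DB so this runs offline
$db->exec('CREATE TABLE autologin_tokens (user_id INTEGER NOT NULL, selector TEXT PRIMARY KEY,
           token_hash TEXT NOT NULL, expires INTEGER NOT NULL)');

// Called after a successful password login when "remember me" was ticked.
// Returns the cookie value "selector:token"; only hash(token) is stored.
function issueAutologin(PDO $db, int $userId, int $ttl = 30 * 86400): string
{
    $selector = bin2hex(random_bytes(8));   // public lookup key
    $token    = bin2hex(random_bytes(32));  // secret, never stored in clear
    $stmt = $db->prepare('INSERT INTO autologin_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, $selector, hash('sha256', $token), time() + $ttl]);
    $value = "$selector:$token";
    // HttpOnly: not readable by page scripts. Secure: only sent over HTTPS.
    setcookie('autologin', $value, ['expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $value;
}

// Called on a request with no live session. Returns the user_id, or null to
// fall back to the normal login form. A session started this way should be
// flagged so password changes and the admin panel still require the password.
function checkAutologin(PDO $db, string $cookie): ?int
{
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $token] = explode(':', $cookie);
    $stmt = $db->prepare('SELECT user_id, token_hash, expires FROM autologin_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so timing does not leak how many bytes matched.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    // Single use: delete the row; the caller issues a fresh token for the next visit.
    $db->prepare('DELETE FROM autologin_tokens WHERE selector = ?')->execute([$selector]);
    return (int) $row['user_id'];
}

$cookie = issueAutologin($db, 42);      // constructed sample user
$first  = checkAutologin($db, $cookie); // accepted, token consumed
$second = checkAutologin($db, $cookie); // rejected: a replayed copy no longer matches
```

Because the database holds only the hash, a leaked copy of the table does not yield usable cookies, which addresses the "someone could find out the autologin_id" concern raised in the next post for that particular leak path.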
Posted: Mon Jul 23, 2007 6:18 pm
by Mr Tech
Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.
I'll have a look at the sessions more closely and see what I can find out.
Posted: Mon Jul 23, 2007 6:20 pm
by John Cartwright
Mr Tech wrote: Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.
I'll have a look at the sessions more closely and see what I can find out.
Any "remember me" feature is inherently insecure at best.
Posted: Mon Jul 23, 2007 6:40 pm
by superdezign
Mr Tech wrote: Cool thanks. That doesn't sound that safe either... Someone could find out the autologin_id and user_id and they're in.
Any login information stored on the client-side is risky for the user because you lose control of it. If you want a secure "remember me," then make it only remember their username and force them to login themselves (MySpace does this).