Logins, .htaccess, and security

cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Post by cybaf »

I've made a login system that does not send the passwords and username over the network in clear text, and it does not require SSL. It is available on evilwalrus.com (however, the version there is an old one). Check it out.

//cybaf
lazy_yogi
Forum Contributor
Posts: 243
Joined: Fri Jan 24, 2003 3:27 am

Post by lazy_yogi »

A link would be nice (I assume you already know where it is, since it was your code that is posted somewhere there).

Also, if it's an old version, how about offering the new one?
aquila125
Forum Commoner
Posts: 96
Joined: Tue Dec 09, 2003 10:39 am
Location: Belgium

Post by aquila125 »

I suggest building your own login class. Perhaps it's a lot of work, but you can use it in your next project.


Have the login page created through PHP and put in a hidden field a randomly generated number (or the current time) (save this number in the Session). Have the user enter his password and with JavaScript create the md5 hash of the password, then add the random number from the hidden field and create the md5 hash of that combination. Save this information in the password field (overwriting the original password) and send it to the server.
On the server side, get the md5-hashed password from the database (flat file or whatever), add the random number and create the md5 hash of that combination, then compare with the one received from the form.

This is pretty safe. When login succeeds, save the IP of the logged-in user in your Session, and on each page check to see if the IP is still the same as the one used to log in (security against session hacking).

This should be pretty safe. Use SSL and you have another layer of security.
Fredix
Forum Contributor
Posts: 101
Joined: Fri Jul 18, 2003 2:16 pm
Location: Wehr (Eifel) Germany

Post by Fredix »

Sorry if I look like a big dumb noob here, but what I always wonder about is:
How can this "sniffing" be done?
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

aquila125: That is a very interesting solution. You could also add some special protection measures like checking the user's browser or checking the difference between the user and the server time. A hijacker will not have a clue what the user's computer time is. Of course there is some possibility that the first time the user sends its "time" to the server it will be sniffed, but it is the same problem with SSH or SSL.

BTW: cybaf, could you put that link here? evilwalrus is vast and infinite ;) :D
cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Post by cybaf »

OK, sorry guys... here is the link to my script. But remember that this is an old version; I'll put up the new version after this weekend (I'm not at home now). The link: http://www.evilwalrus.com/viewcode.php?codeEx=478

It is using a MySQL-handling script as well, so if you want to look at that as well the link is as follows: http://www.evilwalrus.com/viewcode.php?codeEx=483

nufferkay
Forum Newbie
Posts: 24
Joined: Fri Nov 28, 2003 2:27 pm

Post by nufferkay »

Hm, some interesting ideas - thanks!

Now, what happens if the user has turned off Javascript?

-N

ilovetoast
Forum Contributor
Posts: 142
Joined: Thu Jan 15, 2004 7:34 pm

Post by ilovetoast »

Then that script won't work properly.

However, if this is your system, it's no big deal IMHO to tell people to turn on JavaScript to use it. Just put a simple detector out front of everything.

Authentication via PHP is more flexible than htaccess based authentication. Reason enough, IMHO, to go that route.

The whole sniffing question is nonsense. I'm sorry. You aren't running eBay or somesuch. Back up your data regularly and just encrypt your passwords and usernames in transit and don't bother with SSL/tunneling/etc.

Before getting worried about that stuff, just ask yourself... would the handful of people around the computers in question really care enough to install a packet sniffer AND then work to break your encrypted passwords? And if they did, exactly how much effort would it take you to restore to the most recent backup state and change the username/password in question? My guess is that honest answers to these questions would probably point you to the conclusion that security won't be a big deal.

peace

Straterra
Forum Regular
Posts: 527
Joined: Mon Nov 24, 2003 8:46 am
Location: Indianapolis, Indiana

Post by Straterra »

aquila125 wrote: I suggest building your own login class. Perhaps it's a lot of work, but you can use it in your next project.

Have the login page created through PHP and put in a hidden field a randomly generated number (or the current time) (save this number in the Session). Have the user enter his password and with JavaScript create the md5 hash of the password, then add the random number from the hidden field and create the md5 hash of that combination. Save this information in the password field (overwriting the original password) and send it to the server.
On the server side, get the md5-hashed password from the database (flat file or whatever), add the random number and create the md5 hash of that combination, then compare with the one received from the form.

This is pretty safe. When login succeeds, save the IP of the logged-in user in your Session, and on each page check to see if the IP is still the same as the one used to log in (security against session hacking).

This should be pretty safe. Use SSL and you have another layer of security.

The part about security against session hacking isn't true. I have known people who have found a way (by creating their own network adaptor apps) to change their external IP to appear to be whatever they want it to be.

ilovetoast
Forum Contributor
Posts: 142
Joined: Thu Jan 15, 2004 7:34 pm

Post by ilovetoast »

People can hijack sessions, brute force your passwords, install keyloggers on your client's machines, invade your office and steal your computer.

At some point you just have to say... is that really going to happen? Maybe if you've got some uber-porn/warez site. If you have some everyday business site -- not likely.

If you're really concerned:
Encrypt your passwords and usernames at all times
Modify your passwords and usernames before storage
Use SSL.
Monitor Session IPs.
Monitor random user browser traits for Sessions

And when your paranoia gets the best of you:
Rotate passwords every week
Incorporate biometrics into the auth scheme
Layer htaccess passwords on top of your php passwords
Layer a javascript question on top of that
Require your users to use Macs only on Wed. evenings for access

At some point you will realize that security paranoia is just that, paranoia.

peace