Is my logon and access control code secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

post_phobic
Forum Newbie
Posts: 8
Joined: Tue Feb 03, 2009 3:58 pm

Is my logon and access control code secure?

Post by post_phobic »

I've recently coded a small website from scratch to learn PHP. I've also just read something about how you shouldn't try writing your own access control systems because you will screw up, which makes me worried.

My Pseudocode:
Logging in
Basically, to log in a user I grab their escaped user alias and password from a form. I pass these variables to an SQL query that tries to select the user alias from the database with the given parameters. If the selected alias matches the alias given in the form, the login is successful and I set a bunch of session variables using $_SESSION['myvariables']. I am currently not using authentication headers (is that a baaad thing?)

Access Control
Now for the access control: All my pages are called from an index.php page. At the beginning of my index.php file, and thus at the beginning of each of my pages, I use the sessioned alias and password to select the user's authorization level from the database. This will return 0 for a guest (sessioned variables not found), 1 for a normal user, and 10 or above for an admin. I pass this authorization level through to the rest of my code, including my HTML SMARTY templates, to display the appropriate data. For any action that involves an Insert or Update (I don't have any queries that perform deletes) I run the function that checks the authorization level and make sure we have the required auth level to perform whatever action we're doing (if the check fails and the auth level does not meet the minimum for that action, the user is sent to a denied page).

Whew. Okay, here's my code:
Login Code:

    function loginUser($userAlias, $userPassword) {
        $userAlias = escape($userAlias);
        $userPassword = escape($userPassword);
        $this->Alias = $userAlias;
        $this->Password = $userPassword;
        $sql_login = " SELECT tu.UserID, tu.UserAlias FROM $this->db.$this->table tu
                          WHERE tu.UserAlias = '$this->Alias' AND tu.UserPassword = '$this->Password' ; ";
        $result = mysql_query($sql_login);
        $row = mysql_fetch_row($result);
        if ( $this->Alias == '' || $row[1] != $this->Alias ) {
            // logon fails
            $_SESSION['log_sec'] = 0;
            $_SESSION['reg_fail_alias'] = $this->Alias;
            $_SESSION['logged_in'] = 0;
            $_SESSION['failed_login'] = 1;
            return 0;
        } else {
            // logon succeeds
            $_SESSION['log_sec'] = 1;
            $_SESSION['session_alias'] = $this->Alias;
            $_SESSION['session_alias_id'] = $row[0];
            $_SESSION['session_password'] = $this->Password;
            $_SESSION['failed_login'] = 0;
            $_SESSION['reg_fail_alias'] = '';
            sleep(1);
            return 1;
        }
    }

Access Control: Determining the User's Authorization Level:

    function getAuth() {
        $alias = $_SESSION['session_alias'];
        $passw = $_SESSION['session_password'];
        if ( isset($alias) && isset($passw) ) {
            $sql = " SELECT AuthLevel FROM $this->db.$this->table WHERE UserAlias = '$alias'
                       AND UserPassword = '$passw' ; ";
            $result = mysql_query($sql);
            $returned_rows = mysql_num_rows($result);
            if ( $returned_rows == 0 ) {
                $auth = 0;  // (hacker or session vars no longer match db)
            } else {
                $row = mysql_fetch_row($result);
                $auth = $row[0];
            }
        } else { // we're not logged in, auth = 0.
            $auth = 0;
        }
        return $auth;  // I then pass
    }

All my input variables are escaped with mysql_real_escape before being passed to the functions. I wasn't sure if, generally, it was better to escape inside the functions or to have naive functions but escape everything as soon as you get it from the user, higher up in your code. I went for the latter because I wanted to escape the user input as soon as I got it from them.

EDIT: I just read some answers to similar questions. I will rewrite the code so that I am not storing the password in a session variable.
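Added example (editor's code, not post_phobic's and not from any project named in the thread): the same login / getAuth() flow rewritten so that the password is never stored in the session or in the database in clear text, the SQL is built with prepared statements instead of escape(), and the session carries only the user id. The schema is an assumption made for the example: a table `users` with columns UserID, UserAlias, PasswordHash and AuthLevel, where PasswordHash holds the output of password_hash(). It needs PHP 8.0 or later and PDO.

```php
<?php
// Added example (editor's code, not post_phobic's): the thread's login and
// getAuth() flow with prepared statements, hashed passwords, and a session
// that holds only the user id. Assumed schema, not from the thread: table
// `users` (UserID, UserAlias, PasswordHash, AuthLevel), PasswordHash being
// the output of password_hash(). Needs PHP 8.0+ and PDO.
declare(strict_types=1);

const AUTH_GUEST = 0;   // no valid session, or the account no longer exists
const AUTH_USER  = 1;
const AUTH_ADMIN = 10;  // "10 or above" in the thread's scheme

final class Auth
{
    private string $dummyHash;

    public function __construct(private PDO $db)
    {
        // Used when the alias is unknown, so that path costs the same time as
        // a real password check and does not reveal which aliases exist.
        $this->dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    // Call once per request, before any output. HttpOnly keeps the session
    // id away from page scripts; Secure keeps it off plain HTTP.
    public static function startSession(): void
    {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }

    // Registration stores a hash; the plaintext password is never written.
    public function register(string $alias, string $password, int $level = AUTH_USER): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO users (UserAlias, PasswordHash, AuthLevel) VALUES (?, ?, ?)');
        $stmt->execute([$alias, password_hash($password, PASSWORD_DEFAULT), $level]);
    }

    // Returns true on success. No escape() call is needed: the alias is a
    // bound parameter, and the password never becomes part of the SQL at all.
    public function login(string $alias, string $password): bool
    {
        $stmt = $this->db->prepare(
            'SELECT UserID, PasswordHash FROM users WHERE UserAlias = ? LIMIT 1');
        $stmt->execute([$alias]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() always runs, so unknown and known aliases take the same time.
        $hash = $row === false ? $this->dummyHash : $row['PasswordHash'];
        if (!password_verify($password, $hash) || $row === false) {
            $_SESSION['failed_login'] = ($_SESSION['failed_login'] ?? 0) + 1;
            return false;
        }

        // New session id at the moment of privilege change: a session id that
        // already existed in the browser before login never becomes the
        // logged-in one (protects against session fixation).
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) $row['UserID'];
        unset($_SESSION['failed_login']);
        return true;
    }

    // Replacement for getAuth(): the session says who the user is, the
    // database says what they may do, so a demotion or a deleted account
    // takes effect on the next request without storing alias or password.
    public function getAuth(): int
    {
        if (!isset($_SESSION['user_id'])) {
            return AUTH_GUEST;
        }
        $stmt = $this->db->prepare('SELECT AuthLevel FROM users WHERE UserID = ?');
        $stmt->execute([(int) $_SESSION['user_id']]);
        $level = $stmt->fetchColumn();
        return $level === false ? AUTH_GUEST : (int) $level;
    }

    // Guard to run before each INSERT/UPDATE handler: the action never runs
    // when the level is too low.
    public function requireAuth(int $minimum): void
    {
        if ($this->getAuth() < $minimum) {
            http_response_code(403);
            exit('Access denied');
        }
    }
}

// Usage from index.php (the DSN and credentials are placeholders):
// Auth::startSession();
// $pdo  = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $auth = new Auth($pdo);
// $level = $auth->getAuth();        // hand this to the templates as before
// $auth->requireAuth(AUTH_ADMIN);   // in front of an admin-only update
```

Two design points worth noting against the original: getAuth() no longer needs the password at all, because the session id itself is the proof of an earlier successful login, and re-reading AuthLevel by UserID on every request keeps the "10 or above for an admin" rule authoritative in the database rather than in a copy held in the session.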
paqman
Forum Contributor
Posts: 125
Joined: Sun Nov 14, 2004 7:41 pm
Location: Burnaby, BC, Canada

Re: Is my logon and access control code secure?

Post by paqman »

I personally use Acunetix to quickly try and break into my websites - just the free version since I don't have the huuuuge amount of money they charge for a license. The free one doesn't do everything, but I figure it's better than nothing! Try looking for other Website Security Auditing software out there - I'm sure there are other free trials you can try to take advantage of.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is my logon and access control code secure?

Post by kaisellgren »

Also, don't store the alias in the session. All you need to store there is the level of authentication and the user id. Your getAuth() function is not escaping in lines 3-4.
post_phobic
Forum Newbie
Posts: 8
Joined: Tue Feb 03, 2009 3:58 pm

Re: Is my logon and access control code secure?

Post by post_phobic »

Thanks for the feedback! I will check out Acunetix, sounds like a good idea.

I ended up integrating with Simple Machines Forum, so I am using their code for registration and access control now.

Ah, for lines 3-4: is it possible for someone to make up their own session variables and try to pass them through my code? I am still learning about sessions; how would this usually be done?
phpGamer
Forum Newbie
Posts: 5
Joined: Tue Aug 25, 2009 11:12 am

Re: Is my logon and access control code secure?

Post by phpGamer »

I'm still learning about sessions too, but anyone can just key in a session in a URL. They can also steal sessions with XSS: http://shiflett.org/articles/foiling-cross-site-attacks

I would take a look at this stuff: http://www.tuxradar.com/practicalphp/10/0/0. It really cleared up a lot of questions about sessions for me, and also the part about 'files v. databases': if you're using shared webhosting, it looks like you need to consider a different approach than just ripping stuff from $_SESSION.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is my logon and access control code secure?

Post by kaisellgren »

post_phobic wrote: "is it possible for someone to make up their own session variables"

Those "session variables" can be set by your scripts or by someone who has cracked into the session storage space. You should put as little trust in your session variables as possible. It's unlikely that anyone is going to alter your session data, though.