How to make administration section secure

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

lshaw
Forum Commoner
Posts: 69
Joined: Mon Apr 20, 2009 3:40 pm
Location: United Kingdom

How to make administration section secure

Post by lshaw »

hello,

I want to make a secure administration section, using session variables and a database, but I assume just session variables are not secure enough, so I was wondering if anyone knew any good way of protecting a site with an admin section from crackers. I cannot use IPs as most people using the site will have dynamic IPs.

Thanks for any help

Lewis
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: How to make administration section secure

Post by s.dot »

Make sure when you elevate permissions for a user you are using session_regenerate_id(true) and regenerate the id often. Also you can create a "fingerprint" for the user. Such as:

Code:

if (empty($_SESSION['fingerprint']))
{
    // first request after login: bind this session to the user and their browser
    $_SESSION['fingerprint'] = md5($username . $_SERVER['HTTP_USER_AGENT']);
}

// compare against the same hashed value; the stored md5 never equals the raw string
if ($_SESSION['fingerprint'] !== md5($username . $_SERVER['HTTP_USER_AGENT']))
{
    //logout
}
This way it will lock them to the same browser and log them out if they somehow switch browsers during their session. :) There are other values you can use for fingerprints as well.
lshaw
Forum Commoner
Posts: 69
Joined: Mon Apr 20, 2009 3:40 pm
Location: United Kingdom

Re: How to make administration section secure

Post by lshaw »

How often would you regenerate the session id? Just when selecting from the database and setting the authentication variables?

The fingerprint code looks good, but would the if condition need to md5() the username too for it to match?

[EDIT] Would adding the IP address to the fingerprint help at all?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How to make administration section secure

Post by kaisellgren »

You asked a very broad question. Securing an application is not a one-day task, and using certain controls does not guarantee anything. You need to perceive your assets, and model the idea of threats before you can go secure something.

Tying active sessions to IP addresses and user agents (often referred to as "fingerprinting") is favorable. However, as you mentioned, IP addresses may well change too often for your liking, thus, you can only tie them to a certain degree (e.g., don't check for all four parts of the IPv4 address.)

Session regeneration helps mostly in a way of hardening session prediction attacks assuming that the old session was destroyed (i.e., when using session_regenerate_id(), set the first parameter to true.) Another reason to regenerate the session (or just change the identifier) is to prevent session fixation attacks in which case the regeneration would take place after the authentication.

lshaw wrote: How often would you regenerate the session id?

Regenerate it after the initial log-on (it is a must). And after that, the more you do that, the better, but I doubt this is going to be the weakest node in your chain meaning that you have probably other more important things to worry about.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: How to make administration section secure

Post by social_experiment »

lshaw wrote: Would adding the IP address to the fingerprint help at all?

You could register the IP address as a session variable, and in your authorization page check that value against $_SERVER['REMOTE_ADDR'] as the user moves between pages. Another thing is to write the fingerprint value (which you could also hash) to the database, and register a session variable ($_SESSION['fingerprint']) and compare the one inside the database against the session variable and should they not match, assume the user is not logged in or something is not correct and redirect the user.
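Putting kaisellgren's and social_experiment's advice together in one place, as an added example that is not code from any of the posters: regenerate the id on login with the old one destroyed, fingerprint the session with the user agent plus only the first three IPv4 octets, re-check it on every admin page, and rotate the id periodically. It assumes session_start() has already run and that FP_SECRET is a random secret in server-side config (placeholder here); hash_hmac with sha256 replaces the plain md5 shown above.

```php
<?php
// Added example (not the posters' code). Assumes session_start() already ran and
// FP_SECRET is a long random string from server-side config (placeholder below).
// Matching only the first three IPv4 octets is a heuristic that tolerates most
// dynamic-IP changes within one /24 without loosening the check completely.
const FP_SECRET = 'PLACEHOLDER-replace-with-a-random-secret';

function partialIp(string $ip): string {
    // First three octets of an IPv4 address; anything else is compared in full.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    return $ip;
}

function makeFingerprint(string $userAgent, string $ip): string {
    // Keyed hash so a client cannot compute a valid fingerprint on its own.
    return hash_hmac('sha256', $userAgent . '|' . partialIp($ip), FP_SECRET);
}

function currentFingerprint(): string {
    return makeFingerprint($_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '');
}

function adminLogin(int $userId): void {
    // New id with the old one destroyed defeats session fixation; then bind the
    // fresh session to this client's fingerprint.
    session_regenerate_id(true);
    $_SESSION['admin_id']    = $userId;
    $_SESSION['fingerprint'] = currentFingerprint();
    $_SESSION['last_regen']  = time();
}

function requireAdmin(): void {
    // Call at the top of every admin page.
    if (empty($_SESSION['admin_id']) || empty($_SESSION['fingerprint'])
        || !hash_equals($_SESSION['fingerprint'], currentFingerprint())) {
        // No login or fingerprint mismatch: treat as logged out and redirect.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    // Rotate the id every 10 minutes so a leaked id stops working soon.
    if (time() - (int)($_SESSION['last_regen'] ?? 0) > 600) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}
```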