Is this code secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

BenB
Forum Newbie
Posts: 3
Joined: Tue Mar 30, 2010 1:37 pm

Is this code secure?

Post by BenB »

Hi there,
I'm trying to make a cookie which stores an authentication value so the user doesn't need to log in every time they visit the website. Is this code secure, as in, it would be infeasible for an attacker to try and guess or work out the value even if they knew how the result was made?

Code:

$salt = "my random string here";
$randomString = hash('sha256', $salt.microtime(true).mt_rand(10000000,99999999));
The idea is that the result this produces would be stored in the database too, and the two values compared when the user visits the site.

Thanks, your help is appreciated!
Last edited by Benjamin on Tue Mar 30, 2010 1:45 pm, edited 1 time in total.
Reason: Added [syntax=php] tags.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Is this code secure?

Post by AbraCadaver »

All an attacker needs is the cookie, yes? The value is in the cookie.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
BenB
Forum Newbie
Posts: 3
Joined: Tue Mar 30, 2010 1:37 pm

Re: Is this code secure?

Post by BenB »

AbraCadaver wrote: All an attacker needs is the cookie, yes? The value is in the cookie.
So how does one prevent this?
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Is this code secure?

Post by AbraCadaver »

BenB wrote:
AbraCadaver wrote: All an attacker needs is the cookie, yes? The value is in the cookie.
So how does one prevent this?
I don't think there is a surefire way. You can use HTTPS so that the cookie is not intercepted in transit, but if the user's machine is compromised then I'm not sure what you can do about it.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Is this code secure?

Post by Benjamin »

BenB wrote: is this code secure, as in, it would be infeasible for an attacker to try and guess or work out the value even if they knew how the result was made
Yes, it is secure in that aspect.
BenB
Forum Newbie
Posts: 3
Joined: Tue Mar 30, 2010 1:37 pm

Re: Is this code secure?

Post by BenB »

Benjamin wrote: Yes, it is secure in that aspect.
So is this an advisable piece of code to use? Are there any aspects in which it is not secure, apart from the Man in the Middle attack mentioned above?
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Is this code secure?

Post by flying_circus »

BenB wrote: So is this an advisable piece of code to use?
I don't think any security-conscious developer would advise keeping a user logged in.

You need to take a good look at how sensitive your data is and determine if the risk of a compromised account is worth the reward. This forum remembers logins, but there isn't a significant risk involved.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Is this code secure?

Post by Benjamin »

Adding to what flying_circus mentioned.

What you are doing is creating a random string for use as a login key. This is simple. Is it hard to guess? Yes. You could simply MD5 the user's user name, password and login time to create this string. Since an attacker would not know the password or login time, they would not be able to create the key.

Will this make your system secure? There are many other points of entry, to put it mildly.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: Is this code secure?

Post by s.dot »

Here's what I do:
Generate a hashed value string unique to the user (e.g. hash username, id, random string).
Store it in the db and in a cookie.
If not logged in, check for cookie existence, check it against the db string.
If it matches, log them in, and set a new string.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
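
The store, check and rotate scheme s.dot describes, written out as an added example (it is not code from any poster in this thread). It assumes PHP 7.3 or later, uses an in-memory array in place of the database table, and the function names `issueToken` and `redeemToken` and the cookie name `remember` are hypothetical:

```php
<?php
declare(strict_types=1);

// Constructed in-memory store standing in for the database table:
// selector => ['user_id' => int, 'token_hash' => string, 'expires' => int]
$store = [];

// Issue a persistent-login token; returns the cookie value "selector:token".
// The token is pure CSPRNG output: nothing in it derives from the password,
// the username or the clock.
function issueToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector = bin2hex(random_bytes(9));   // lookup key, not secret
    $token    = bin2hex(random_bytes(32));  // 256 bits from the OS CSPRNG
    $store[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token), // only the hash is stored
        'expires'    => time() + $ttl,
    ];
    return $selector . ':' . $token;
}

// Validate a cookie value. The stored row is consumed on every attempt and,
// on success, replaced with a fresh token (the "set new string" step).
// Returns [userId, newCookieValue], or null if the cookie is not valid.
function redeemToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $token] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);               // single use
    if ($row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;                        // expired or wrong token
    }
    return [$row['user_id'], issueToken($store, $row['user_id'])];
}

// Usage: the first redemption succeeds and rotates; a replay is rejected.
$cookie = issueToken($store, 42);
[$uid, $next] = redeemToken($store, $cookie);
var_dump($uid === 42, $next !== $cookie, redeemToken($store, $cookie) === null);
// In a web request the rotated value would be sent over HTTPS only:
// setcookie('remember', $next, ['expires' => time() + 1209600, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Storing only the SHA-256 of the token means a read of the table does not yield usable cookies, and `hash_equals` keeps the comparison constant-time.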
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is this code secure?

Post by kaisellgren »

BenB, you want the user to stay in a session and the key you have created is known as the session identifier. PHP has built-in support for sessions, see: http://fi2.php.net/manual/en/book.session.php. It's going to be stronger than yours.
samwho
Forum Newbie
Posts: 15
Joined: Sat Apr 03, 2010 8:06 am

Re: Is this code secure?

Post by samwho »

Mm, I tried to make a similar system but a friend of mine who has a lot more experience with PHP told me I was trying to reinvent the wheel ^_^ Sessions, I am told, are a far better and more secure method to do logins.

However, I'm not sure that would solve your problem... You want a persistent login, right? Stay logged in every single day (until your cookies get cleared, of course). The secure key you're generating would be pretty damn hard to guess, yeah. You could use SHA512 for added security but I'm not sure if the extra 64 chars are going to be worth it.

As was already stated, depends how sensitive your data is :) If it's nothing financial or personal detail related, don't worry more than you are.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is this code secure?

Post by Mordred »

Benjamin wrote: You could simply MD5 the user's user name, password and login time to create this string.
So, an XSS flaw to steal the cookie, then you can run an offline brute-force attack against the password (the usernames in most systems are publicly known or at least enumerable, or if you have an XSS that targets a specific user (think PM), you can skip the username enumeration). The login time does add significant delay, but even with 86K seconds in a day, you can achieve speeds like 2000 passwords per second. (200mil/second reported speed of http://bvernoux.free.fr/md5/index.php / (60*60*24)). You can optimize this if you search the "login time" space consecutively from one second ago to one day ago.

In short, don't include the user's password in any hash without salting it with a big secret.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Is this code secure?

Post by Benjamin »

Perhaps theoretically, but one would need to know what the login key consists of and in what order to know where to begin. That's not really relevant though, because if you had the login key, you could just log in. Further, if you had the password, you wouldn't need the login key.