Page 1 of 1

Is this code secure?

Posted: Tue Mar 30, 2010 1:43 pm
by BenB
Hi there,
I'm trying to make a cookie which stores an authentication value so the user doesn't need to log in every time they visit the website, is this code secure, as in, it would be infeasible for an attacker to try and guess or work out the value even if they knew how the result was made:

Code: Select all

$salt = "my random string here";
$randomString = hash('sha256', $salt.microtime(true).mt_rand(10000000,99999999));
The idea is that the result this produces would be stored in the database too, and the two values compared when the user visits the site.

Thanks, your help is appreciated!

Re: Is this code secure?

Posted: Tue Mar 30, 2010 2:24 pm
by AbraCadaver
All an attacker needs is the cookie yes? The value is in the cookie.

Re: Is this code secure?

Posted: Tue Mar 30, 2010 4:17 pm
by BenB
AbraCadaver wrote:All an attacker needs is the cookie yes? The value is in the cookie.
So how does one prevent this?

Re: Is this code secure?

Posted: Tue Mar 30, 2010 4:35 pm
by AbraCadaver
BenB wrote:
AbraCadaver wrote:All an attacker needs is the cookie yes? The value is in the cookie.
So how does one prevent this?
I don't think there is a sure fire way. You can use HTTPS so that the cookie is not intercepted in transit, but if the user's machine is compromised then I'm not sure what you can do about it.

Re: Is this code secure?

Posted: Tue Mar 30, 2010 8:42 pm
by Benjamin
BenB wrote:is this code secure, as in, it would be infeasible for an attacker to try and guess or work out the value even if they knew how the result was made
Yes, it is secure in that aspect.

Re: Is this code secure?

Posted: Thu Apr 01, 2010 12:43 pm
by BenB
Benjamin wrote:Yes, it is secure in that aspect.
So is this an advisable piece of code to use? Are there any aspects in which it is not secure, apart from the Man in the Middle attack mentioned above?

Re: Is this code secure?

Posted: Thu Apr 01, 2010 6:38 pm
by flying_circus
BenB wrote:So is this an advisable piece of code to use?
I don't think any security conscious developer would advise keeping a user logged in.


You need to take a good look at how sensitive your data is and determine if the risk of a compromised account is worth the reward. This forum remembers login's, but there isnt a significant risk invovled.

Re: Is this code secure?

Posted: Fri Apr 02, 2010 12:52 am
by Benjamin
Adding to what flying_circus mentioned.

What you are doing is creating a random string for use as a login key. This is simple. Is it hard to guess? Yes. You could simply MD5 the users user name, password and login time to create this string. Since an attacker would not know the password or login time, they would not be able to create the key.

Will this make your system secure? There are many other points of entries, to put it mildly.

Re: Is this code secure?

Posted: Fri Apr 02, 2010 1:07 am
by s.dot
here's what i do
generate a hashed value string unique to the user (eg hash username, id, random string)
store it in db and in cookie
if not logged in, check for cookie existence, check it against the db string.
if it matches, log them in, and set new string

Re: Is this code secure?

Posted: Sat Apr 03, 2010 9:05 am
by kaisellgren
BenB, you want the user to stay in a session and the key you have created is known as the session identifier. PHP has a built-in support for sessions, see: http://fi2.php.net/manual/en/book.session.php. It's going to be stronger than yours.

Re: Is this code secure?

Posted: Sat Apr 03, 2010 11:20 am
by samwho
Mm, I tried to make a similar system but a friend of mine who has a lot more experience with PHP told me I was trying to reinvent the wheel ^_^ Sessions, I am told, are a far better and more secure method to do logins.

However, I'm not sure that would solve your problem... You want a persistent login, right? Stay logged in every single day (until your cookies get cleared, of course). The secure key you're generating would be pretty damn hard to guess, yeah. You could use SHA512 for added security but I'm not sure if the extra 64 chars are going to be worth it.

As was already stated, depends how sensitive your data is :) If it's nothing financial or personal detail related, don't worry more than you are.

Re: Is this code secure?

Posted: Thu Apr 22, 2010 7:58 am
by Mordred
Benjamin wrote: You could simply MD5 the users user name, password and login time to create this string.
So, a XSS flaw to steal the cookie, then you can run an offline bruteforce attack against the password (the usernames in most systems are publicly known or at least enumeratable, or if you have a XSS that targets a specific user (think PM), you can skip the username enumeration). The login time does add significant delay, but even with 86K seconds in a day, you can achieve speeds like 2000 passwords per second. (200mil/second reported speed of http://bvernoux.free.fr/md5/index.php / (60*60*24)). You can optimize this if you search the "login time" space consecutively from one second ago to one day ago.

In short, don't include the user's password in any hash without salting it with a big secret.

Re: Is this code secure?

Posted: Thu Apr 22, 2010 9:03 am
by Benjamin
Perhaps theoretically, but one would need to know what the login key consists of and in what order to know where to begin. That's not really relevant though, because if you had the login key, you could just login. Further, if you had the password, you wouldn't need the login key.