Secure Login for Flex/PHP Application

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

netdesk
Forum Newbie
Posts: 3
Joined: Thu Apr 08, 2010 5:50 am

Secure Login for Flex/PHP Application

Post by netdesk »

Hi,
I'm currently developing an application using Flex and PHP. A very abstract description of how the application is built up:

The frontend is built with Adobe Flex and is accessed via a web browser using the Flash Player. It communicates with PHP using HTTP-Services. PHP is used to read and write information to a MySQL database. The PHP processes partly require authorization with a username and password.
The Flex Application starts with a login box where the user enters username and password. The login data is sent to PHP using a HTTP Service, which transports the data via POST. The password is currently sent as MD5 hash. In PHP, the received login data is validated against a database table.

The authorization in PHP should only be done once (after the login box) to avoid sending username and password every time from the client to the remote server which does the PHP work. So I think the only way to keep the user "logged in" is writing a session variable.
Later, when the Flex application sends a command to PHP, PHP tests whether the session variable exists. If the variable exists, the user is authorized and the command is executed. If the variable doesn't exist, he is not authorized and the command is not executed.

My question: Is this "secure"? Can this be optimized?
I thought about a concept using a "secure key": After the login-data is validated, a secure key is generated of, say, 100 random characters. This secure key is written to the session and sent back to the Flex App. Later, when the Flex App sends commands to the PHP server, it also sends the secure key. So PHP just needs to compare the secure key stored in the session with the key sent by Flex. If it's the same key, the user is authorized. Would that make it "more secure"?

Thanks for comments and hints!
Last edited by netdesk on Sun Apr 18, 2010 6:53 am, edited 1 time in total.
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: Secure Login for Flex/PHP Application

Post by tr0gd0rr »

If the Flex app passes the session id with each request, I think PHP should not act any differently than with a normal web page. You should be able to use PHP's built-in session functionality.

So if session id is not passed or `$_SESSION` is empty after `session_start()` then no session exists with that id. If the session id is valid, check some value in session such as `$_SESSION['is_authorized']`.

It should be no different than a regular web app except that you output XML or JSON or whatever instead of HTML. If you use a SOAP service instead of a REST service, your input will come directly into a function instead of `$_GET` and you would need to set the session id using `session_id($passedId)` before calling `session_start()`.
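
Added example (not part of the original thread or any poster's code): a JSON endpoint that combines the `$_SESSION['is_authorized']` check described above with the per-session "secure key" from the first post. `post()`, `credentials_ok()`, the `action` field and the demo account are hypothetical, and the `secure` cookie flag assumes the service is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Read a POST field as a string; array-valued input is treated as empty.
function post(string $name): string
{
    $v = $_POST[$name] ?? '';
    return is_string($v) ? $v : '';
}

// Hypothetical stand-in for the database lookup (constructed demo account).
function credentials_ok(string $user, string $password): bool
{
    $demoHash = password_hash('demo-password', PASSWORD_DEFAULT);
    return hash_equals('demo', $user) && password_verify($password, $demoHash);
}

function login(string $user, string $password): ?string
{
    if (!credentials_ok($user, $password)) {
        return null;
    }
    session_regenerate_id(true);                   // fresh id once privileges change
    $_SESSION['is_authorized'] = true;
    $_SESSION['key'] = bin2hex(random_bytes(32));  // the per-session "secure key"
    return $_SESSION['key'];
}

function is_authorized(string $sentKey): bool
{
    return !empty($_SESSION['is_authorized'])
        && is_string($_SESSION['key'] ?? null)
        && hash_equals($_SESSION['key'], $sentKey);
}

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();
header('Content-Type: application/json');

if (post('action') === 'login') {
    $key = login(post('username'), post('password'));
    http_response_code($key === null ? 401 : 200);
    echo json_encode($key === null ? ['ok' => false] : ['ok' => true, 'key' => $key]);
} elseif (is_authorized(post('key'))) {
    echo json_encode(['ok' => true, 'result' => 'command executed']);
} else {
    http_response_code(403);
    echo json_encode(['ok' => false, 'error' => 'not authorized']);
}
```

The key travels over the same connection as the session cookie, so it adds nothing against an eavesdropper on plain HTTP; what it does add is that a request carrying only the automatically sent cookie, without the key in the body, is refused.
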
minorDemocritus
Forum Commoner
Posts: 96
Joined: Thu Apr 01, 2010 7:28 pm
Location: Chicagoland, IL, USA

Re: Secure Login for Flex/PHP Application

Post by minorDemocritus »

netdesk wrote:
> The Flex Application starts with a login box where the user enters username and password. The login data is sent to PHP using a HTTP Service, which transports the data via POST. The password is currently sent as MD5 hash. In PHP, the received login data is validated against a database table.

It doesn't really apply to the sessions, but since we're supposed to nitpick:

MD5 is "good enough", but you can do better. There are some theoretical vulnerabilities what with the collision potential... SHA1 would be somewhat better, but that's not a huge concern.

A bigger issue is that everyone knows the MD5 for 'password'. You'd be a lot better off if you salt the password first:

```php
$password = 'somesecret';
$salt1 = '2Kx!q';
$salt2 = 'd#I9%';
$token = sha1($salt1 . $password . $salt2);
// put the $token in the DB
```

Obviously, if someone gets a hold of the code AND the database, they can still do some brute force matching... but if only your code OR your database is compromised, it can help protect the users' passwords.

EDIT: didn't realize you were talking about password hashing BEFORE transmit. That helps protect the password, but it still can leave your application open. Someone just has to sniff the hashed password off the wire, and they can still get in. You're much better off using HTTPS.
netdesk
Forum Newbie
Posts: 3
Joined: Thu Apr 08, 2010 5:50 am

Re: Secure Login for Flex/PHP Application

Post by netdesk »

Thanks for your comments so far!

@minorDemocritus: I'll store and transfer the passwords salted and sha1 encoded instead of md5.
@tr0gd0rr: I'll try to implement your hint. I think you mean pretty much the same as in http://phpsec.org/projects/guide/4.html where the recommendation is to regenerate the session id if the "is_authorized" in your example does not exist or the access level changes.

What about my idea to store a secure key in the session after login, which needs to be transferred from Flex to PHP every time? Would it make things more secure?

HTTPS is another story. Being exact, I'm not only developing a single App. Currently I try to build a basic framework consisting of the PHP part and the Flex part, which should be reusable for different future projects. If I see that this "framework" (I don't like the term, don't know if it matches in this case) is useful, I'll make it public and develop it as a little open source project.
minorDemocritus
Forum Commoner
Posts: 96
Joined: Thu Apr 01, 2010 7:28 pm
Location: Chicagoland, IL, USA

Re: Secure Login for Flex/PHP Application

Post by minorDemocritus »

netdesk wrote:
> Thanks for your comments so far!
>
> @minorDemocritus: I'll store and transfer the passwords salted and sha1 encoded instead of md5.

Well, that doesn't really help much... since you're transferring the password hash over the wire, it can be sniffed. Hashing and salting makes it harder to recover the actual password entered, but it won't really improve security, since an attacker that has the hash can just push that to the form, and he's authenticated. Hashing really only helps the security of your users if the database is compromised.
netdesk
Forum Newbie
Posts: 3
Joined: Thu Apr 08, 2010 5:50 am

Re: Secure Login for Flex/PHP Application

Post by netdesk »

Ok, but how can one make the transfer of passwords secure independently of the server configuration? As the developer of the "framework", I can only recommend that the users of the framework use it over an HTTPS connection. But that's a challenge which every script faces if it uses authorization. For a login, at least a password must be transferred from the client to the server, hashed or not.

Do I have any options which can be implemented in Flex/PHP?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Secure Login for Flex/PHP Application

Post by timWebUK »

Some sort of challenge-response mechanism, meaning that the password does not actually need to be sent over HTTP.

There is a little bit of information in this thread on challenge-response, but as mentioned, it shouldn't be considered an alternative to HTTPS.

viewtopic.php?f=34&t=110430
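
Added example (not part of the original thread or the linked one): a minimal HMAC-based challenge-response with a single-use, expiring server challenge, showing that a response captured once is rejected when sent again. The function names and the shared secret are hypothetical, and the client side, which would be Flex in this thread, is simulated in PHP so the exchange runs in one script.

```php
<?php
declare(strict_types=1);

// Server: issue a one-time challenge and remember it in the session data.
function issue_challenge(array &$session): string
{
    $session['challenge'] = bin2hex(random_bytes(16));
    $session['challenge_expires'] = time() + 60;
    return $session['challenge'];
}

// Client (simulated): prove knowledge of the secret without sending it.
function client_response(string $secret, string $challenge): string
{
    return hash_hmac('sha256', $challenge, $secret);
}

// Server: verify the response, discarding the challenge whether or not it matches.
function verify_response(array &$session, string $secret, string $response): bool
{
    $challenge = $session['challenge'] ?? null;
    $expires = $session['challenge_expires'] ?? 0;
    unset($session['challenge'], $session['challenge_expires']); // single use
    if (!is_string($challenge) || time() > $expires) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $challenge, $secret), $response);
}

// Demo with constructed values; $session stands in for $_SESSION.
$session = [];
$secret = 'constructed-shared-secret';

$challenge = issue_challenge($session);
$response = client_response($secret, $challenge);

var_dump(verify_response($session, $secret, $response)); // first use of a fresh challenge
var_dump(verify_response($session, $secret, $response)); // same response sent a second time
issue_challenge($session);
var_dump(verify_response($session, $secret, $response)); // old response against a new challenge
```

The server has to hold the secret in a form it can feed to the HMAC, so whatever it stores is itself sufficient to log in, and nothing here protects the session or the data exchanged after login.
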
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Secure Login for Flex/PHP Application

Post by kaisellgren »

Do you mean you hash the password with MD5 client-side and then send the hashed password to your web application? It would be much better to send the password as-is, via SSL/TLS, and then have it hashed on the server with a salt and a key before it is stored in the database.
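
Added example (not part of the original thread or any poster's code): one way to hash on the server "with a salt and a key", which also covers the salting discussed earlier in the thread. It uses PHP's `password_hash()` for the per-user random salt and an HMAC pre-hash for the key; `PEPPER`, `hash_for_storage()`, `verify_password()` and `needs_upgrade()` are hypothetical names, and the key is assumed to live in server configuration rather than in the database.

```php
<?php
declare(strict_types=1);

// Assumption: this key is loaded from server configuration, never stored in the database.
const PEPPER = 'constructed-demo-key-change-me';

// Keyed pre-hash. Base64 keeps the value free of NUL bytes and at 44 characters,
// well inside bcrypt's 72-byte input limit.
function keyed(string $password): string
{
    return base64_encode(hash_hmac('sha256', $password, PEPPER, true));
}

function hash_for_storage(string $password): string
{
    // password_hash() generates a random salt per call and embeds it in its output.
    return password_hash(keyed($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify(keyed($password), $stored);
}

// True when a stored hash was made with older parameters and should be
// recomputed at the user's next successful login.
function needs_upgrade(string $stored): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Demo with constructed values.
$first = hash_for_storage('somesecret');
$second = hash_for_storage('somesecret');

var_dump($first === $second);                     // same password hashed twice, separate salts
var_dump(verify_password('somesecret', $first));  // correct password
var_dump(verify_password('password', $first));    // wrong password
var_dump(needs_upgrade($first));                  // parameters match the current policy
```
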