Hi,
I'm currently developing an application using Flex and PHP. A very abstract description of how the application is built up:
The frontend is built with Adobe Flex and is accessed via a web browser using the Flash Player. It communicates with PHP using HTTP services. PHP is used to read and write information to a MySQL database. The PHP processes partly require authorization with a username and password.
The Flex application starts with a login box where the user enters username and password. The login data is sent to PHP using an HTTP service, which transports the data via POST. The password is currently sent as an MD5 hash. In PHP, the received login data is validated against a database table.
The authorization in PHP should only be done once (after the login box) to avoid sending username and password every time from the client to the remote server which does the PHP work. So I think the only way to keep the user "logged in" is writing a session variable.
Later, when the Flex application sends a command to PHP, PHP tests whether the session variable exists. If the variable exists, the user is authorized and the command is executed. If the variable doesn't exist, he is not authorized and the command is not executed.
My question: Is this "secure"? Can this be optimized?
I thought about a concept using a "secure key": After the login data is validated, a secure key is generated from, say, 100 random characters. This secure key is written to the session and sent back to the Flex app. Later, when the Flex app sends commands to the PHP server, it also sends the secure key. So PHP just needs to compare the secure key stored in the session with the key sent by Flex. If it's the same key, the user is authorized. Would that make it "more secure"?
Thanks for comments and hints!
Secure Login for Flex/PHP Application
Last edited by netdesk on Sun Apr 18, 2010 6:53 am, edited 1 time in total.
Re: Secure Login for Flex/PHP Application
If the Flex app passes the session id each request, I think PHP should not act any different than a normal web page. You should be able to use PHP's built-in session functionality.
So if session id is not passed or `$_SESSION` is empty after `session_start()` then no session exists with that id. If the session id is valid, check some value in session such as `$_SESSION['is_authorized']`.
It should be no different than a regular web app except that you output XML or JSON or whatever instead of HTML. If you use a SOAP service instead of a REST service, your input will come directly into a function instead of $_GET and you would need to set the session id using `session_id($passedId)` before calling `session_start()`.
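The following is an added example, not code from the thread or from any of its posters. It puts tr0gd0rr's advice into a small PHP backend: the Flex client sends the PHP session id with each request, the command endpoint checks `$_SESSION['is_authorized']`, and netdesk's per-session "secure key" is generated at login and compared on every command. It assumes credentials have already been verified elsewhere, PHP 7 or later, and that the site runs over HTTPS; the function names (`start_session_from_request`, `login_success`, `authorize_command`, `handle_command`), the session name and the POST field names (`sid`, `key`, `cmd`) are assumptions.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+, HTTPS, and that the
// login endpoint has already verified username and password.
declare(strict_types=1);

const SESSION_NAME = 'FLEXSESSID';   // assumed cookie/parameter name

// Start the session, taking the id from a POST field when the client sends it
// explicitly (as a Flex HTTPService would) instead of relying only on cookies.
function start_session_from_request(array $post): void
{
    ini_set('session.use_strict_mode', '1');  // ids the server never issued are discarded
    ini_set('session.use_only_cookies', '1'); // never read ids from the query string
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');    // assumes the site runs over HTTPS
    session_name(SESSION_NAME);

    $sid = (string)($post['sid'] ?? '');
    // Only accept ids that look like something PHP could have produced.
    if ($sid !== '' && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1) {
        session_id($sid);                      // set before session_start(), as tr0gd0rr says
    }
    session_start();
}

// Called once, after the login endpoint has verified the credentials.
// Returns what the Flex app must keep: the session id and the per-session key.
function login_success(string $username): array
{
    session_regenerate_id(true);               // fresh id, old one destroyed (session fixation defence)
    $key = bin2hex(random_bytes(32));          // netdesk's "secure key": 64 hex chars from a CSPRNG
    $_SESSION = [
        'is_authorized' => true,
        'username'      => $username,
        'key'           => $key,
        'login_time'    => time(),
    ];
    return ['sid' => session_id(), 'key' => $key];
}

// Called by every command endpoint. Returns the authorized username, or null.
function authorize_command(array $post, int $maxAge = 3600): ?string
{
    if (empty($_SESSION) || empty($_SESSION['is_authorized'])) {
        return null;                           // unknown id, expired, or never logged in
    }
    if (time() - (int)($_SESSION['login_time'] ?? 0) > $maxAge) {
        session_destroy();
        return null;                           // absolute session lifetime exceeded
    }
    $sent = (string)($post['key'] ?? '');
    // Constant-time comparison so timing does not leak how many characters matched.
    if (!hash_equals((string)$_SESSION['key'], $sent)) {
        return null;
    }
    return (string)$_SESSION['username'];
}

// Entry point for one command request (one HTTPService call from Flex).
function handle_command(array $post): array
{
    start_session_from_request($post);
    $user = authorize_command($post);
    if ($user === null) {
        http_response_code(401);
        return ['ok' => false, 'error' => 'not authorized'];
    }
    return ['ok' => true, 'user' => $user, 'cmd' => (string)($post['cmd'] ?? '')];
}

header('Content-Type: application/json');
echo json_encode(handle_command($_POST));
```

The per-session key adds a second secret that a different endpoint (the login response) hands out, so a session id obtained on its own is not enough. It does not change the transport problem the thread keeps returning to: the key travels with every request exactly like the session id, so without HTTPS anyone who can read the traffic gets both.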
-
minorDemocritus
- Forum Commoner
- Posts: 96
- Joined: Thu Apr 01, 2010 7:28 pm
- Location: Chicagoland, IL, USA
Re: Secure Login for Flex/PHP Application
It doesn't really apply to the sessions, but since we're supposed to nitpick:
netdesk wrote:
The Flex Application starts with a login box where the user enters username and password. The login data is sent to PHP using a HTTP Service, which transports the data via POST. The password is currently sent as MD5 hash. In PHP, the received login data is validated against a database table.
MD5 is "good enough", but you can do better. There are some theoretical vulnerabilities what with the collision potential... SHA1 would be somewhat better, but that's not a huge concern.
A bigger issue is that everyone knows the MD5 for 'password'. You'd be a lot better off if you salt the password first:
$password = 'somesecret';
$salt1 = '2Kx!q';
$salt2 = 'd#I9%';
$token = sha1($salt1 . $password . $salt2);
// put the $token in the DB
EDIT: didn't realize you were talking about password hashing BEFORE transmit. That helps protect the password, but it still can leave your application open. Someone just has to sniff the hashed password off the wire, and they can still get in. You're much better off using HTTPS.
Re: Secure Login for Flex/PHP Application
Thanks for your comments so far!
@minorDemocritus: I'll store and transfer the passwords salted and sha1 encoded instead of md5.
@tr0gd0rr: I'll try to implement your hint. I think you mean pretty much the same as in http://phpsec.org/projects/guide/4.html where the recommendation is, to regenerate the session id if the "is_authorized" in your example does not exist or the access level changes.
What about my idea to store a secure key in the session after login, which needs to be transferred from Flex to PHP every time? Would it make things more secure?
HTTPS is another story. Being exact, I'm not only developing a single App. Currently I try to build a basic framework consisting of the PHP part and the Flex part, which should be reusable for different future projects. If I see, that this "framework" (I don't like the term, don't know if it matches in this case) is useful, I'll make it public and develop it as a little open source project.
-
minorDemocritus
- Forum Commoner
- Posts: 96
- Joined: Thu Apr 01, 2010 7:28 pm
- Location: Chicagoland, IL, USA
Re: Secure Login for Flex/PHP Application
Well, that doesn't really help much... since you're transferring the password hash over the wire, it can be sniffed. Hashing and salting makes it harder to recover the actual password entered, but it won't really improve security, since an attacker that has the hash can just push that to the form, and he's authenticated. Hashing really only helps the security of your users if the database is compromised.
netdesk wrote:
Thanks for your comments so far!
@minorDemocritus: I'll store and transfer the passwords salted and sha1 encoded instead of md5.
Re: Secure Login for Flex/PHP Application
Ok, but how can one make the transfer of passwords secure independently of the server configuration? As developer of the "framework" I can only recommend the users which use the framework to use it over a HTTPS connection. But that's a challenge which every script faces if it uses authorization. For a login at least a password must be transferred from the client to the server, hashed or not.
Do I have any options which can be implemented in Flex/PHP?
Re: Secure Login for Flex/PHP Application
Some sort of challenge-response mechanism, meaning that the password does not actually need to be sent over HTTP.
There is a little bit of information in this thread on challenge-response, but as mentioned, it shouldn't be considered an alternative to HTTPS.
viewtopic.php?f=34&t=110430
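The reply above only names challenge-response. As an added example that is not from the thread or the linked topic, here is a minimal HMAC challenge-response login with both sides written in PHP so it runs stand-alone: the server issues a one-time random nonce, the client answers with an HMAC of that nonce keyed by a password-derived secret, and the server checks the answer and consumes the nonce. The function names, the in-memory `$verifiers` and `$pending` stores, the sample user and the secret derivation are all assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+. The stores below are
// in-memory arrays standing in for the session/database a real app would use.
declare(strict_types=1);

// ---- Server side -----------------------------------------------------------

// The server must keep a secret the client can reproduce from the password.
// This verifier is password-equivalent: whoever steals it can log in, which is
// one reason the thread says challenge-response is no substitute for HTTPS.
function make_verifier(string $username, string $password): string
{
    return hash('sha256', $username . ':' . $password);   // assumed derivation
}

// Issue a fresh random challenge and remember it with its creation time.
function issue_challenge(array &$pending, string $username): string
{
    $nonce = bin2hex(random_bytes(16));
    $pending[$username] = ['nonce' => $nonce, 'issued' => time()];
    return $nonce;
}

// Check the client's answer. The nonce is consumed whether or not the answer
// is right, so a captured response cannot be replayed.
function verify_response(array &$pending, array $verifiers, string $username, string $response, int $ttl = 60): bool
{
    if (!isset($pending[$username], $verifiers[$username])) {
        return false;
    }
    $entry = $pending[$username];
    unset($pending[$username]);                 // single use
    if (time() - $entry['issued'] > $ttl) {
        return false;                           // challenge too old
    }
    $expected = hash_hmac('sha256', $entry['nonce'], $verifiers[$username]);
    return hash_equals($expected, $response);   // constant-time comparison
}

// ---- Client side (what the Flex app would compute) -------------------------

function client_answer(string $username, string $password, string $nonce): string
{
    return hash_hmac('sha256', $nonce, make_verifier($username, $password));
}

// ---- Demonstration exchange ------------------------------------------------

$verifiers = ['alice' => make_verifier('alice', 'correct horse')];  // constructed user
$pending   = [];

// 1. Client asks to log in as alice; server sends a nonce.
$nonce = issue_challenge($pending, 'alice');
// 2. Client answers with HMAC(nonce, verifier); the password itself never leaves the client.
$answer = client_answer('alice', 'correct horse', $nonce);
// 3. Server accepts the first use of this answer.
$first = verify_response($pending, $verifiers, 'alice', $answer);
// 4. The same answer presented again is rejected: the nonce was consumed.
$replay = verify_response($pending, $verifiers, 'alice', $answer);
// 5. A wrong password produces a different HMAC for a new nonce.
$nonce2 = issue_challenge($pending, 'alice');
$wrong  = verify_response($pending, $verifiers, 'alice', client_answer('alice', 'wrong', $nonce2));

echo json_encode(['first' => $first, 'replay' => $replay, 'wrong' => $wrong]), PHP_EOL;
```

This keeps the password off the wire and defeats replay of a captured answer, but it protects only the login step: the session id and any per-session key issued afterwards still travel in the clear, and the server-side verifier must be stored in a form an attacker could use directly, unlike a properly salted and slow password hash. Those two limits are why the reply above still points at HTTPS.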
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Secure Login for Flex/PHP Application
Do you mean you hash the password with MD5 client-side and then send the hashed password to your web application? It would be much better to send the password as-is, via SSL/TLS, and then hash it on the server with a salt and a key before storing it in the database.
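As an added example that is not code from the thread or its posters, the server-side half of what kaisellgren describes (and what minorDemocritus's salting post is after): the password arrives unhashed over TLS, is mixed with a server-side key, and is hashed with a random per-user salt before storage. Instead of the fixed-salt `sha1()` from the earlier post it uses PHP's `password_hash()`/`password_verify()` (PHP 5.5+), which generate the salt and use a deliberately slow hash. The in-memory user store, the `PEPPER` placeholder, the function names and the POST field names are assumptions for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ and that the app is
// reached over HTTPS. PEPPER is a placeholder; load the real value from
// configuration outside the web root, never from the database.
declare(strict_types=1);

const PEPPER = 'replace-with-a-secret-from-config';   // placeholder, the "key" in kaisellgren's reply
const BCRYPT_COST = 12;

// Mix the password with the server-side key before hashing. The HMAC output is
// 64 hex characters, safely under bcrypt's 72-byte input limit.
function peppered(string $plain): string
{
    return hash_hmac('sha256', $plain, PEPPER);
}

// Hash a new password for storage. The result embeds algorithm, cost and a random salt.
function register_password(string $plain): string
{
    return password_hash(peppered($plain), PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
}

// Constructed sample store (username => hash); a real app reads this from MySQL.
function make_user_store(): array
{
    return ['alice' => register_password('correct horse battery staple')];
}

// Verify a login attempt. Unknown users are checked against a dummy hash so the
// response time does not reveal whether the username exists.
function verify_login(array $users, string $username, string $plain): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(peppered('dummy'), PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
    }
    $hash = $users[$username] ?? $dummy;
    $ok = password_verify(peppered($plain), $hash);
    return $ok && isset($users[$username]);
}

// Refuse to accept credentials over plain HTTP at all.
function request_is_tls(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function handle_login(array $server, array $post, array $users): array
{
    if (!request_is_tls($server)) {
        http_response_code(403);
        return ['ok' => false, 'error' => 'login requires HTTPS'];
    }
    $user = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');   // sent as-is under TLS, not pre-hashed by Flex
    if (!verify_login($users, $user, $pass)) {
        http_response_code(401);
        return ['ok' => false, 'error' => 'invalid credentials'];
    }
    // On success, transparently upgrade hashes created with older parameters.
    if (password_needs_rehash($users[$user], PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        $users[$user] = register_password($pass);   // a real app writes this back to the DB
    }
    return ['ok' => true, 'user' => $user];
}

header('Content-Type: application/json');
echo json_encode(handle_login($_SERVER, $_POST, make_user_store()));
```

Because the salt is random per user and the hash is slow, two users with the same password get different stored values and a leaked table cannot be attacked with a precomputed list, which addresses the "everyone knows the MD5 for 'password'" point from earlier in the thread. The pepper adds a secret that is not in the database, so a database-only compromise still does not yield crackable hashes.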