Secure Login / Register

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Secure Login / Register

Post by Chalks »

Who hasn't had to figure out creating a secure login before? When I first undertook the task, I found it quite daunting. So, I hope that I can help you at least get started down the right path with the following tutorial. Comments, criticisms, and additions are welcome. Just let me know. :)

Here's the tutorial I put together for everyone: Tutorial
Here's the source code: logreg_demo_src.zip
Here's the demo: Demo

I don't discuss much about _why_ you need to take steps. This old thread (which I decided not to bump) does go into that a little bit. So if you don't understand a step or two, check that out. I am going to quote one bit from it though: Before you get started, you should realize that these steps are sufficient for anything as sensitive up to (and maybe including) a webmail system. Anything involving monetary transactions MUST take further steps which go beyond the scope of this article.
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: Secure Login / Register

Post by JakeJ »

Thanks for the tutorial, I'll check it out!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure Login / Register

Post by Mordred »

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/chalks71/public_html/logreg_tut/demo/back/login.php on line 16

Warning: Cannot modify header information - headers already sent by (output started at /home/chalks71/public_html/logreg_tut/demo/back/login.php:16) in /home/chalks71/public_html/logreg_tut/demo/back/login.php on line 123
Also, session_regenerate_id() after login; some server configurations may allow session fixation attacks.
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: Secure Login / Register

Post by Chalks »

The offending line is:

$u = mysql_real_escape_string($_POST['user']);

How did you manage to get an array passed to that? The only thing I can think of is if you manually edited the form that was submitted, but if you're doing that... the form submission _should_ fail (though perhaps more gracefully).

Edit: also, best way to prevent session fixation would be to... change sid when users log in? Could easily do that by setting the sid to be some hash of the username + some random characters. Edit of edit: oh, I see what you mean. Yep, will definitely update the code to your suggestion. Thanks!

Edit edit: As usual, thanks for your feedback. :)
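A hardened version of the login input handling discussed in this post, added here as an example; it is not code from the tutorial or its demo zip. It assumes PHP 5.5 or later with mysqli, an open connection in $db, and a users table with id, username and pass_hash columns (placeholder names); prepared statements and password_verify() are swapped in for the tutorial's mysql_real_escape_string() approach.

```php
<?php
// Added example, not from the tutorial or its demo source. Assumes PHP >= 5.5,
// a mysqli connection in $db, and a `users` table (placeholder schema).
session_start();

// user[]=a turns $_POST['user'] into an array. Escaping an array raises the
// warning quoted above; that warning is output, which is why the later
// header() call fails with "headers already sent". Checking the type first
// rejects the request before anything is printed.
function read_string_field(array $src, $key, $max = 64)
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $v = trim($src[$key]);
    if ($v === '' || strlen($v) > $max) {
        return null;
    }
    return $v;
}

$user = read_string_field($_POST, 'user');
$pass = read_string_field($_POST, 'pass', 1024);

if ($user === null || $pass === null) {
    // Fail closed, before any output, so the redirect still works.
    header('Location: /login.php?err=input');
    exit;
}

// A prepared statement keeps the value out of the SQL text entirely,
// so there is no escaping step left to get wrong.
$stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE username = ?');
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($uid, $hash);
$found = $stmt->fetch();
$stmt->close();

if ($found && password_verify($pass, $hash)) {
    // Mordred's point: issue a fresh session id at login so an id planted
    // before authentication (session fixation) is never promoted.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    header('Location: /account.php');
    exit;
}

header('Location: /login.php?err=auth');
exit;
```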
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Secure Login / Register

Post by kaisellgren »

Chalks wrote:How did you manage to get an array passed to that?
GET /logreg_tut/demo/back/login.php HTTP/1.1
Host: jdw.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

pass=a&js_on=yes&user[]=a
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure Login / Register

Post by Mordred »

Nothing in the game called security says that bad guys can't "cheat" :)
ando
Forum Newbie
Posts: 1
Joined: Wed Jul 28, 2010 10:51 am

Re: Secure Login / Register

Post by ando »

Thanks for the tutorial =) It was exactly what I was looking for.
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

Re: Secure Login / Register

Post by shawngoldw »

kaisellgren wrote:
Chalks wrote:How did you manage to get an array passed to that?
GET /logreg_tut/demo/back/login.php HTTP/1.1
Host: jdw.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

pass=a&js_on=yes&user[]=a
How do you run this?
And it can only be done for a GET form, right? What kind of similar procedure can you do on a POST?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure Login / Register

Post by Mordred »

telnet/netcat to the server

The shown snippet is POST, not GET
For GET, modify the top line: GET /logreg_tut/demo/back/login.php?param=value HTTP/1.1
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

Re: Secure Login / Register

Post by shawngoldw »

Thanks.

P.S. I checked out your blog in your signature. Good stuff!
raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

Re: Secure Login / Register

Post by raccer »

In the tutorial you mentioned it's bad to keep track of user visitation, why? This question is for anyone!? (not just OP)

Edit: Thanks for taking the time to build the tutorial & post it here!
ColonelSandersLite
Forum Commoner
Posts: 35
Joined: Sun May 09, 2010 1:32 am

Re: Secure Login / Register

Post by ColonelSandersLite »

raccer wrote:In the tutorial you mentioned it's bad to keep track of user visitation, why? This question is for anyone!? (not just OP)

Edit: Thanks for taking the time to build the tutorial & post it here!
Unless you can point to where exactly he says that, I think you misread it:
It's not a bad idea to keep track of when the last time a user did anything either.


Mordred wrote:Nothing in the game called security says that bad guys can't "cheat" :)
As the old saying goes, if you ain't cheatin' you ain't tryin'.
raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

Re: Secure Login / Register

Post by raccer »

ColonelSandersLite wrote:Unless you can point to where exactly he says that, I think you misread it:
Yea, you got me! Reading too fast again.
raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

Re: Secure Login / Register

Post by raccer »

So was/is the vulnerability highlighted above due to not filtering input properly?