Secure Login / Register

Posted: Mon May 10, 2010 8:38 pm
by Chalks
Who hasn't had to figure out creating a secure login before? When I first undertook the task, I found it quite daunting. So, I hope that I can help you at least get started down the right path with the following tutorial. Comments, criticisms, and additions are welcome. Just let me know. :)

Here's the tutorial I put together for everyone: Tutorial
Here's the source code: logreg_demo_src.zip
Here's the demo: Demo

I don't discuss much about _why_ you need to take steps. This old thread (which I decided not to bump) does go into that a little bit. So if you don't understand a step or two, check that out. I am going to quote one bit from it though: Before you get started, you should realize that these steps are sufficient for anything as sensitive up to (and maybe including) a webmail system. Anything involving monetary transactions MUST take further steps which go beyond the scope of this article.

Re: Secure Login / Register

Posted: Wed May 12, 2010 9:29 am
by JakeJ
Thanks for the tutorial, I'll check it out!

Re: Secure Login / Register

Posted: Wed May 19, 2010 12:17 pm
by Mordred
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/chalks71/public_html/logreg_tut/demo/back/login.php on line 16

Warning: Cannot modify header information - headers already sent by (output started at /home/chalks71/public_html/logreg_tut/demo/back/login.php:16) in /home/chalks71/public_html/logreg_tut/demo/back/login.php on line 123
Also, call session_regenerate_id() after login; some server configurations may allow session fixation attacks.

Re: Secure Login / Register

Posted: Wed May 19, 2010 2:17 pm
by Chalks
The offending line is:

Code:

$u = mysql_real_escape_string($_POST['user']);
How did you manage to get an array passed to that? The only thing I can think of is if you manually edited the form that was submitted, but if you're doing that... the form submission _should_ fail (though perhaps more gracefully).

Edit: also, best way to prevent session fixation would be to... change sid when users log in? Could easily do that by setting the sid to be some hash of the username + some random characters. Edit of edit: oh, I see what you mean. Yep, will definitely update the code to your suggestion. Thanks!

Edit edit: As usual, thanks for your feedback. :)
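
A hardened version of the offending line, together with the session id regeneration Mordred suggested, as an added example (PHP, written for this thread; not the tutorial's or the demo's own code). It assumes the tutorial's PHP 5 / mysql-extension setup with session_start() already called, and a hypothetical check_credentials() helper; the redirect paths are placeholders.

```php
<?php
// Added example, not the tutorial's own code. It addresses the two points
// raised in this thread: (a) $_POST['user'] may arrive as an array
// (user[]=a), so mysql_real_escape_string() warns and that output breaks
// the later header() call; (b) regenerate the session id on login so a
// session id fixated before login is not carried over.
// Assumes a PHP 5 / mysql extension setup as in the tutorial, an open
// connection, session_start() already called, and a hypothetical
// check_credentials($u, $p) that returns the user id or false.

// Original line from the thread (vulnerable to the array case):
//   $u = mysql_real_escape_string($_POST['user']);

// Hardened: only accept a plain, non-empty, bounded string.
function post_string($key, $max_len = 64)
{
    if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
        return null;   // missing, or an array such as user[]=a
    }
    $v = $_POST[$key];
    if ($v === '' || strlen($v) > $max_len) {
        return null;
    }
    return $v;
}

$login_page = '/logreg_tut/demo/login.html';   // placeholder path
$user = post_string('user');
$pass = post_string('pass', 256);

if ($user === null || $pass === null) {
    // Fail closed, and before any output, so header() still works.
    header('Location: ' . $login_page . '?err=1');
    exit;
}

$u = mysql_real_escape_string($user);   // $user is now guaranteed a string
$uid = check_credentials($u, $pass);    // hypothetical helper
if ($uid === false) {
    header('Location: ' . $login_page . '?err=1');
    exit;
}

// Mordred's point: a fresh id on login, old session data deleted.
session_regenerate_id(true);
$_SESSION['uid'] = $uid;
header('Location: /logreg_tut/demo/index.php');   // placeholder path
exit;
```

Rejecting the array before escaping also removes the "headers already sent" warning, since nothing is printed before the header() calls.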

Re: Secure Login / Register

Posted: Thu May 20, 2010 2:07 pm
by kaisellgren
Chalks wrote: How did you manage to get an array passed to that?
GET /logreg_tut/demo/back/login.php HTTP/1.1
Host: jdw.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

pass=a&js_on=yes&user[]=a

Re: Secure Login / Register

Posted: Fri May 21, 2010 3:12 am
by Mordred
Nothing in the game called security says that bad guys can't "cheat" :)

Re: Secure Login / Register

Posted: Wed Jul 28, 2010 11:03 am
by ando
Thanks for the tutorial =) It was exactly what I was looking for.

Re: Secure Login / Register

Posted: Wed Jul 28, 2010 12:27 pm
by shawngoldw
kaisellgren wrote:
Chalks wrote: How did you manage to get an array passed to that?
GET /logreg_tut/demo/back/login.php HTTP/1.1
Host: jdw.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

pass=a&js_on=yes&user[]=a
How do you run this?
And it can only be done for a GET form, right? What kind of similar procedure can you do on a POST?

Re: Secure Login / Register

Posted: Wed Jul 28, 2010 1:26 pm
by Mordred
telnet/netcat to the server.

The shown snippet is POST, not GET.
For GET, modify the top line: GET /logreg_tut/demo/back/login.php?param=value HTTP/1.1

Re: Secure Login / Register

Posted: Wed Jul 28, 2010 1:51 pm
by shawngoldw
Thanks.

P.S. I checked out your blog in your signature. Good stuff!

Re: Secure Login / Register

Posted: Tue Aug 03, 2010 11:28 am
by raccer
In the tutorial you mentioned it's bad to keep track of user visitation, why? This question is for anyone!? (not just OP)

Edit: Thanks for taking the time to build the tutorial & post it here!

Re: Secure Login / Register

Posted: Thu Aug 05, 2010 3:58 pm
by ColonelSandersLite
raccer wrote: In the tutorial you mentioned it's bad to keep track of user visitation, why? This question is for anyone!? (not just OP)

Edit: Thanks for taking the time to build the tutorial & post it here!
Unless you can point to where exactly he says that, I think you misread it:
It's not a bad idea to keep track of when the last time a user did anything either.

Mordred wrote: Nothing in the game called security says that bad guys can't "cheat" :)
As the old saying goes, if you ain't cheatin' you ain't tryin'.

Re: Secure Login / Register

Posted: Sat Aug 07, 2010 11:57 am
by raccer
ColonelSandersLite wrote: Unless you can point to where exactly he says that, I think you misread it:
Yea, you got me! Reading too fast again.

Re: Secure Login / Register

Posted: Sat Aug 07, 2010 12:03 pm
by raccer
So was/is the vulnerability highlighted above due to not filtering input properly?