Suggestions required for rigid security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Suggestions required for rigid security

Post by raghavan20 »

I use md5() to encrypt passwords and store them in the db.
And for every page, I check whether a valid cookie exists to allow the user to browse that page.
And for the admin panel, I validate cookies and users against their privileges to allow them access to secure pages.

So far, I have never used the session object at all. I know that my site is not secure enough, so I am looking for suggestions on how to make my site more secure.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Suggestions required for rigid security

Post by Roja »

raghavan20 wrote: I use md5() to encrypt passwords and store them in the db.
Use feyd's sha256 library. It's extremely well written.
raghavan20 wrote: And for every page, I check whether a valid cookie exists to allow the user to browse that page.
Use sessions instead, and check the session each page. Cookies can be permanent, while sessions use a temporary cookie. Less time for hijacking.
raghavan20 wrote: So far, I have never used the session object at all. I know that my site is not secure enough, so I am looking for suggestions on how to make my site more secure.
Those are obvious "low-hanging fruit", but there may be more.

For example, do you have a form without javascript sending the user's password to the server? If so, you are sending passwords in cleartext. Use javascript to sha256 the password before sending.

How are you checking their credentials? Make sure the check can't be compromised by injection.

Plenty of other issues remain; it's just a matter of going through the sequence step by step.

Post by raghavan20 »

Regarding the form you are talking of:

I usually get the password from the user, md5() it, fetch the md5()'ed password from the db and compare both for equality.

When I get the password for the first time during member registration, I md5() it and store it in the db.

Do you mean that md5() is done at the server? Each time I call md5(), the form data is sent in plain text to the server and then md5'ed and compared at the server?

You said you can use sha256 to encrypt the password using javascript. Is it possible to access it from the client side?

Regarding the session:
Do you want to store the userid and session id at the start of the session in a separate table and compare the sessionid of each page against the entry in the db?

Regarding SQL injection:
I have not used anything so far, but I'm gonna use strip_tags instead of htmlentities because I lose text formatting when I use it with other fields in my blogging site (like getting the post description and retaining new lines and tabs). But now I have an idea: I can use them where I don't need text formatting, like first name and last name.

If you have got more ideas to tackle SQL injection, I would love to hear from you.

Thanks for your help

Post by Roja »

raghavan20 wrote: Do you mean that md5() is done at the server? Each time I ask to md5(), the form data is sent in plain text to server and then md5'ied and compared at server?
Right. So the password is sent in plain text. It would be more secure to use javascript to sha256 (hash) the password.
raghavan20 wrote:You said you can use sha256 to encrypt the password using javascript. Is it possible to access from the client side?
I'm not sure what you mean by "Access it from the client side". The javascript is run on the client side. It modifies the password before sending, and does not send the raw password - only the sha256'd password hash.
raghavan20 wrote: Regarding the session:
Do you want to store the userid and session id at the start of the session in a separate table and compare the sessionid of each page against the entry in the db?
You could do that.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Okay -- I'm a moron. :oops: How do I sha256 a password with js or md5?

Post by Roja »

neophyte wrote: Okay -- I'm a moron. :oops: How do I sha256 a password with js or md5?
Nah, you never know anything until you learn it the first time. :)

First, md5 and SHA-256 are hashing functions. They take an input, and produce a "unique" hash of it. So, the question would be "How do I hash a password with javascript?".

With md5 or sha1, it's somewhat simple: http://pajhome.org.uk/crypt/md5/index.html

Once you get the hang of it (that page does a good job of explaining the how-to), you can drop in the sha256 version as a replacement: http://anmar.eu.org/projects/jssha2/

All open source. If you have any problems, please let me know. I've implemented it a number of times, and it can be tricky until you get the hang of it.

Post by neophyte »

That's awesome. I'll have to take a long look at that. I'll post a little later if I have questions.

Thanks!

Post by raghavan20 »

hi Roja, I tried to use something like this but it did not work.

<script language="javascript">
var temp = 'raghavan';
alert (temp);
temp = sha256(temp);
alert(temp);
</script>

Do I have to include any header file?

Post by Roja »

raghavan20 wrote: hi Roja, I tried to use something like this but it did not work.

<script language="javascript">
var temp = 'raghavan';
alert (temp);
temp = sha256(temp);
alert(temp);
</script>

Do I have to include any header file?
I really hate to do this, because people saying RTM is a pet peeve of mine, but I honestly linked to the easiest page possible on how to do this.

Scroll down to "Quick Instructions", and you will see not only your question has been answered, but the syntax you are using is wrong - and also provided there. Seriously, read the link.

Post by neophyte »

Here's my implementation:

<script src="../includes/js/md5_lib.js" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
// Replace the password field's contents with their md5 hash before submit.
// Takes the field element itself so the assignment reaches the form;
// the length check keeps an already-hashed (32-char) value from being hashed twice.
function hash(field){
  if(field.value.length < 32){
    field.value=hex_md5(field.value);
  }
}
</script>
<form name="form1" onSubmit="hash(document.form1.password)" method="post" enctype="application/x-www-form-urlencoded" action="login.php">
  <table width="80%" border="0" align="left" cellpadding="5" cellspacing="2" class="borderfrm">
    <tr bgcolor="CDD4E6">
      <td width="79%" align="left">
        <label for="login" class="genmed"><span class="bold">User Name:</span></label>
        <br>
        <input type="text" name="login">
        <br>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left">
        <label for="password" class="genmed"><span class="bold">Password:</span></label>
        <br>
        <input type="password" name="password" onFocus="this.value=''">
        <span class="genmed"><a href="forgot_password.php">Forgot your password?</a></span>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left" bgcolor="CDD4E6">
        <input type="submit" name="Submit" value="Login">
      </td>
    </tr>
  </table>
</form>
Overall I like it. The only bad thing is that the password field changes right before it submits -- possibly creeping out users. Very cool and very simple to implement. Any security concerns with putting up a sign -- "Yo, MD5 hashing over here"?

Post by Roja »

neophyte wrote: Overall I like it. The only bad thing is that the password field changes right before it submits -- possibly creeping out users. Very cool and very simple to implement. Any security concerns with putting up a sign -- "Yo, MD5 hashing over here"?
You can get around that issue.

Make a hidden field (hashed_pass), and using javascript, put the md5 hash of the password field into the hashed_pass field. Then (in the same function), clear the password field, and submit.

The user sees their password field clear on submit, that's it. No creeping them out.

As to putting up a sign, security wise, no. But from a usability perspective, the user doesn't need to know.
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

store the hash in a hidden field then use that in your php code.

It would stop the password field from changing and 'freaking' people out.

Post by neophyte »

Sweet. With the hidden text field...

<script language="JavaScript" src="../includes/js/md5_lib.js" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
// Return the md5 hash of the typed password; a value that is already
// 32 characters long is assumed to be a hash and is passed through unchanged.
function hash(password){
  var new_password = password;
  if(password.length < 32){
    new_password=hex_md5(password);
  }
  return new_password;
}
</script>
<form name="form1" onSubmit="document.form1.password.value=hash(document.form1.user_password.value);document.form1.user_password.value='';" method="post" enctype="application/x-www-form-urlencoded" action="login.php">
  <table width="80%" border="0" align="left" cellpadding="5" cellspacing="2" class="borderfrm">
    <tr bgcolor="CDD4E6">
      <td width="79%" align="left">
        <label for="login" class="genmed"><span class="bold">User Name:</span></label>
        <br>
        <input type="text" name="login">
        <br>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left">
        <label for="password" class="genmed"><span class="bold">Password:</span></label>
        <br>
        <input type="password" name="user_password" onFocus="this.value=''">
        <input type="hidden" name="password">
        <span class="genmed"><a href="forgot_password.php">Forgot your password?</a></span>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left" bgcolor="CDD4E6">
        <input type="submit" name="Submit" value="Login">
      </td>
    </tr>
  </table>
</form>
That worked great!

Post by Roja »

neophyte wrote: That worked great!
A few general suggestions:

- Now that you have the hang of it, switch to sha256. Much more secure, and it's just a search/replace. :)

- The script language attribute is deprecated in xhtml (and only helps NS2+3 browsers), so use the new hotness (it's smaller too!):

<script type="text/javascript">
- You use labels, but you forgot id targets for them on the input tags.

Post by neophyte »

Roja wrote: - Now that you have the hang of it, switch to sha256. Much more secure, and it's just a search/replace. :)
Not sure how I convert stored db passwords that are already hashed to md5 to sha256. I've seen Feyd's class but I haven't looked at it closely enough to know how to implement it. I suppose for the future I could sha256(md5(password)) passwords. I'm going to take a closer look at his class. Any suggestions on switching would be great!

Roja wrote: - The script language attribute is deprecated in xhtml (and only helps NS2+3 browsers), so use the new hotness (it's smaller too!):

<script type="text/javascript">
- You use labels, but you forgot id targets for them on the input tags.


Thanks for the feedback and the info...