
Suggestions required for rigid security

Posted: Sun Jun 26, 2005 8:24 am
by raghavan20
I use md5() to encrypt passwords and store them in the db.
And for every page, I check whether a valid cookie exists to allow the user to browse that page.
And for the admin panel, I validate cookies and users against their privileges to allow them access to secure pages.

So far, I have never used the session object at all. I know that my site is not secure enough, so I am looking for suggestions on how to make my site more secure.

Re: Suggestions required for rigid security

Posted: Sun Jun 26, 2005 9:07 am
by Roja
raghavan20 wrote: I use md5() to encrypt passwords and store them in the db.
Use feyd's sha256 library. It's extremely well written.
raghavan20 wrote: And for every page, I check whether a valid cookie exists to allow the user to browse that page.
Use sessions instead, and check the session each page. Cookies can be permanent, while sessions use a temporary cookie. Less time for hijacking.
raghavan20 wrote: So far, I have never used the session object at all. I know that my site is not secure enough, so I am looking for suggestions on how to make my site more secure.
Those are obvious "low-hanging fruit", but there may be more.

For example, do you have a form without javascript sending the user's password to the server? If so, you are sending passwords in cleartext. Use javascript to sha256 the password before sending.

How are you checking their credentials? Make sure the check can't be compromised by injection.

Plenty of other issues remain; it's just a matter of going through the sequence step by step.

Posted: Sun Jun 26, 2005 10:24 am
by raghavan20
Regarding the form you are talking of:

I usually get the password from the user and md5() it, and also get the md5()'ied password from the db, and compare both for equality.

When I get the password for the first time during member registration, I md5() it and store it in the db.

Do you mean that md5() is done at the server? Each time I ask to md5(), the form data is sent in plain text to the server and then md5'ied and compared at the server?

You said you can use sha256 to encrypt the password using javascript. Is it possible to access from the client side?

Regarding the session:
Do you want to store the userid and session id at the start of the session in a separate table and compare the sessionid of each page against the entry in the db?

Regarding SQL injection:
I have not used anything so far, but I'm gonna use strip_tags instead of htmlentities cos I lose text formatting when I use it with other fields in my blogging site (like getting the post description and retaining new lines and tabs). But now I have an idea: I can use them where I don't need text formatting, like first name and last name.

If you have got more ideas to tackle SQL injection, I would love to hear from you.

Thanks for your help

Posted: Sun Jun 26, 2005 11:13 am
by Roja
raghavan20 wrote: Do you mean that md5() is done at the server? Each time I ask to md5(), the form data is sent in plain text to the server and then md5'ied and compared at the server?
Right. So the password is sent in plain text. It would be more secure to use javascript to sha256 (hash) the password.
raghavan20 wrote: You said you can use sha256 to encrypt the password using javascript. Is it possible to access from the client side?
I'm not sure what you mean by "Access it from the client side". The javascript is run on the client side. It modifies the password before sending, and does not send the raw password - only the sha256'd password hash.
raghavan20 wrote: Regarding the session:
Do you want to store the userid and session id at the start of the session in a separate table and compare the sessionid of each page against the entry in the db?
You could do that.

Posted: Sun Jun 26, 2005 1:51 pm
by neophyte
Okay -- I'm a moron. :oops: How do I sha256 a password with js or md5?

Posted: Sun Jun 26, 2005 2:27 pm
by Roja
neophyte wrote: Okay -- I'm a moron. :oops: How do I sha256 a password with js or md5?
Nah, you never know anything until you learn it the first time. :)

First, md5 and SHA-256 are hashing functions. They take an input, and produce a "unique" hash of it. So, the question would be "How do I hash a password with javascript?".

With md5 or sha1, it's somewhat simple: http://pajhome.org.uk/crypt/md5/index.html

Once you get the hang of it (that page does a good job of explaining the how-to), you can drop in the sha256 version as a replacement: http://anmar.eu.org/projects/jssha2/

All open source. If you have any problems, please let me know. I've implemented it a number of times, and it can be tricky until you get the hang of it.

Posted: Sun Jun 26, 2005 2:47 pm
by neophyte
That's awesome. I'll have to take a long look at that. I'll post a little later if I have questions.

Thanks!

Posted: Sun Jun 26, 2005 4:34 pm
by raghavan20
Hi Roja, I tried to use something like this but it did not work.

<script language="javascript">
var temp = 'raghavan';
alert (temp);
temp = sha256(temp);
alert(temp);
</script>

Do I have to include any header file?

Posted: Sun Jun 26, 2005 7:24 pm
by Roja
raghavan20 wrote: Hi Roja, I tried to use something like this but it did not work.

<script language="javascript">
var temp = 'raghavan';
alert (temp);
temp = sha256(temp);
alert(temp);
</script>

Do I have to include any header file?
I really hate to do this, because people saying RTM is a pet peeve of mine, but I honestly linked to the easiest page possible on how to do this.

Scroll down to "Quick Instructions", and you will see not only your question has been answered, but the syntax you are using is wrong - and also provided there. Seriously, read the link.

Posted: Mon Jun 27, 2005 9:59 am
by neophyte
Here's my implementation:

<script src="../includes/js/md5_lib.js" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
// Replace the password field's value with its MD5 hex digest before the
// form is posted; a 32-character value is already a hash, so leave it alone.
function hash(field){
	if(field.value.length < 32){
		field.value = hex_md5(field.value);
	}
}
</script>
<form name="form1" onSubmit="javascript:hash(password)" method="post" enctype="application/x-www-form-urlencoded" action="login.php">
  <table width="80%" border="0" align="left" cellpadding="5" cellspacing="2" class="borderfrm">
    <tr bgcolor="CDD4E6">
      <td width="79%" align="left">
        <label for="login" class="genmed"><span class="bold">User Name:</span></label>
        <br>
        <input type="text" name="login">
        <br>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left">
        <label for="password" class="genmed"><span class="bold">Password:</span></label>
        <br>
        <input type="password" name="password" onFocus="javascript:password.value=''">
        <span class="genmed"><a href="forgot_password.php">Forgot your password?</a></span>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left" bgcolor="CDD4E6">
        <input type="submit" name="Submit" value="Login">
      </td>
    </tr>
  </table>
</form>
Overall I like it. The only bad thing is that the password field changes right before it submits -- possibly creeping out users. Very cool and very simple to implement. Any security concerns with putting up a sign -- "Yo, MD5 hashing over here"?

Posted: Mon Jun 27, 2005 10:42 am
by Roja
neophyte wrote: Overall I like it. The only bad thing is that the password field changes right before it submits -- possibly creeping out users. Very cool and very simple to implement. Any security concerns with putting up a sign -- "Yo, MD5 hashing over here"?
You can get around that issue.

Make a hidden field (hashed_pass), and using javascript, put the md5 hash of the password field into the hashed_pass field. Then (in the same function), clear the password field, and submit.

The user sees their password field clear on submit, that's it. No creeping them out.

As to putting up a sign, security wise, no. But from a usability perspective, the user doesn't need to know.

Posted: Mon Jun 27, 2005 10:43 am
by phpScott
store the hash in a hidden field then use that in your php code.

It would stop the password field from changing and 'freaking' people out.

Posted: Mon Jun 27, 2005 12:02 pm
by neophyte
Sweet. With the hidden text field...

<script language="JavaScript" src="../includes/js/md5_lib.js" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
// Return the MD5 hex digest of the typed password; a 32-character value is
// already a hash and is passed through unchanged.
function hash(password){
	var new_password = password;
	if(password.length < 32){
		new_password = hex_md5(password);
	}
	return new_password;
}
</script>
<form name="form1" onSubmit="javascript:password.value=hash(user_password.value);user_password.value='';" method="post" enctype="application/x-www-form-urlencoded" action="login.php">
  <table width="80%" border="0" align="left" cellpadding="5" cellspacing="2" class="borderfrm">
    <tr bgcolor="CDD4E6">
      <td width="79%" align="left">
        <label for="login" class="genmed"><span class="bold">User Name:</span></label>
        <br>
        <input type="text" name="login">
        <br>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left">
        <label for="password" class="genmed"><span class="bold">Password:</span></label>
        <br>
        <input type="password" name="user_password" onFocus="javascript:user_password.value=''">
        <input type="hidden" name="password">
        <span class="genmed"><a href="forgot_password.php">Forgot your password?</a></span>
      </td>
    </tr>
    <tr bgcolor="CDD4E6">
      <td align="left" bgcolor="CDD4E6">
        <input type="submit" name="Submit" value="Login">
      </td>
    </tr>
  </table>
</form>
That worked great!

Posted: Mon Jun 27, 2005 12:41 pm
by Roja
neophyte wrote: That worked great!
A few general suggestions:

- Now that you have the hang of it, switch to sha256. Much more secure, and it's just a search/replace. :)

- The script language attribute is deprecated in xhtml (and only helps NS2+3 browsers), so use the new hotness (it's smaller too!):

<script type="text/javascript">
- You use labels, but you forgot id targets for them on the input tags.

Posted: Mon Jun 27, 2005 1:17 pm
by neophyte
Roja wrote: - Now that you have the hang of it, switch to sha256. Much more secure, and it's just a search/replace. :)
Not sure how I convert stored db passwords that are already hashed with md5 to sha256. I've seen Feyd's class but I haven't looked at it closely enough to know how to implement it. I suppose for the future I could sha256(md5(password)) passwords. I'm going to take a closer look at his class. Any suggestions on switching would be great!

Roja wrote: - The script language attribute is deprecated in xhtml (and only helps NS2+3 browsers), so use the new hotness (it's smaller too!):

<script type="text/javascript">
- You use labels, but you forgot id targets for them on the input tags.


Thanks for the feedback and the info...