Secure Logins
When coding a login system, what are the security methods/requirements I should think of?
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Feyd, it's going to be a FIFTH reference...
There are a few things - most you can search for on the forums. Others I would suggest reading up on Chris Shiflett who has a lot of very good things to teach you on session security.
One client side ideal (oft deemed a complicated thing to even think of) would be a Challenge/Response process. Yes, sounds complex. No, it's actually quite simple. I have a tutorial in progress on the topic - keep an eye out for it.
Server side there are other things.
1. Regenerate session IDs after any change in authentication or access privileges. For example, once a user has logged in and been authenticated, change their session id. This will throw off any bad people who may have stolen that ID. See: http://shiflett.org/articles/security-corner-feb2004 on session fixation
2. Don't pass session ids by URI. It's functional - but wait till someone posts a link...with their session id for everyone to see
3. The MOST important: filter/validate ALL user input, and escape all such output before sending an SQL query to the database.
4. Be aware of XSS - Cross Site Scripting. Never trust user input.
5. Store all passwords in hash format only on your database. If one is lost - send them a link to reset the password
There are a few others (probably more) but research the basics first. Some references I usually mention:
http://phpsec.org/projects/guide/
http://phpsec.org/library/
The library at phpsec lists many of Chris Shiflett's articles.
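The five server-side points above applied in one PHP login handler. This is an added example, not code from the thread, and it uses today's PHP APIs (PDO prepared statements and password_hash instead of manual escaping and md5). The $pdo connection, the users table and its column names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection in $pdo and
// a `users` table with columns id, username, password_hash (all assumptions).
declare(strict_types=1);

// Points 1 and 2: the session id travels only in a cookie, never in the URI,
// and ids the server did not issue are rejected.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function attempt_login(PDO $pdo, string $username, string $password): bool
{
    // Point 3: user input reaches the query only as a bound parameter.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Point 5: only a hash is stored, so verify against it. Hashing a dummy value
    // when the user is unknown keeps the response time similar either way.
    $hash = $row ? $row['password_hash'] : password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }

    // Point 1: authentication state changed, so discard the old session id.
    // An id captured before login (session fixation) is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Point 5, lost password: the hash cannot be reversed, so mail a one-time
// token instead and store only its hash together with an expiry.
function make_reset_token(): array
{
    $token = bin2hex(random_bytes(32));        // goes into the emailed link
    return ['token' => $token, 'stored_hash' => hash('sha256', $token)];
}

// Point 4: anything echoed back to the browser is escaped for HTML context.
function greet(string $username): string
{
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```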
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Yeah, most new and more experienced developers know how to implement a login, but it's securing the process that really makes it safe. Without the basic security measures almost any login process is going to be easily corrupted, misused, or lead to more colourful problems.
One of the main problems is the lack of security guidance in the PHP Manual - everyone's first reference...
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
http://www.clanbase.com uses a session sent via the URL, very insecure.
- nickvd
- DevNet Resident
- Posts: 1027
- Joined: Thu Mar 10, 2005 5:27 pm
- Location: Southern Ontario
Has there been any GOOD public class for a truly secure login scheme? I have a VERY VERY simple login/auth class that I use for a small site to protect the admin backend, but as I was running out of time I didn't bother to secure it to the nth degree. I've been looking for a good login/auth class for a while, but every one I've seen is either way old (think register globals) or either way too complex or too basic [if isset($_GET['auth']) allowAccess();]
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
nickvd wrote:Has there been any GOOD public class for a truly secure login scheme? I have a VERY VERY simple login/auth class that I use for a small site to protect the admin backend, but as I was running out of time I didn't bother to secure it to the nth degree. I've been looking for a good login/auth class for a while, but every one I've seen is either way old (think register globals) or either way too complex or too basic [if isset($_GET['auth']) allowAccess();]

Have you read Maugrim's recently posted tutorial? viewtopic.php?t=38810
One thing you can do when inserting user input into an SQL query is the following:
Code:
// %d forces $age to an integer, but %s passes $first_name through verbatim, so the string still has to be escaped
$first_name = mysql_real_escape_string($first_name);
$sql = sprintf("SELECT uid FROM users WHERE first_name = '%s' AND age = %d", $first_name, $age);
$rs = mysql_query($sql);
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).
And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked, so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
alvinphp wrote:I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).
And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked, so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).

Damn, that http_referer validation is a great test, thanks for the idea!
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
pilau wrote:Damn, that http_referer validation is a great test, thanks for the idea!
alvinphp wrote:I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).
And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked, so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).

You should never rely on http_referer to exist, as it is an optional header.