Secure Logins

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

When coding a login system, what are the security methods/requirements I should think of?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Feyd, it's going to be a FIFTH reference...

There are a few things - most you can search for on the forums. Others I would suggest reading up on Chris Shiflett who has a lot of very good things to teach you on session security.

One client side ideal (oft deemed a complicated thing to even think of) would be a Challenge/Response process. Yes, sounds complex. No, it's actually quite simple. I have a tutorial in progress on the topic - keep an eye out for it.

Server side there are other things.

1. Regenerate session IDs after any change in authentication or access privileges. For example once a user has logged in and been authenticated - change their session id. This will throw off any bad people who may have stolen that ID. See: http://shiflett.org/articles/security-corner-feb2004 on session fixation

2. Don't pass session ids by URI. It's functional - but wait till someone posts a link...with their session id for everyone to see ;)

3. The MOST important; filter/validate ALL user input, and escape all such output before sending an SQL query to the database.

4. Be aware of XSS - Cross Site Scripting. Never trust user input.

5. Store all passwords in hash format only on your database. If one is lost - send them a link to reset the password

There are a few others (probably more) but research the basics first. Some references I usually mention:

http://phpsec.org/projects/guide/
http://phpsec.org/library/

Library at phpsec lists many of Chris Shiflett's articles.
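
Points 1, 2 and 5 of the list above, shown together as an added example that is not part of the original post. It assumes PHP 7 or later (password_hash()/password_verify() are PHP's built-in password hashing functions); the $users array and attempt_login() are hypothetical names and the account is constructed sample data.

```php
<?php
// Added example, not code from the thread. $users and attempt_login() are hypothetical.

// Point 2: accept the session ID from the cookie only, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
session_start();

// Point 5: the user store holds a password hash, never the password itself.
// Constructed sample account standing in for a database row.
$users = [
    'alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];

function attempt_login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Point 1: the privilege level just changed, so issue a fresh session ID
    // and delete the old session. An ID fixed or captured before login no
    // longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    return true;
}

$idBeforeLogin = session_id();
$loggedIn      = attempt_login($users, 'alice', 'constructed-sample-password');
$idAfterLogin  = session_id();

var_dump($loggedIn);                          // did the correct password authenticate?
var_dump($idBeforeLogin !== $idAfterLogin);   // did the session ID change at login?
var_dump(attempt_login($users, 'alice', 'wrong-password'));
```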
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

Thanks, very useful. I mean, this is such an important subject that a lot of developers forget to implement into their code, which is such a shame.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Yup. Me being one of them. There's so much you have to worry about that you end up never fixing them for a while.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Yeah, most new and more developers know how to implement a login - but it's securing the process that really makes it safe. Without the basic security measures almost any login process is going to be easily corrupted, misused, or lead to more colourful problems.

One of the main problems is the lack of security guidance in the PHP Manual - everyone's first reference...;)
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

http://www.clanbase.com uses a session sent via the URL, very insecure.
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

D'oh - to see it we must register :P
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

Have there been any GOOD public classes for a truly secure login scheme? I have a VERY VERY simple login/auth class that I use for a small site to protect the admin backend, but as I was running out of time I didn't bother to secure it to the nth degree. I've been looking for a good login/auth class for a while, but every one I've seen is either way old (think register globals) or either way too complex or too basic [if isset($_GET['auth']) allowAccess();]
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

nickvd wrote: Have there been any GOOD public classes for a truly secure login scheme? I have a VERY VERY simple login/auth class that I use for a small site to protect the admin backend, but as I was running out of time I didn't bother to secure it to the nth degree. I've been looking for a good login/auth class for a while, but every one I've seen is either way old (think register globals) or either way too complex or too basic [if isset($_GET['auth']) allowAccess();]

Have you read Maugrim's recently posted tutorial? viewtopic.php?t=38810
foobar
Forum Regular
Posts: 613
Joined: Wed Sep 28, 2005 10:08 am

Post by foobar »

One thing you can do when inserting user input into an SQL query is the following:

Code:

$sql = sprintf("SELECT uid FROM users WHERE first_name = '%s' AND age = %d", $first_name, $age);
$rs = mysql_query($sql);
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

All you have to do now is escape the input prior to insertion in the SQL...then it might be secure. ;)

mysql_real_escape_string()
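
Why the sprintf() pattern needs more than %s, as an added example that is not part of the thread. It uses PDO bound parameters on an in-memory SQLite database rather than mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7; it assumes the pdo_sqlite extension is available, and the table rows and the find_sprintf()/find_prepared() names are constructed for the illustration.

```php
<?php
// Added example; table rows and function names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, first_name TEXT, age INTEGER)");
$db->exec("INSERT INTO users (first_name, age) VALUES ('Ann', 30), ('O''Brien', 52)");

// The pattern from the post above: %d forces $age to an integer, but %s
// copies $first_name into the SQL text verbatim, so a quote character in
// the value ends the string literal early.
function find_sprintf(PDO $db, string $first_name, $age): array
{
    $sql = sprintf("SELECT uid FROM users WHERE first_name = '%s' AND age = %d", $first_name, $age);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameters: the SQL text is fixed and the values travel separately,
// so nothing in $first_name can change the structure of the statement.
function find_prepared(PDO $db, string $first_name, $age): array
{
    $stmt = $db->prepare('SELECT uid FROM users WHERE first_name = :name AND age = :age');
    $stmt->bindValue(':name', $first_name, PDO::PARAM_STR);
    $stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: an ordinary name that happens to contain a single quote.
$name = "O'Brien";

try {
    print_r(find_sprintf($db, $name, 52));
} catch (PDOException $e) {
    echo "sprintf query rejected by the database: ", $e->getMessage(), "\n";
}

print_r(find_prepared($db, $name, 52));
```

The sprintf() call fails with a syntax error because the quote in the name terminates the string literal, while the bound-parameter call returns the matching uid.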
alvinphp
Forum Contributor
Posts: 380
Joined: Wed Sep 21, 2005 11:47 am

Post by alvinphp »

I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).

And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

alvinphp wrote: I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).

And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
Damn, that http_referer validation is a great test, thanks for the idea!
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Not really. HTTP_REFERER is unreliable and can be spoofed.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

pilau wrote:
alvinphp wrote: I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).

And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
Damn, that http_referer validation is a great test, thanks for the idea!
You should never rely on http_referer to exist, as it is an optional header.