Secure Logins
Posted: Sat Sep 24, 2005 6:35 am
by pilau
When coding a login system, what are the security methods/requirements I should think of?
Posted: Sat Sep 24, 2005 8:05 am
by Maugrim_The_Reaper
Feyd, it's going to be a FIFTH reference...
There are a few things - most you can search for on the forums. Others I would suggest reading up on Chris Shiflett who has a lot of very good things to teach you on session security.
One client side ideal (oft deemed a complicated thing to even think of) would be a Challenge/Response process. Yes, sounds complex. No, it's actually quite simple. I have a tutorial in progress on the topic - keep an eye out for it.
Server side there are other things.
1. Regenerate session IDs after any change in authentication or access privileges. For example once a user has logged in and been authenticated - change their session id. This will throw off any bad people who may have stolen that ID. See:
http://shiflett.org/articles/security-corner-feb2004 on session fixation
2. Don't pass session ids by URI. It's functional - but wait till someone posts a link...with their session id for everyone to see
3. The MOST important; filter/validate ALL user input, and escape all such output before sending an SQL query to the database.
4. Be aware of XSS - Cross Site Scripting. Never trust user input.
5. Store all passwords in hash format only on your database. If one is lost - send them a link to reset the password
There are a few others (probably more) but research the basics first. Some references I usually mention:
http://phpsec.org/projects/guide/
http://phpsec.org/library/
Library at phpsec lists many of Chris Shiflett's articles.
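Points 1, 2 and 5 from the list above, as an added example that is not part of the original post. It assumes PHP 7 or later; the `$users` array and `login()` function are hypothetical stand-ins for a real user store.

```php
<?php
// Added illustration, not code from the thread. $users and login() are
// hypothetical; the account and password below are constructed sample data.

// Point 2: keep session IDs out of URLs. Cookies only, no URL rewriting.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse session IDs that the server did not issue itself.
ini_set('session.use_strict_mode', '1');

// Point 5: the store holds a salted hash, never the password.
$users = ['alice' => password_hash('sample-passphrase', PASSWORD_DEFAULT)];

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Point 1: authentication state changed, so replace the session ID and
    // delete the old session (true). An ID fixed or stolen before login
    // no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    return true;
}

session_start();
$before = session_id();
$ok     = login($users, 'alice', 'sample-passphrase');
$after  = session_id();

printf("login ok: %s, session ID changed: %s\n",
    var_export($ok, true), var_export($before !== $after, true));
printf("wrong password accepted: %s\n",
    var_export(login($users, 'alice', 'guess'), true));
```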
Posted: Sun Sep 25, 2005 9:06 am
by pilau
Thanks, very useful. I mean, this is such an important subject that a lot of developers forget to implement into their code, which is such a shame.
Posted: Sun Sep 25, 2005 1:58 pm
by Ambush Commander
Yup. Me being one of them. There's so much you have to worry about that you end up never fixing them for a while.
Posted: Tue Sep 27, 2005 4:35 pm
by Maugrim_The_Reaper
Yeah, most new and more developers know how to implement a login - but it's securing the process that really makes it safe. Without the basic security measures almost any login process is going to be easily corrupted, misused, or lead to more colourful problems.
One of the main problems is the lack of security guidance in the PHP Manual - everyone's first reference...

Posted: Tue Sep 27, 2005 4:38 pm
by jayshields
http://www.clanbase.com uses a session sent via the URL, very insecure.
Posted: Fri Sep 30, 2005 12:14 am
by pilau
Do'h - to see it we must register

Posted: Fri Sep 30, 2005 5:37 pm
by nickvd
Has there been any GOOD public classes for a truly secure login scheme? I have a VERY VERY simple login/auth class that I use for a small site to protect the admin backend, but as I was running out of time I didn't bother to secure it to the n'th degree. I've been looking for a good login/auth class for a while, but every one I've seen is either way old (think register globals) or either way too complex or too basic [if isset($_GET['auth']) allowAccess();]
Posted: Fri Sep 30, 2005 5:42 pm
by feyd
nickvd wrote: Has there been any GOOD public classes for a truly secure login scheme? I have a VERY VERY simple login/auth class that I use for a small site to protect the admin backend, but as I was running out of time I didn't bother to secure it to the n'th degree. I've been looking for a good login/auth class for a while, but every one I've seen is either way old (think register globals) or either way too complex or too basic [if isset($_GET['auth']) allowAccess();]
have you read Maugrim's recently posted tutorial?
viewtopic.php?t=38810
Posted: Sat Oct 01, 2005 7:31 am
by foobar
One thing you can do when inserting user input into an SQL query is the following:
$sql = sprintf("SELECT uid FROM users WHERE first_name = '%s' AND age = %d", $first_name, $age);
$rs = mysql_query($sql);
Posted: Sat Oct 01, 2005 7:58 am
by Maugrim_The_Reaper
All you have to do now is escape the input prior to insertion in the SQL...then it might be secure.
mysql_real_escape_string()
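The query from the post above with the escaping step applied, next to a prepared statement, as an added example that is not part of the thread. It assumes PHP with the pdo_sqlite extension and uses PDO with an in-memory SQLite table (constructed rows) in place of the thread's mysql_* functions, which were removed in PHP 7; `PDO::quote()` plays the role of `mysql_real_escape_string()` here.

```php
<?php
// Added illustration, not code from the thread. Table, rows and inputs
// are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, first_name TEXT, age INTEGER)");
$db->exec("INSERT INTO users (first_name, age) VALUES ('Conan', 30), ('O''Brien', 41)");

$first_name = "O'Brien";  // ordinary input that happens to contain a quote
$age        = "41";

// 1) The query as posted. %d forces $age to an integer, but %s copies
//    $first_name verbatim, so its quote ends the SQL string literal early.
$sql = sprintf("SELECT uid FROM users WHERE first_name = '%s' AND age = %d",
    $first_name, $age);
try {
    $db->query($sql);
    $asPosted = 'query ran';
} catch (PDOException $e) {
    $asPosted = 'query rejected: ' . $e->getMessage();
}

// 2) The fix suggested in the reply: escape before insertion. PDO::quote()
//    escapes the value and adds the surrounding quotes itself.
$sql = sprintf("SELECT uid FROM users WHERE first_name = %s AND age = %d",
    $db->quote($first_name), $age);
$escaped = $db->query($sql)->fetchColumn();

// 3) Prepared statement: the SQL text is fixed and the values travel
//    separately, so no escaping step can be forgotten.
$stmt = $db->prepare("SELECT uid FROM users WHERE first_name = ? AND age = ?");
$stmt->execute([$first_name, (int) $age]);
$prepared = $stmt->fetchColumn();

printf("as posted: %s\n", $asPosted);
printf("escaped:   uid %s\n", var_export($escaped, true));
printf("prepared:  uid %s\n", var_export($prepared, true));
```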
Posted: Sat Oct 01, 2005 9:19 am
by alvinphp
I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).
And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
Posted: Sat Oct 01, 2005 1:00 pm
by pilau
alvinphp wrote: I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).
And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
Damn, that http_referer validation is a great test, thanks for the idea!
Posted: Sat Oct 01, 2005 1:03 pm
by Ambush Commander
Not really. HTTP_REFERER is unreliable and can be spoofed.
Posted: Sat Oct 01, 2005 1:03 pm
by John Cartwright
pilau wrote: alvinphp wrote: I would also validate the http_referer to make sure the login is coming from your login page. (not sure if this was said yet).
And as long as your site is on the world wide web there will always be a certain level of security risk, so you need to plan that one day you might get hacked so keep a current backup nearby and make sure passwords in your database are always stored in md5 (or something similar).
Damn, that http_referer validation is a great test, thanks for the idea!
You should never rely on http_referer to exist, as it is an optional header.