How secure is my user authentication concept

Tehquickness
Forum Commoner
Posts: 32
Joined: Mon Oct 24, 2005 11:31 pm

Post by Tehquickness »

I have been reading a lot into $_SESSION variables and their uses. I have used them in the admin section of the website I am working on for a sorority, but now that I am almost done, I want to know that I have given them a secure website that will not be easily broken into and vandalized. My basic strategy has been that when someone logs into the admin section, I issue them a session ID. This ID is stored as a session variable along with their username and also stored in the database next to their username. Whenever they access a new page in the admin section, the webpage will check the session variables of username and SID against those stored in the database. This is pretty much the extent of my security. Is this a pretty secure concept?
As far as improvements go, I have thought about including their IP and checking that every time. I have thought about making a timeout where if they don't access a new page within XX amount of time then they will have to log in again. All suggestions are welcome.
Thanks in advance,
Tehquickness
themurph
Forum Commoner
Posts: 76
Joined: Wed Apr 19, 2006 1:56 pm

Post by themurph »

I'm sure there are other and better ways to do this, but I usually use a
variation of the following basic authentication code:

The login page script:

Code:

<?php
session_start();
header("Cache-control: private"); // IE 6 Fix

// DB LINK CODE
// Assumption: db.php opens the connection and exposes it as $db (a mysqli object)
include "db.php";

$bad = 0;  // used for bad login prompting
// FORM SUBMITTED?
if (isset($_POST['username']) && isset($_POST['password']))
  {
     $user = $_POST['username'];
     $pass = $_POST['password'];
     // Bind the submitted values as parameters so they cannot change the query (SQL injection)
     // The password column is still compared as stored, as in the original query
     $stmt = $db->prepare("SELECT fullname FROM users WHERE username=? AND password=?");
     $stmt->bind_param("ss", $user, $pass);
     $stmt->execute();
     $stmt->store_result();
     $numrows = $stmt->num_rows;
     if($numrows != 1) { $bad++; }
     else
       {
          $stmt->bind_result($name);
          $stmt->fetch();

          // Issue a fresh session ID on login, then register the session variables
          session_regenerate_id(true);
          $_SESSION['user'] = $user;
          $_SESSION['name'] = $name;
       }
  }

//PUT LOGIN FORM BELOW
?>

The logout page script:

Code:

<?php
session_start();
header("Cache-control: private"); // IE 6 Fix

// Clear the session data, destroy the session, then redirect
$_SESSION = array();
session_destroy();
header('Location: somewhere.php');
exit;
?>

Then, for any page with content that you want to protect (or customize), simply
include an "auth.php" at the top of the script.

The authentication script: (auth.php)

Code:

<?php
session_start();
header("Cache-control: private"); // IE 6 Fix

// session_is_registered() was removed in PHP 5.4; test the session array directly
if (isset($_SESSION['user']))
  {
     $user = $_SESSION['user'];
     $name = $_SESSION['name'];
  }
else
  {
     // Not logged in: drop the session and send the visitor away
     $_SESSION = array();
     session_destroy();
     header('Location: unauthorized.php');
     exit;
  }
?>
programmermatt
Forum Commoner
Posts: 65
Joined: Tue Mar 15, 2005 5:03 pm

Post by programmermatt »

The basics will work, but they won't do much to keep someone who really wants to get in from getting in. Personally I think that IP and timeout functionality are a must for any authentication design (though it is a nice touch to add a 'remember me' option that they can use when they are on a computer they would deem secure). You can take it further with a challenge-response mechanism, SSL and many other things, but even after you implement those you still have your biggest problem: your users. You can't trust them to be safe, to log out when they are done on a public computer, to not share their password, to have an alpha-numeric+special character 12 letter password, etc.
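
The timeout and IP check discussed in the posts above, combined into one guard for protected pages. This is an added example, not code from any poster in the thread; the function names, session keys, `IDLE_LIMIT`, `login.php` and the HTTPS-only cookie setting are assumptions.

```php
<?php
// Added example, not from the thread. Hypothetical names: IDLE_LIMIT,
// start_admin_session(), login_session(), check_session(), login.php.
const IDLE_LIMIT = 900; // seconds of inactivity before a new login is required

function start_admin_session(): void
{
    // Cookie is hidden from JavaScript and only sent over HTTPS (assumes an HTTPS site)
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
}

// Call once, right after the username/password check has succeeded.
function login_session(string $username, string $ip, int $now): void
{
    session_regenerate_id(true);   // new ID at login, so a pre-set ID is useless
    $_SESSION['user'] = $username;
    $_SESSION['ip'] = $ip;
    $_SESSION['last_seen'] = $now;
}

// Returns true while the session is valid and refreshes the idle timer.
function check_session(string $ip, int $now): bool
{
    if (!isset($_SESSION['user'], $_SESSION['ip'], $_SESSION['last_seen'])) {
        return false;              // never logged in
    }
    $expired = ($now - $_SESSION['last_seen']) > IDLE_LIMIT;
    $moved = !hash_equals($_SESSION['ip'], $ip);
    if ($expired || $moved) {
        $_SESSION = [];            // drop the data, then the session itself
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now; // activity resets the idle window
    return true;
}

// Top of every protected page:
start_admin_session();
if (!check_session($_SERVER['REMOTE_ADDR'] ?? '', time())) {
    header('Location: login.php');
    exit;
}
```

Binding to the client address also ends the session for legitimate users whose address changes mid-session, for example on mobile networks.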
R4000
Forum Contributor
Posts: 168
Joined: Wed Mar 08, 2006 12:50 pm
Location: Cambridge, United Kingdom

Post by R4000 »

I normally use something along the lines of:

Code:

<?php
// THIS CODE MAY NOT WORK, IT IS NOT TESTED AND IS MAINLY A CONCEPT \\
session_start();
function isLoggedIn($un){
   if(!isset($_SESSION['uniq_id'])){
      return false;
   }
   // Undo the base64 encoding from setSession(), then split into
   // md5(username) | timestamp | md5(remote address)
   $uid = explode("|", base64_decode($_SESSION['uniq_id']));
     if(count($uid) == 3 && md5($un) === $uid[0] && time() <= $uid[1] + 3600 && md5($_SERVER['REMOTE_ADDR']) === $uid[2]){
        return true;
     }
     return false;
}
function setSession($username) {
     $_SESSION['uniq_id'] = base64_encode(md5($username) . "|" . time() . "|" . md5($_SERVER['REMOTE_ADDR']));
}
if(!isLoggedIn("demo")){
     setSession("demo");
     echo "You wasn't logged in, but now are.";
} else {
     echo "You are logged in...";
}
Tehquickness
Forum Commoner
Posts: 32
Joined: Mon Oct 24, 2005 11:31 pm

Post by Tehquickness »

I understand themurph's code except for the $bad variable, what is that for? I assume it is some kind of variable to detect too many failed attempts. Now I am a little less clear about R4000's coding. First off, what does $un represent? Username maybe? Second, why do you explode $uid? I am guessing that maybe in the login script you join together USERNAME | TIMESTAMP | REMOTE_ADDRESS into one string which is stored as $_SESSION['uniq_id']? And then the bottom function is the actual session creation. In the second function what is the if statement for?
Thanks for the help.