Security question.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Tommy1402
Forum Newbie
Posts: 23
Joined: Tue Oct 03, 2006 4:33 am
Location: bandung

Post by Tommy1402 »

Hi, I am developing a website and am currently trying to apply a security system.

I use a database to store: user, pass, session, and IP. On success, I store the user ID in $_SESSION[uid].
I also use a token to make sure that all requests come from my web forms.
In the login page, I use JavaScript to hash (md5) the password (with salting added).

So, every time a user requests a page, I check for: user id, session, IP and token.

My question is: Are those enough to make my site secure?
If not, please suggest what should be done.
Thanks a lot for any help.
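A PHP sketch of the per-request checks the post describes (a user id in the session, the session bound to the client IP, and a per-form token), added here as an example and not the poster's own code. It assumes PHP 7.1+ for random_bytes(), hash_equals() and nullable type hints, and the default file-backed sessions; the form field name "token" and the session keys are assumed to match the poster's scheme.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+ (random_bytes(),
// hash_equals(), nullable type hints) and the default file-backed sessions.
// It sketches the per-request checks the post describes: a logged-in user id
// in the session, the session bound to the client IP, and a per-form token.

session_start();

// Issue one token per session. random_bytes() is a CSPRNG, so the token is
// not guessable; it is kept in the session so the server can compare later.
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Compare in constant time so the check does not leak how much of the
// submitted token matched.
function form_token_is_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

// The check run on every page: a user id must be in the session and the
// request must come from the IP recorded at login.
function request_is_authenticated(): bool
{
    if (empty($_SESSION['uid']) || !isset($_SESSION['ip'])) {
        return false;
    }
    return $_SESSION['ip'] === ($_SERVER['REMOTE_ADDR'] ?? '');
}

// Protected POST handler: reject unless both the session and the token check out.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!request_is_authenticated() || !form_token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected');
    }
    // ... handle the form submission here ...
}

// Render the form with the token embedded; escape it like any other output.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<input type="submit" value="Send">'
   . '</form>';
```

Two caveats apply to this design. Binding the session to REMOTE_ADDR locks out users whose address changes mid-session (mobile networks, some proxy pools) and adds nothing against someone who shares the user's egress address, so the stronger control is to call session_regenerate_id(true) at login so a session id obtained before authentication is worthless. And none of these checks protects the credential on the wire: without SSL, whatever the browser sends in the password field, hashed or not, is exactly what an observer on the network sees.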
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you want to go paranoid, SSL is the next step.

Post by Tommy1402 »

feyd wrote: If you want to go paranoid, SSL is the next step.
Since I don't want to use SSL, it's pretty secure.

Post by feyd »

It sounds okay.

What happens if Javascript is disabled?

Post by Tommy1402 »

feyd wrote: It sounds okay.

What happens if Javascript is disabled?
If JS is off, the password will never be hashed. Then the user will never be able to log in.
I just want that the user's password doesn't wander all around the network unencrypted.

Post by feyd »

Are you sure you want to make the site inaccessible to users who do not have Javascript enabled/supported?

Post by Tommy1402 »

feyd wrote: Are you sure you want to make the site inaccessible to users who do not have Javascript enabled/supported?
Are there any other ways besides using SSL?

If not, then I'll stick with it.

Post by feyd »

Let them log in without the protection.

It's not keeping your server more safe, but your users' data safer.

Post by Tommy1402 »

feyd wrote: Let them log in without the protection.

It's not keeping your server more safe, but your users' data safer.
I think you're right. Well, I think I have to make a script to check whether the user's JS is enabled or not. If not, then I hash the password on the server...
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Why not just hash the password regardless?

Post by Tommy1402 »

The Ninja Space Goat wrote: Why not just hash the password regardless?
I've read on some site that suggests encrypting the user's pwd so that the data roaming the net is not in plain text.

Post by Luke »

Tommy1402 wrote: I've read on some site that suggests encrypting the user's pwd so that the data roaming the net is not in plain text.
Well, in response to that, sometimes you have to make a trade-off. What is more important to you, security or usability/accessibility? Do you want users with javascript disabled to be able to use your site?

What I was asking is why you don't just hash ALL passwords before storing them in the database (or wherever you store them)?

Post by Tommy1402 »

The Ninja Space Goat wrote:
Tommy1402 wrote: I've read on some site that suggests encrypting the user's pwd so that the data roaming the net is not in plain text.
Well, in response to that, sometimes you have to make a trade-off. What is more important to you, security or usability/accessibility? Do you want users with javascript disabled to be able to use your site?

What I was asking is why you don't just hash ALL passwords before storing them in the database (or wherever you store them)?
In my database, all passwords are already hashed (along with salting). So, basically, when a registered user tries to log in, a JavaScript hashes the password's value, then sends it to the server to be checked. The server doesn't hash the value again.

The registering process is also the same. When a user tries to register, I hash the password using JavaScript, then store it directly into the database without any hashing.

One issue is when JavaScript is disabled. In that case, I decided to make a script to check whether the user's JS is disabled or not. If JS is off, then I hash the password on the server.

I hope it's clear. Or can you suggest something?
Thanks
Last edited by Tommy1402 on Thu Feb 22, 2007 2:14 am, edited 1 time in total.
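The alternative Luke's question points at, written out as an added example that is not code from this thread: the server always runs a slow, salted hash over whatever arrives in the password field, so registration and login behave the same whether or not the browser ran any JavaScript, and no "is JS enabled?" detection script is needed. It assumes PHP 7.1+ with the pdo_sqlite extension; the table layout, the user name and the sample password are constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the
// pdo_sqlite extension. The server always runs password_hash() over whatever
// arrives in the password field, so registration and login behave the same
// whether the browser pre-hashed the value with JavaScript or, with JS off,
// sent it as typed. No "is JS enabled?" detection script is needed.

// Registration: store a per-user-salted, slow hash of the received value.
function store_password_hash(PDO $db, string $username, string $received): void
{
    $hash = password_hash($received, PASSWORD_DEFAULT); // salt generated here
    $stmt = $db->prepare('INSERT INTO users (username, pass) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: verify the received value against the stored hash; returns the user
// id on success, null otherwise. password_verify() compares in constant time.
function verify_login(PDO $db, string $username, string $received): ?int
{
    $stmt = $db->prepare('SELECT id, pass FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($received, $row['pass'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed in-memory database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass TEXT)');

// Constructed sample data: one registration, then a good and a bad login.
store_password_hash($db, 'tommy', 'correct horse battery staple');

session_start();
$uid = verify_login($db, 'tommy', 'correct horse battery staple');
if ($uid !== null) {
    session_regenerate_id(true);        // fresh session id once authenticated
    $_SESSION['uid'] = $uid;
    $_SESSION['ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
}
$bad = verify_login($db, 'tommy', 'wrong password');

// What a leaked table would contain: the slow hash, never the value the
// browser sent, and a different hash on every registration because of the salt.
$row = $db->query('SELECT pass FROM users')->fetch(PDO::FETCH_ASSOC);
echo 'login ok: ', var_export($uid !== null, true), "\n";
echo 'bad login rejected: ', var_export($bad === null, true), "\n";
echo 'stored: ', $row['pass'], "\n";
```

The example leaves client-side hashing out on purpose. If the browser does pre-hash, the value it sends is the credential, so a database that stores that value directly contains everything needed to log in, which is the risk Luke's question addresses; hashing on the server in every case keeps the stored value distinct from the wire value. If the JavaScript hashing is kept anyway, registration and login must run in the same mode, so with JS off the server has to apply the same md5-plus-salt step before password_hash(), which is the detection script the post describes, and the cleaner option is to drop the JavaScript step and put SSL in front as feyd suggested.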

Post by feyd »

Tommy1402, I don't know if you've read it or not, but there's a tutorial by Maugrim_the_Reaper here which talks about this stuff in fair detail.

Post by Luke »

Tommy1402 wrote: I decided to make a script to check whether the user's JS is disabled or not. If JS is off, then I hash the password on the server.
OK, your wording confused me a little. I see what you're saying now. Feyd is right, Maugrim wrote a great article about just that. I read it in its entirety a while back. Great article.