Logins Check list

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Logins Check list

Post by kippy »

I am curious to know if there is a check list that an individual (a newbie with some experience) can use to try and build a secure login/session/cookies script to protect his site. I have been reading post after post on here and I find that every post leaves me asking more questions and more concerns. I think I have a good idea of the checks and balances needed, but like I said before I come across a 2nd or 3rd post that leaves me wondering where to begin and what am I going to miss that is going to be a huge gaping hole in the wall inviting hackers to come right on in. If anyone knows where I can find a checklist to work off I would greatly appreciate it.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Logins Check list

Post by Christopher »

You might want to look at http://www.owasp.org/

Also, you might want to divide the discussion into Authentication (login) and Access Control (per page checks) as they involve different issues. Certainly creating a check list would be helpful. Perhaps some of our members, like Mordred, have or could contribute to a checklist.
pkbruker
Forum Commoner
Posts: 32
Joined: Sun Aug 03, 2008 9:36 am
Location: Oslo, Norway

Re: Logins Check list

Post by pkbruker »

"every post leaves me asking more questions and more concerns"
That's good! If it didn't, you would not have started to grasp the security problems of login/verification. You could probably work on your script inserting new security measures until the day you die, but here's a short list of things you should take into consideration for basic security:

1. Never Trust User Input
Assume all input from your login/registration forms is an attempt to hack your site. Use PHP to verify that the input is correct, e.g. check the length of a password, check that an e-mail field actually contains an e-mail address. DO NOT rely on client-side Javascript for checking form input, as this Javascript can easily be turned off.

2. SQL Injections
Never use data from an HTML form directly in a query. Evil users can enter SQL code in the form, thus screwing around with your database. To prevent this, check user input as described above, and look into the mysql_real_escape_string() function.

3. Prevention Against Bots
You don't want an evil-minded person's script to register millions of accounts in your system. This can rather easily be prevented using CAPTCHA images. I've used PHP Captcha Security, which is very easy to include in your site.

4. Session Security
Two things to keep in mind:

1. Sessions are stored (usually) in a temporary directory on the server. Anyone using the server can theoretically gain access to the contents of the session. So, never store any important information (e.g. passwords) in a session. If you're feeling very concerned with security, you can completely rewrite how PHP stores session data.

2. Session hijacking is when somebody else gains access to a session, and hence all pages related to the session. This is a complex subject in itself, but providing automated logout after an idle period is always a good rule of thumb. A bit more about session security here.

5. Be Paranoid
Always keep security in mind when writing PHP. Whatever you do, be on the look-out for possible security holes in your code. For instance: User A is logged in, and is accessing a database record with a certain ID. The URL can then look like this: index.php?record_id=1234. User A is smart, and changes the record number, hence gaining access to user B's records, which should not occur.

Security in PHP is a complex issue, and this should give you some ideas. Though there is always a new security measure to add, your pages will never be 100% secure.
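Points 2 and 5 of the list above in working PHP, as an added example (this is not code from the thread or from any of its posters): the string-built query that an injected quote can rewrite next to its prepared-statement fix, a server-side check on the record id (point 1), and the record_id lookup scoped to the logged-in user so that changing the number in the URL returns nothing. It uses an in-memory SQLite database through PDO so it runs stand-alone; the tables, the two users and the two records are constructed here for illustration.

```php
<?php
// Added example, not code from the thread: point 2 (SQL injection) and point 5 (the
// record_id URL) above, in working PHP. It uses an in-memory SQLite database through
// PDO so it runs stand-alone; the tables, users and records are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO records VALUES (1234, 1, 'alice: private note'), (1235, 2, 'bob: private note')");

// VULNERABLE: the form value is pasted into the SQL text, so a quote in it
// changes the query. This is the pattern point 2 warns about.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: a prepared statement sends the value as a bound parameter, never as SQL.
// (With the old mysql extension the equivalent is mysql_real_escape_string() on
// every value; prepared statements remove the chance of forgetting one.)
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Point 1: validate on the server. A record id must be a positive integer;
// anything else is rejected before it reaches a query.
function parseRecordId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// VULNERABLE to the point 5 scenario: a valid id is enough to read anyone's record.
function loadRecordUnsafe(PDO $db, int $recordId): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, body FROM records WHERE id = ?');
    $stmt->execute([$recordId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: the query is scoped to the logged-in user, whose id comes from the
// server-side session, not from the URL. A record the user does not own simply
// does not exist as far as this code is concerned.
function loadRecordSafe(PDO $db, int $currentUserId, int $recordId): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, body FROM records WHERE id = ? AND owner_id = ?');
    $stmt->execute([$recordId, $currentUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- demonstration with constructed input (what $_POST / $_GET would carry) ---
$payload = "x' OR '1'='1";
var_dump(findUserUnsafe($db, $payload));   // alice's row: the injection succeeded
var_dump(findUserSafe($db, $payload));     // NULL: no user is literally named that

var_dump(parseRecordId('1235abc'));        // NULL: rejected before any query
$currentUserId = 1;                        // alice, e.g. $_SESSION['user_id'] set at login
$recordId = parseRecordId('1235');         // alice tampered with ?record_id=1234 -> 1235
if ($recordId !== null) {
    var_dump(loadRecordUnsafe($db, $recordId));                   // bob's record leaks
    var_dump(loadRecordSafe($db, $currentUserId, $recordId));     // NULL
}
```

The design point in the second half is that ownership is part of the query, not a check bolted on after the row is fetched, so a page that forgets the check has nothing to forget. For point 4 (session hijacking) the matching one-liner is session_regenerate_id(true) right after a successful login, which throws away any session id an attacker may have planted before the user authenticated.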
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Logins Check list

Post by alex.barylski »

Checklist? I never bothered personally but...

1. Use SSL or a poor man's version
2. Use CAPTCHA to prevent brute force attempts (if #6 is not sufficient)
3. Use sha256 not MD5 for password hashing
4. Do not store the password in cookies for automatic login -- especially if your application is susceptible to XSS exploits
5. Enforce random chaotic passwords with upper/lower/funny characters
6. Implement a failed login attempt system where more than 3 attempts locks the account for X number of hours and notifies admin
7. Log everything!!!

Obviously SQLi prevention using the proper escaping, filtering and validation techniques is important but that is more general than specific to logging into a system.

Once you are logged into a system...a new checklist is needed to ensure system integrity.
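Points 3, 4, 6 and 7 of the list above as an added example (not code from the thread or its posters): a login routine that hashes the stored password, counts consecutive failures, locks the account for a period after the third one and writes an audit line for every outcome, plus a "remember me" cookie that carries a random token instead of the password. A plain array stands in for the users table and the timestamps and inputs are constructed. One deliberate choice beyond the post: the hashing goes through password_hash()/password_verify(), which salt the password and use a slow algorithm (bcrypt by default), rather than a bare sha256() call.

```php
<?php
// Added example, not code from the thread: points 3, 4, 6 and 7 of the list above in
// working PHP. A plain array stands in for the users table and $log collects the
// audit lines; both are constructed here so the script runs stand-alone. The hashing
// uses password_hash()/password_verify() (salted bcrypt by default), which is the
// choice this example makes rather than a bare sha256() over the password.
declare(strict_types=1);

const MAX_FAILURES = 3;          // lock on the third consecutive failure
const LOCK_SECONDS = 3600;       // "X number of hours": one hour here
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

$users = [
    'alice' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
                'failures' => 0, 'locked_until' => 0, 'remember_hash' => null],
];
$log = [];

function attemptLogin(array &$users, array &$log, string $user, string $pass, int $now): string
{
    if (!isset($users[$user])) {
        password_verify($pass, DUMMY_HASH);   // spend the same time as a real check
        $log[] = "$now login-failed user=$user reason=unknown-user";
        return 'invalid';                      // same answer as a wrong password
    }
    $u = &$users[$user];
    if ($u['locked_until'] > $now) {
        $log[] = "$now login-rejected user=$user reason=locked until={$u['locked_until']}";
        return 'locked';
    }
    if (!password_verify($pass, $u['hash'])) {
        $u['failures']++;
        $log[] = "$now login-failed user=$user failures={$u['failures']}";
        if ($u['failures'] >= MAX_FAILURES) {
            $u['locked_until'] = $now + LOCK_SECONDS;
            $u['failures'] = 0;
            $log[] = "$now account-locked user=$user until={$u['locked_until']} notify=admin";
            return 'locked';
        }
        return 'invalid';
    }
    $u['failures'] = 0;
    if (password_needs_rehash($u['hash'], PASSWORD_DEFAULT)) {   // cost or algorithm moved on
        $u['hash'] = password_hash($pass, PASSWORD_DEFAULT);
    }
    $log[] = "$now login-ok user=$user";
    return 'ok';
}

// Point 4: the "remember me" cookie carries a random token, never the password.
// Only a hash of the token is stored, so a leaked users table does not mint cookies.
function issueRememberToken(array &$users, string $user): string
{
    $token = bin2hex(random_bytes(32));
    $users[$user]['remember_hash'] = hash('sha256', $token);
    // In a web request: setcookie('remember', $token, ['expires' => time() + 30 * 86400,
    //     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    // httponly keeps the cookie away from script injected by XSS; secure keeps it on TLS (point 1).
    return $token;
}

function userFromRememberToken(array $users, string $token): ?string
{
    $candidate = hash('sha256', $token);
    foreach ($users as $name => $u) {
        if ($u['remember_hash'] !== null && hash_equals($u['remember_hash'], $candidate)) {
            return $name;
        }
    }
    return null;
}

// --- demonstration with constructed input ---
$now = 1700000000;
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse battery'] as $pw) {
    echo attemptLogin($users, $log, 'alice', $pw, $now), "\n";   // invalid invalid locked locked
}
echo attemptLogin($users, $log, 'mallory', 'anything', $now), "\n";                               // invalid
echo attemptLogin($users, $log, 'alice', 'correct horse battery', $now + LOCK_SECONDS + 1), "\n"; // ok
$token = issueRememberToken($users, 'alice');
var_dump(userFromRememberToken($users, $token));       // string(5) "alice"
var_dump(userFromRememberToken($users, 'forged'));     // NULL
print_r($log);
```

Two details worth keeping when adapting this: the unknown-user path returns the same answer as a wrong password and still runs one hash verification, so neither the response nor its timing tells an attacker which usernames exist; and the lock is a timestamp rather than a flag, so it expires on its own and the admin notification in the log is the only manual step.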