Login Systems

gavshouse
Forum Newbie
Posts: 11
Joined: Thu Aug 21, 2008 6:42 am

Login Systems

Post by gavshouse »

Hi, I'm working on a login system for my site and want to talk about login systems.

My Understanding

Most logins use sessions, and when the session expires they have cookies containing your password (encrypted) and username. Right?

My Views

Placing a password in a cookie, even when encrypted, seems a bad idea: if I steal cookies from someone I can then log in, because the site checks for a session and then, if there is no session, it uses the cookie information to log me in. Right?

My Code

I was thinking about this while logging into my bank, and I had the idea of using part of the password, just like they do.

I then had the idea of an access key instead of using a password in a cookie: have another field in your MySQL table called "access_key" that contains a 32-character string, from which on login I can then select 4 characters and place those in a cookie.

This is an example of my code:


<?php
 
//This data is in a MYSQL
    $id = "1";
    $password = "098f6bcd4621d373cade4e832627b4f6";//md5 of "test"
    $username = "username";
    $access_key = "";
//End of MYSQL
 
//On Login this happens
    //insert this into MYSQL 
        $access_key = md5(rand(10000000, 90000000));
    //end of insert
    
    $start = rand(0, 28);
    $temp_key = substr($access_key,$start,4);//outputs the string from the $start value but only 4 characters
 
    setcookie("User", $username, time()+3600*24*7);
    setcookie("Access_Key", $temp_key, time()+3600*24*7);
    setcookie("Access_Key_Start", $start, time()+3600*24*7);
    setcookie("Remember", "Yes", time()+3600*24*7);
 
    session_start();
 
    $_SESSION['ID'] = $id;
    $_SESSION['User'] = $username;
//End of Login Stuff
 
//On index.php
 
session_start();
 
if($_SESSION['ID']):
    echo('Logged In');
endif;
 
if( (!$_SESSION['ID']) and ($_COOKIE['Remember'] == "Yes") ):
    /*
        OK now i query mysql for ID, User, Access_Key Where Username = $_COOKIE['username']
        $row['id'];
        $row['username']
        $row['access_key']
        
        THEN
    */
        $access_key = substr($row['access_key'],$_COOKIE['Access_Key_Start'],4);
        
        if(strcmp($access_key,$_COOKIE['Access_Key']) == "0")://compares the strings and outputs 0 if they are the same
            //insert this into MYSQL 
                $access_key = md5(rand(10000000, 90000000));
            //end of insert         
            
            $start = rand(0, 28);
            $temp_key = substr($access_key,$start,4);//outputs the string from the $start value but only 4 characters
 
            $_SESSION['ID'] = $id;
            $_SESSION['User'] = $username;
            setcookie("Access_Key", $temp_key, time()+3600*24*7);
            setcookie("Access_Key_Start", $start, time()+3600*24*7);
            
            echo('Re-Logged in');
        endif;  
endif;
 
?>

So now I have 4 cookies and 1 session.

If a hacker steals the cookies, they can log in as long as the real user's session hasn't expired and a new one created. If this has happened, the access key is different and worthless to the hacker.

So the main question is: do other sites do this? Looking through cookies, I've found some sites have cookies called pw, pass or even password with encrypted passwords in them. Also, is this the best way, or is there some other way sites do this?
lukewilkins
Forum Commoner
Posts: 55
Joined: Tue Aug 12, 2008 2:42 pm

Re: Login Systems

Post by lukewilkins »

You seem to be recreating what PHP sessions already do for you. All you need to do is:
1) On login, check the username and password (MD5, etc.) against what you have stored in your database.
2) If a match is found, start your session and store that session ID and the user's IP in the database. The session cookie is automatically set on the user's browser. There is no need to store any other cookies because the rest of the user's data can now be stored in the session variables.
3) On each page, have the session start and check the SESSION variables you decide to save (don't save the password ... there is no need) against your database and the SESSION ID stored there. Also check that that SESSION ID is still coming from the same IP address.
4) If yes, it is valid and you let them see the page.

Hope that helps, and let me know if you have further questions.

Luke
gavshouse
Forum Newbie
Posts: 11
Joined: Thu Aug 21, 2008 6:42 am

Re: Login Systems

Post by gavshouse »

lukewilkins wrote:
You seem to be recreating what PHP sessions already do for you. All you need to do is:
1) On login, check the username and password (MD5, etc.) against what you have stored in your database.
2) If a match is found, start your session and store that session ID and the user's IP in the database. The session cookie is automatically set on the user's browser. There is no need to store any other cookies because the rest of the user's data can now be stored in the session variables.
3) On each page, have the session start and check the SESSION variables you decide to save (don't save the password ... there is no need) against your database and the SESSION ID stored there. Also check that that SESSION ID is still coming from the same IP address.
4) If yes, it is valid and you let them see the page.

Hope that helps, and let me know if you have further questions.

Luke

1. What if the IP changes for the user? So I'm logged out.
2. The session ends when you close the browser. So I'm logged out.

I want to be able to stay logged in for 7 days.
lukewilkins
Forum Commoner
Posts: 55
Joined: Tue Aug 12, 2008 2:42 pm

Re: Login Systems

Post by lukewilkins »

Always check the manual or do a simple Google search ...
http://us.php.net/manual/en/function.se ... params.php

If the cookie is present and their session is not expired, BUT they have a different IP (because this can definitely change), just show a quick login with their username already filled in but no password to reactivate the session.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Login Systems

Post by Mordred »

This code is insecure in so many ways. And this is only the part that you've posted. The pseudocode parts could hide even more security problems.
- it generates random tokens with very little entropy (i.e. almost not random at all)
- the token check can be trivially bypassed by manipulating substr parameters
- unsalted MD5-s in the database (viewtopic.php?t=62782)

Also, your assumption that data in cookies is inherently insecure is wrong. There are cryptographic means to ensure that the cookie data has not been manipulated and/or to keep it secret from the user (or hijacker).

Keeping a password in a cookie is definitely wrong, as you've already noticed.

My advice: throw this out and stick to industry best practice. Experimenting is good only if you know what you're doing (and then again, when speaking of security, no single person can "know what he's doing").
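
As an added example (not code from any poster in this thread), here is one common shape for a 7-day "remember me" cookie that avoids the problems listed in the last post: a 256-bit token from PHP's CSPRNG, only its SHA-256 hash kept server-side, a fixed-format check with no client-supplied offsets, and rotation on every use. The `$store` array stands in for a database table, and the function names and row layout are assumptions made for this example.

```php
<?php
// Added example: split-token "remember me" cookie. $store stands in for a DB table.
declare(strict_types=1);

const REMEMBER_TTL = 7 * 24 * 3600; // 7 days, as asked for in the thread

function issueRememberToken(array &$store, int $userId, ?int $now = null): string
{
    $now = $now ?? time();
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // only the hash is stored server-side
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

function redeemRememberToken(array &$store, string $cookie, ?int $now = null): ?array
{
    $now = $now ?? time();
    // Strict fixed-length format: nothing in the cookie controls offsets or lengths.
    if (!preg_match('/\A([0-9a-f]{18}):([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    unset($store[$selector]);                // single use, whatever the outcome
    if ($row['expires'] < $now
        || !hash_equals($row['hash'], hash('sha256', $validator))) { // constant-time compare
        return null;
    }
    // Rotate: the old token is gone; the caller sends the new value as the cookie.
    return ['user_id' => $row['user_id'],
            'cookie'  => issueRememberToken($store, $row['user_id'], $now)];
}

// Constructed demo run: issue, redeem once, replay the old value, send a malformed value.
$store  = [];
$cookie = issueRememberToken($store, 1);
$first  = redeemRememberToken($store, $cookie);
var_dump($first['user_id'], $first['cookie'] !== $cookie);
var_dump(redeemRememberToken($store, $cookie));
var_dump(redeemRememberToken($store, 'abcd:0'));
```

In a real page the returned value goes into `setcookie()` with the `secure` and `httponly` options set, and the rows live in a database table keyed by the selector.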