
Login Systems

Posted: Sat Aug 23, 2008 4:55 pm
by gavshouse
Hi, I'm working on a login system for my site and want to talk about login systems.

My Understanding

Most logins use sessions, and when the session expires they have cookies containing your password (encrypted) and username. Right?

My Views

Placing a password in a cookie, even when encrypted, seems a bad idea: if I steal cookies from someone, I can then log in, because the site checks for a session, and if there is no session it uses the cookie information to log me in. Right?

My Code

I was thinking about this while logging into my bank, and I had the idea of using part of the password, just like they do.

I then had the idea of an access key instead of using a password in a cookie: have another field in your MySQL called "access_key" that contains a 32-character string, from which on login I can then select 4 characters and place those in a cookie.

This is an example of my code:


<?php
 
//This data is in a MYSQL
    $id = "1";
    $password = "098f6bcd4621d373cade4e832627b4f6";//md5 of "test"
    $username = "username";
    $access_key = "";
//End of MYSQL
 
//On Login this happens
    //insert this into MYSQL 
        $access_key = md5(rand(10000000, 90000000));
    //end of insert
    
    $start = rand(0, 28);
    $temp_key = substr($access_key,$start,4);//outputs the string from the $start value but only 4 characters
 
    setcookie("User", $username, time()+3600*24*7);
    setcookie("Access_Key", $temp_key, time()+3600*24*7);
    setcookie("Access_Key_Start", $start, time()+3600*24*7);
    setcookie("Remember", "Yes", time()+3600*24*7);
 
    session_start();
 
    $_SESSION['ID'] = $id;
    $_SESSION['User'] = $username;
//End of Login Stuff
 
//On index.php
 
session_start();
 
if($_SESSION['ID']):
    echo('Logged In');
endif;
 
if( (!$_SESSION['ID']) and ($_COOKIE['Remember'] == "Yes") ):
    /*
        OK now i query mysql for ID, User, Access_Key Where Username = $_COOKIE['User']
        $row['id'];
        $row['username']
        $row['access_key']
        
        THEN
    */
        $access_key = substr($row['access_key'],$_COOKIE['Access_Key_Start'],4);
        
        if(strcmp($access_key,$_COOKIE['Access_Key']) == "0")://compares the strings and outputs 0 if they are the same
            //insert this into MYSQL 
                $access_key = md5(rand(10000000, 90000000));
            //end of insert         
            
            $start = rand(0, 28);
            $temp_key = substr($access_key,$start,4);//outputs the string from the $start value but only 4 characters
 
            $_SESSION['ID'] = $id;
            $_SESSION['User'] = $username;
            setcookie("Access_Key", $temp_key, time()+3600*24*7);
            setcookie("Access_Key_Start", $start, time()+3600*24*7);
            
            echo('Re-Logged in');
        endif;  
endif;
 
?>
So now I have 4 cookies and 1 session.

If a hacker steals the cookies, they can log in as long as the real user's session hasn't expired and a new one been created; if this has happened, the access key is different and worthless to the hacker.

So the main question is: do other sites do this? Looking through cookies, I've found some sites have cookies called pw, pass or even password with encrypted passwords in them. Also, is this the best way, or is there some other way sites do this?

Re: Login Systems

Posted: Sat Aug 23, 2008 5:52 pm
by lukewilkins
You seem to be recreating what PHP sessions already do for you. All you need to do is:
1) On login, check the username and password (MD5, etc.) against what you have stored in your database.
2) If match is found, start your session and store that session ID and the user's IP in the database. The session cookie is automatically set on the user's browser. There is no need to store any other cookies because the rest of the user's data can now be stored in the session variables.
3) On each page, have the session start and check if the SESSION variables you decide to save (don't save the password ... there is no need) against your database and SESSION ID stored there. Also check that that SESSION ID is still coming from the same IP address.
4) If yes, it is valid and you let them see the page.

Hope that helps, and let me know if you have further questions.

Luke

Re: Login Systems

Posted: Sat Aug 23, 2008 6:43 pm
by gavshouse
lukewilkins wrote: You seem to be recreating what PHP sessions already do for you. All you need to do is:
1) On login, check the username and password (MD5, etc.) against what you have stored in your database.
2) If match is found, start your session and store that session ID and the user's IP in the database. The session cookie is automatically set on the user's browser. There is no need to store any other cookies because the rest of the user's data can now be stored in the session variables.
3) On each page, have the session start and check if the SESSION variables you decide to save (don't save the password ... there is no need) against your database and SESSION ID stored there. Also check that that SESSION ID is still coming from the same IP address.
4) If yes, it is valid and you let them see the page.

Hope that helps, and let me know if you have further questions.

Luke
1. What if the IP changes for the user? Then I'm logged out.
2. The session ends when you close the browser, so I'm logged out.

I want to be able to stay logged in for 7 days.

Re: Login Systems

Posted: Sat Aug 23, 2008 6:49 pm
by lukewilkins
Always check the manual or do a simple Google search ...
http://us.php.net/manual/en/function.se ... params.php

If the cookie is present and their session is not expired, BUT they have a different IP (because this can definitely change), just show a quick login with their username already filled in but no password to reactivate session.

Re: Login Systems

Posted: Mon Aug 25, 2008 3:48 am
by Mordred
This code is insecure in so many ways. And this is only the part that you've posted. The pseudocode parts could hide even more security problems.
- it generates random tokens with very little entropy (i.e. almost not random at all)
- the token check can be trivially bypassed by manipulating substr parameters
- unsalted MD5-s in the database (viewtopic.php?t=62782)

Also, your assumption that data in cookies is inherently insecure is wrong. There are cryptographic means to ensure that the cookie data has not been manipulated and/or to keep it secret from the user (or hijacker).

Keeping a password in a cookie is definitely wrong, as you've already noticed.

My advice: throw this out and stick to industry best practice. Experimenting is good only if you know what you're doing (and then again, when speaking of security, no single person can "know what he's doing").
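
An added example, not part of the thread or any poster's code: a "remember me" token that addresses the first two points in the post above by drawing the token from a CSPRNG and comparing the whole value server-side, with no offset supplied by the client. It assumes PHP 7.1 or later; the $db array and the function names issue_token and redeem_token are hypothetical stand-ins for a real table and real code.

```php
<?php
// Added example, not code from the thread. $db is a constructed in-memory
// stand-in for the database table that holds remember-me tokens.
$db = [];

// Issue a token at login: 128 bits from the CSPRNG instead of md5(rand()).
function issue_token(array &$db, int $userId, int $ttl = 604800): string
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, not secret
    $validator = bin2hex(random_bytes(16));  // the secret part
    $db[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // only a hash is stored
        'expires' => time() + $ttl,              // 7 days by default
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

// Check a cookie value. Returns [userId, newCookieValue] or null.
function redeem_token(array &$db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]])) {
        return null;                         // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $db[$selector];
    unset($db[$selector]);                   // single use, even on failure
    if ($row['expires'] < time()) {
        return null;                         // expired
    }
    // Whole-token, constant-time compare; nothing about which part of the
    // token is compared comes from the client.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return [$row['user_id'], issue_token($db, $row['user_id'])]; // rotate
}

// Constructed walk-through of one login and two re-logins.
$cookie = issue_token($db, 1);
[$uid, $next] = redeem_token($db, $cookie);  // accepted, new token issued
var_dump($uid);
var_dump(redeem_token($db, $cookie));        // old token was rotated out
var_dump(redeem_token($db, ':'));            // empty parts never match
var_dump(redeem_token($db, $next) !== null); // the rotated token is accepted
```

In a real page the returned string would be sent with setcookie using the Secure and HttpOnly flags, and the lookup would be a parameterised query rather than an array access.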