PHP & MySQL site login, security concepts
Re: PHP & MySQL site login, security concepts
Hi everyone
Ok I've been thinking about this and learning loads but I have some further questions.
1) Salting
kaisellgren: I read your article about hashing (http://www.phptalk.net/2009/01/24/every ... and-myths/) and that gave me some more understanding of salting, and it's definitely something I'll do. Probably dynamic salting.
But how is the salt stored in the DB?
Is it stored appended onto the password hash? Or is it stored in a separate field?
So when the user attempts to login I hash their plaintext password, add the salt from the DB to the end of that user plaintext hash, and compare that to the value of hash.salt stored in the DB
If login is successful I then set $_SESSION['auth'] = 1, generate a new salt and password hash, and update the DB.
Is that correct?
2) Regenerating session ID
So I'll be regenerating the session ID after every login/logout, that seems easy enough. But I also want to be regenerating the session ID every 10-15 minutes
In practice though, how do I do that without logging the user in/out every 20 mins?
3) Auto-login / remember username
For this particular project I don't want to have an auto-login system, but it would be cool to remember the user's username somehow.
Is it possible to do that without storing the username in a cookie?
Thanks everyone!
Ben
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP & MySQL site login, security concepts
batfastad wrote: Probably dynamic salting.
Remember that it is not required and only recommended for applications which require high security. If you are sure you require all that security, then:
batfastad wrote: But how is the salt stored in the DB?
For instance,
Code:
passwd_hash VARCHAR(255) NOT NULL DEFAULT ''
salt VARCHAR(255) NOT NULL DEFAULT ''
batfastad wrote: So when the user attempts to login I hash their plaintext password, add the salt from the DB to the end of that user plaintext hash, and compare that to the value of hash.salt stored in the DB
If login is successful I then set $_SESSION['auth'] = 1, generate a new salt and password hash, and update the DB.
After a successful logon, read the filesystem salt, which you should have (it is far more important to have a file system salt than to have dynamic salts), then do hash($pass.$db_salt.$filesystem_salt) and update the database passwd_hash with the result of that. Also, remember to update the salt column to $db_salt. Do the login system before updating any values. That is, update the new values after you have made sure the login was successful.
batfastad wrote: So I'll be regenerating the session ID after every login/logout
Why would you need to regenerate an identifier if he logs out? You just destroy the whole session.
batfastad wrote: But I also want to be regenerating the session ID every 10-15 minutes.
Are you working on a bank site? I doubt you need to regenerate the ID every 10-15 minutes as long as you make sure the identifier is strong.
batfastad wrote: 3) Auto-login / remember username
For this particular project I don't want to have an auto-login system, but it would be cool to remember the user's username somehow.
Is it possible to do that without storing the username in a cookie?
I do not recommend that. It violates certain security principles. Typing the username or having it saved in the browser should not be a problem for your visitors. Usernames may not be stored within cookies.
Re: PHP & MySQL site login, security concepts
Ok got it!
Glad to know I don't need to regenerate the session every 10-15 minutes, I was struggling to get my head round that.
I was wondering how sites like Gmail and eBay can get away with auto-logins... if it's secure enough for them then surely it's secure enough for our small subscriber-only database system?
Thanks for the further information about salting, I'll go with your suggestion. So for the filesystem salt, I just generate it in the same way as the DB salt.
But where do I store it? In a PHP variable in my main config file?
Or does it need to be a separate PHP file and brought in using require()?
Thanks, Ben
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP & MySQL site login, security concepts
batfastad wrote: I was wondering how sites like Gmail and eBay can get away with auto-logins... if it's secure enough for them then surely it's secure enough for our small subscriber-only database system?
When you login to Gmail automatically, the browser is giving a session identifier through cookies. This is the right approach. The session identifier Gmail uses is 182 characters long and uses characters A-Za-z0-9-_ making a total of (26*2+10+2)^182 combinations = 64^182 which is roughly 5.3*10^328 combinations (that's over 5.3 sexvigintillion^4 combinations). So how strong is this session identifier? Provided that you can do math, you should end up with a figure of 1092 bits of strength. Now that along with SSL/TLS will make sure that Session Hijacking attempts remain as attempts.
batfastad wrote: But where do I store it? In a PHP variable in my main config file?
Or does it need to be a separate PHP file and brought in using require()?
It is up to you as long as it is never exposed to anyone and is kept safe and is kept in the file system.
Re: PHP & MySQL site login, security concepts
So storing the FS salt in my global site config.php file sounds fine.
I was planning on using PHP's built-in session generating functions.
Should I be doing something different to make the session ID longer/more complex?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP & MySQL site login, security concepts
batfastad wrote: Should I be doing something different to make the session ID longer/more complex?
How important is security for your application? PHP's session system has proven to be rather good. If you want the extra security, read this: viewtopic.php?f=34&t=88685
Re: PHP & MySQL site login, security concepts
I've been using MD5 and I've been reading that it's not strong enough for large websites. What method can I use for large sites?
- allspiritseve
- DevNet Resident
- Posts: 1174
- Joined: Thu Mar 06, 2008 8:23 am
- Location: Ann Arbor, MI (USA)
Re: PHP & MySQL site login, security concepts
dsick wrote: I've been using MD5 and I've been reading that it's not strong enough for large websites. What method can I use for large sites?
SHA256
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP & MySQL site login, security concepts
Hi everyone
Sorry for resurrecting this old thread but there's a bit more info I'd like to get on this topic.
I'm sorted now in terms of hashing and securing the password. I'll be using sha256, creating a per-user salt (dynamic salting, which will update on every login) and also having a file system salt (pepper).
1) So to check if the login is correct, is this the right comparison?
Code:
if ( hash('sha256', $_POST['pass'].$sql_data['salt'].$pepper) === $sql_data['pass'].$sql_data['salt'].$pepper) {
    // login successful - regenerate session and set a session['auth'] token
} else {
    // login failed
}
Where $sql_data is the data returned from my SQL query for looking up the username from the DB. $pepper is the FS salt stored in my global config.php file.
2) My next question is... how to properly and securely regenerate/destroy the session on login and logout?
Here's what I've got on logout to destroy the session (untested)... is this correct?
Code:
// The session has to be started before it can be destroyed.
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if ( isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
But how do I go about regenerating the session when a user logs in?
3) When I've been messing about with sessions on our intranet application I've never used the session_name() function or worried about the session cookie.
I've only ever used sessions in this fashion:
Code:
// START SESSION
session_start();
$_SESSION['blah'] = 'some data';
// access data on another page
session_start();
$blah = $_SESSION['blah'];
Am I missing something here?
4) Should I store session IDs in a database table to record which sessions are logged in?
I noticed there's a table in phpbb which records session IDs and I was wondering what the purpose of that is?
Sorry for all these questions but this is something I really want to make sure I get correct in my head before I start building this application.
Thanks everyone
Re: PHP & MySQL site login, security concepts
batfastad wrote: 1) So to check if the login is correct, is this the right comparison?
Where $sql_data is the data returned from my SQL query for looking up the username from the DB. $pepper is the FS salt stored in my global config.php file.
Code:
if ( hash('sha256', $_POST['pass'].$sql_data['salt'].$pepper) === $sql_data['pass'].$sql_data['salt'].$pepper) {
    // login successful - regenerate session and set a session['auth'] token
} else {
    // login failed
}
No, it's not right. You have users' passwords stored as hashes - salt & pepper'ed. So... think again
2) http://php.net/manual/en/function.sessi ... ate-id.php
3) You need different session names only if you have more than one WWW interface (i.e., different logins) in a single domain.
There are 10 types of people in this world, those who understand binary and those who don't
Re: PHP & MySQL site login, security concepts
@VladSun
1) Gotcha... good spot. Glad I checked
How's this?
Code:
if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'])
2) So for creating/re-creating/destroying the session, do I need to bother with manually updating/expiring the session cookie?
I thought PHP's session functions dealt with that automatically?
That snippet of code I pasted above with $_COOKIE[session_name()] (written as an example on another site... sorry can't remember the URL) suggests that I need to manually deal with the cookie.
Should I just use PHP's session functions on their own or are there known security problems which mean I should expire the cookie myself?
4) For a secure login system, do I need to be recording current/logged-in session IDs and IP addresses in a DB?
I think phpbb does something like this.
Or is that only needed if I want a method of providing auto-logins?
Thanks everyone
Cheers, B
Re: PHP & MySQL site login, security concepts
batfastad wrote: @VladSun
1) Gotcha... good spot. Glad I checked
How's this?
Code:
if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'])
Nope, not right
Look at your code where you store the user's password into the DB - you should have the same in the left operand in the IF statement above.
batfastad wrote: 2) So for creating/re-creating/destroying the session, do I need to bother with manually updating/expiring the session cookie?
I thought PHP's session functions dealt with that automatically?
That snippet of code I pasted above with $_COOKIE[session_name()] (written as an example on another site... sorry can't remember the URL) suggests that I need to manually deal with the cookie.
Should I just use PHP's session functions on their own or are there known security problems which mean I should expire the cookie myself?
I have had no issues using pure PHP session management.
batfastad wrote: 4) For a secure login system, do I need to be recording current/logged-in session IDs and IP addresses in a DB?
Well, some would say that IP/SID pairing would increase security - I think it's true, but I also think it could lead to a DoS in some cases.
There are 10 types of people in this world, those who understand binary and those who don't
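A login check written so that the left operand is built exactly the way the stored value was, which is the point VladSun's reply makes; this is an added example, not code from the thread or from any poster. It follows the scheme the thread settled on (sha256 over password . per-user salt . filesystem pepper, the salt in its own column, a fresh salt written on each successful login, session ID regenerated on login) and assumes a PDO connection, a users table with columns id, username, passwd_hash and salt, and $pepper loaded from config.php.

```php
<?php
// Added example (not from the thread). Storage scheme as discussed above:
//   passwd_hash = sha256(password . db_salt . pepper), db_salt in its own column,
//   pepper kept only on the filesystem (config.php). Table/column names are assumed.

function make_salt(): string {
    // 32 hex characters from the OS CSPRNG (random_bytes needs PHP 7+).
    return bin2hex(random_bytes(16));
}

function compute_hash(string $password, string $db_salt, string $pepper): string {
    // Single helper used for BOTH storing and checking, so the two can never drift apart.
    return hash('sha256', $password . $db_salt . $pepper);
}

// $pdo: an open PDO connection; $pepper: the filesystem salt from config.php.
// session_start() must already have been called by the caller.
function login(PDO $pdo, string $pepper, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, passwd_hash, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same outcome as a wrong password
    }

    // Left operand is computed the same way the stored value was.
    // hash_equals() compares in constant time, avoiding a timing side channel.
    $candidate = compute_hash($password, $row['salt'], $pepper);
    if (!hash_equals($row['passwd_hash'], $candidate)) {
        return false;
    }

    // Only after the check has passed: rotate the per-user salt and re-store the
    // hash (the "dynamic salting" from earlier in the thread).
    $new_salt = make_salt();
    $upd = $pdo->prepare('UPDATE users SET passwd_hash = ?, salt = ? WHERE id = ?');
    $upd->execute([compute_hash($password, $new_salt, $pepper), $new_salt, $row['id']]);

    // Privilege level changes here, so issue a new session ID and discard the old
    // session file (the session_regenerate_id() link VladSun gave).
    session_regenerate_id(true);
    $_SESSION['auth'] = 1;
    $_SESSION['user_id'] = $row['id'];
    return true;
}
```

For a new build, PHP's password_hash()/password_verify() (bcrypt, with the salt handled for you) replaces the hand-rolled sha256 scheme; the comparison and session-regeneration steps stay the same.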
Re: PHP & MySQL site login, security concepts
Ok another go...
Code:
if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'].$sql_data['salt'].$pepper)
Great news on the PHP session functions.
I did think that was strange. I hadn't seen manual session cookie manipulation mentioned in any other tutorials I'd read.
So if I wanted to implement an auto-login feature, obviously I don't store the username/password anywhere. If the user has their browser set to remember username/password then that's their problem and there's not much I could do about that.
So how would it work?
Would I store the user's session ID in a separate cookie? Then when the user returns, compare their IP address with a session_id/IP pair stored in a database?
Re: PHP & MySQL site login, security concepts
Left!

There are 10 types of people in this world, those who understand binary and those who don't