Re: PHP & MySQL site login, security concepts

Posted: Thu Mar 19, 2009 6:34 am
by batfastad
Hi everyone

Ok I've been thinking about this and learning loads but I have some further questions.

1) Salting
kaisellgren: I read your article about hashing (http://www.phptalk.net/2009/01/24/every ... and-myths/) and that gave me some more understanding of salting, and it's definitely something I'll do. Probably dynamic salting.
But how is the salt stored in the DB?
Is it stored appended onto the password hash? Or is it stored in a separate field?

So when the user attempts to login I hash their plaintext password, add the salt from the DB to the end of that user plaintext hash, and compare that to the value of hash.salt stored in the DB
If login is successful I then set $_SESSION['auth'] = 1, generate a new salt and password hash, and update the DB.
Is that correct?

2) Regenerating session ID
So I'll be regenerating the session ID after every login/logout, that seems easy enough. But I also want to be regenerating the session ID every 10-15 minutes
In practice though, how do I do that without logging the user in/out every 20 mins?

3) Auto-login / remember username
For this particular project I don't want to have an auto-login system, but it would be cool to remember the user's username somehow.
Is it possible to do that without storing the username in a cookie?

Thanks everyone!
Ben

Re: PHP & MySQL site login, security concepts

Posted: Thu Mar 19, 2009 7:08 am
by kaisellgren
batfastad wrote:Probably dynamic salting.
Remember that it is not required and only recommended for applications which require high security. If you are sure you require all that security, then:
batfastad wrote:But how is the salt stored in the DB?
For instance,

Code:

passwd_hash VARCHAR(255) NOT NULL DEFAULT ''
salt VARCHAR(255) NOT NULL DEFAULT ''
I do not recommend using CHAR, because if later you might want to store a longer salt, it would require changes to the database unless it is CHAR(255), which could be a lot less efficient than the VARCHAR(255) equivalent.
batfastad wrote:So when the user attempts to login I hash their plaintext password, add the salt from the DB to the end of that user plaintext hash, and compare that to the value of hash.salt stored in the DB If login is successful I then set $_SESSION['auth'] = 1, generate a new salt and password hash, and update the DB.
After a successful logon, read the filesystem salt, which you should have (it is far more important to have a file system salt than to have dynamic salts), then do hash($pass.$db_salt.$filesystem_salt) and update the database passwd_hash with the result of that. Also, remember to update the salt column to $db_salt. Do the login system before updating any values. That is, update the new values after you have made sure the login was successful.
batfastad wrote:So I'll be regenerating the session ID after every login/logout
Why would you need to regenerate an identifier if he logs out? You just destroy the whole session.
batfastad wrote:But I also want to be regenerating the session ID every 10-15 minutes.
Are you working on a bank site? I doubt you need to regenerate the ID every 10-15 minutes as long as you make sure the identifier is strong.
batfastad wrote:3) Auto-login / remember username
For this particular project I don't want to have an auto-login system, but it would be cool to remember the user's username somehow.
Is it possible to do that without storing the username in a cookie?
I do not recommend that. It violates certain security principles. Typing the username or having it saved in the browser should not be a problem for your visitors. Usernames may not be stored within cookies.

Re: PHP & MySQL site login, security concepts

Posted: Thu Mar 19, 2009 7:41 am
by batfastad
Ok got it!
Glad to know I don't need to regenerate the session every 10-15 minutes, I was struggling to get my head round that.

I was wondering how sites like Gmail and eBay can get away with auto-logins... if it's secure enough for them then surely it's secure enough for our small subscriber-only database system?

Thanks for the further information about salting, I'll go with your suggestion. So for the filesystem salt, I just generate it in the same way as the DB salt.
But where do I store it? In a PHP variable in my main config file?
Or does it need to be a separate PHP file and brought in using require()?

Thanks, Ben

Re: PHP & MySQL site login, security concepts

Posted: Thu Mar 19, 2009 8:11 am
by kaisellgren
batfastad wrote:I was wondering how sites like Gmail and eBay can get away with auto-logins... if it's secure enough for them then surely it's secure enough for our small subscriber-only database system?
When you log in to Gmail automatically, the browser is giving a session identifier through cookies. This is the right approach. The session identifier Gmail uses is 182 characters long and uses characters A-Za-z0-9-_ making a total of (26*2+10+2)^182 combinations = 64^182 which is roughly 5.3*10^328 combinations (that's over 5.3 sexvigintillion^4 combinations). So how strong is this session identifier? Provided that you can do math, you should end up with a figure of 1092 bits of strength. Now that along with SSL/TLS will make sure that Session Hijacking attempts remain as attempts. ;)
batfastad wrote:But where do I store it? In a PHP variable in my main config file?
Or does it need to be a separate PHP file and brought in using require()?
It is up to you as long as it is never exposed to anyone, is kept safe and is kept in the file system.

Re: PHP & MySQL site login, security concepts

Posted: Thu Mar 19, 2009 8:38 am
by batfastad
So storing the FS salt in my global site config.php file sounds fine.

I was planning on using PHP's built-in session generating functions.
Should I be doing something different to make the session ID longer/more complex?

Re: PHP & MySQL site login, security concepts

Posted: Thu Mar 19, 2009 8:53 am
by kaisellgren
batfastad wrote:Should I be doing something different to make the session ID longer/more complex?
How important is security for your application? PHP's session system has proven to be rather good. If you want the extra security, read this: viewtopic.php?f=34&t=88685

Re: PHP & MySQL site login, security concepts

Posted: Fri Mar 27, 2009 10:17 pm
by dsick
I've been using MD5 and I've been reading that it's not strong enough for large websites. What method can I use for large sites?

Re: PHP & MySQL site login, security concepts

Posted: Fri Mar 27, 2009 11:44 pm
by allspiritseve
dsick wrote:I've been using MD5 and I've been reading that it's not strong enough for large websites. What method can I use for large sites?
SHA256

Re: PHP & MySQL site login, security concepts

Posted: Sat Mar 28, 2009 3:26 am
by kaisellgren
+Whirlpool

Re: PHP & MySQL site login, security concepts

Posted: Sun Oct 18, 2009 7:55 am
by batfastad
Hi everyone
Sorry for resurrecting this old thread but there's a bit more info I'd like to get on this topic.
I'm sorted now in terms of hashing and securing the password. I'll be using sha256 and creating a per user salt, dynamic salting which will update every login and also have a file system salt (pepper)

1) So to check if the login is correct, is this the right comparison?

Code:

if ( hash('sha256', $_POST['pass'].$sql_data['salt'].$pepper) === $sql_data['pass'].$sql_data['salt'].$pepper) {
// login successful - regenerate session and set a session['auth'] token
} else {
// login failed
}
Where $sql_data is the data returned from my SQL query for looking up the username from the DB. $pepper is the FS salt stored in my global config.php file.

2) My next question is... how to properly and securely regenerate/destroy the session on login and logout?
Here's what I've got on logout to destroy the session (untested)... is this correct?

Code:

// Unset all of the session variables.
$_SESSION = array();
 
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if ( isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
 
// Finally, destroy the session.
session_destroy();
But how do I go about regenerating the session when a user logs in?

3) When I've been messing about with sessions on our intranet application I've never used the session_name() function or worried about the session cookie.
I've only ever used sessions in this fashion:

Code:

// START SESSION
session_start();
$_SESSION['blah'] = 'some data';
 
// access data on another page
session_start();
$blah = $_SESSION['blah'];
Am I missing something here?

4) Should I store session IDs in database table to record which sessions are logged in?
I noticed there's a table in phpbb which records session IDs and I was wondering what the purpose of that is?

Sorry for all these questions but this is something I really want to make sure I get correct in my head before I start building this application
Thanks everyone

Re: PHP & MySQL site login, security concepts

Posted: Mon Oct 19, 2009 11:43 am
by VladSun
batfastad wrote:1) So to check if the login is correct, is this the right comparison?

Code:

if ( hash('sha256', $_POST['pass'].$sql_data['salt'].$pepper) === $sql_data['pass'].$sql_data['salt'].$pepper) {
// login successful - regenerate session and set a session['auth'] token
} else {
// login failed
}
Where $sql_data is the data returned from my SQL query for looking up the username from the DB. $pepper is the FS salt stored in my global config.php file.
No, it's not right. You have users' passwords stored as hashes, salt-and-pepper'ed. So... think again ;)

2) http://php.net/manual/en/function.sessi ... ate-id.php
3) You need different session names only if you have more than one WWW interface (i.e. different logins) in a single domain.
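The session_regenerate_id() answer and the logout snippet posted earlier, put together as an added example (not code from anyone in this thread). Function names, the cookie settings and the CLI demo at the bottom are my own assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Shows what "regenerate the session on login"
// and the logout snippet look like when combined with sane session cookie settings.
// Function names are assumptions. Needs PHP 7.3+ (array form of session_set_cookie_params).

function start_secure_session(): void {
    // Only cookies carry the ID (never the URL), and IDs the server did not issue are rejected.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    // Secure: cookie only travels over HTTPS. HttpOnly: not readable by page scripts.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // A custom session_name() is only needed when several applications share one domain.
    session_start();
}

// Call this once, right after the password check has succeeded.
function login_session(int $user_id): void {
    // Fresh ID for the authenticated session: whoever held the pre-login ID
    // (a fixation attempt, a copied cookie) is left with a dead one. true = delete the old file.
    session_regenerate_id(true);
    $_SESSION = [];                       // nothing from the anonymous session carries over
    $_SESSION['auth']     = 1;
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_at'] = time();
}

function is_logged_in(): bool {
    return isset($_SESSION['auth']) && $_SESSION['auth'] === 1;
}

// The thread's logout snippet, expiring the cookie with the same parameters it was set with.
function logout_session(): void {
    $_SESSION = [];
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// CLI demo: the ID changes across login, and nothing survives logout.
start_secure_session();
$anonymous_id = session_id();
login_session(42);
printf("id changed on login: %s\n", session_id() !== $anonymous_id ? 'yes' : 'no');
printf("logged in: %s\n", is_logged_in() ? 'yes' : 'no');
logout_session();
printf("logged in after logout: %s\n", is_logged_in() ? 'yes' : 'no');
```

The point of regenerating on login rather than on a timer is session fixation: an attacker who can plant a session ID in the victim's browser before login must not end up sharing the authenticated session. Regenerating at login closes that, and the `$_SESSION = []` reset makes sure nothing set while anonymous is trusted afterwards.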

Re: PHP & MySQL site login, security concepts

Posted: Mon Oct 19, 2009 1:57 pm
by batfastad
@VladSun
1) Gotcha... good spot. Glad I checked ;) How's this?

Code:

if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'])
2) So for creating/re-creating/destroying the session, do I need to bother with manually updating/expiring the session cookie?
I thought PHPs session functions dealt with that automatically?
That snippet of code I pasted above with $_COOKIE[session_name()] (written as an example on another site... sorry can't remember the URL) suggests that I need to manually deal with the cookie.
Should I just use PHPs session functions on their own or are there known security problems which mean I should expire the cookie myself?

4) For a secure login system, do I need to be recording current/logged in sessions IDs and IP addresses in a DB?
I think phpbb does something like this.
Or is that only needed if I want a method of providing auto-logins?

Thanks everyone
Cheers, B

Re: PHP & MySQL site login, security concepts

Posted: Mon Oct 19, 2009 3:51 pm
by VladSun
batfastad wrote:@VladSun
1) Gotcha... good spot. Glad I checked ;) How's this?

Code:

if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'])
Nope, not right ;)
Look at your code where you store the user's password into the DB - you should have the same into the left operand in the IF statement above.
batfastad wrote:2) So for creating/re-creating/destroying the session, do I need to bother with manually updating/expiring the session cookie?
I thought PHPs session functions dealt with that automatically?
That snippet of code I pasted above with $_COOKIE[session_name()] (written as an example on another site... sorry can't remember the URL) suggests that I need to manually deal with the cookie.
Should I just use PHPs session functions on their own or are there known security problems which mean I should expire the cookie myself
I have had no issues using pure PHP session management.
batfastad wrote:4) For a secure login system, do I need to be recording current/logged in sessions IDs and IP addresses in a DB?
Well, some would say that IP/SID pairing would increase security - I think it's true, but I also think it could lead to a DoS in some cases.

Re: PHP & MySQL site login, security concepts

Posted: Mon Oct 19, 2009 4:35 pm
by batfastad
Ok another go...

Code:

if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'].$sql_data['salt'].$pepper)
Great news on the PHP session functions.
I did think that was strange. I hadn't seen manual session cookie manipulation mentioned in any other tutorials I'd read.

So if I wanted to implement an auto-login feature, obviously I don't store the username/password anywhere. If the user has their browser set to remember username/password then that's their problem and there's not much I could do about that.
So how would it work?
Would I store the user's session ID in a separate cookie. Then when the user returns, compare their IP address with a session_id/IP pair stored in a database?

Re: PHP & MySQL site login, security concepts

Posted: Mon Oct 19, 2009 4:43 pm
by VladSun
Left!
:P
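The scheme kaisellgren described earlier in the thread (per-user salt in the DB, a filesystem salt kept out of it, hash($pass.$db_salt.$filesystem_salt), and a new salt issued only after a successful login), plus the comparison that batfastad and VladSun were circling in the last few posts, as one added example. This is not code from anyone in the thread: the table and column names follow kaisellgren's schema, but the function names, the PEPPER constant and the in-memory SQLite database used for the demo are my own assumptions. It needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Per-user salt in the DB plus a filesystem
// "pepper" outside it; hash($pass . $db_salt . $filesystem_salt) in that order; the salt
// is rotated only after a successful login. Table/column names follow the thread; the
// function names, PEPPER and the SQLite demo are assumptions. Needs PHP 7.1+.

// In a real deployment this is read from a file outside the web root, e.g.
// require '/etc/myapp/pepper.php'; it is inlined here only so the example runs stand-alone.
const PEPPER = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';

function new_salt(): string {
    return bin2hex(random_bytes(16));          // 128 bits from the CSPRNG, 32 hex chars
}

// Exactly the order used in the thread: password, then DB salt, then filesystem salt.
function password_digest(string $password, string $salt): string {
    return hash('sha256', $password . $salt . PEPPER);
}

function create_user(PDO $db, string $username, string $password): void {
    $salt = new_salt();
    $stmt = $db->prepare('INSERT INTO users (username, passwd_hash, salt) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_digest($password, $salt), $salt]);
}

// Returns the user's id on success, null on failure. The left operand is rebuilt the same
// way the stored value was built; the right operand is the stored hash alone.
function verify_login(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, passwd_hash, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_digest($password, 'no-such-user');   // same cost whether or not the user exists
        return null;
    }
    $candidate = password_digest($password, $row['salt']);
    if (!hash_equals($row['passwd_hash'], $candidate)) {   // constant-time comparison
        return null;
    }
    // Dynamic salting: only now, after the login succeeded, issue a new salt and store
    // the hash computed with it. A failed login must never reach this UPDATE.
    $new_salt = new_salt();
    $upd = $db->prepare('UPDATE users SET passwd_hash = ?, salt = ? WHERE id = ?');
    $upd->execute([password_digest($password, $new_salt), $new_salt, (int) $row['id']]);
    return (int) $row['id'];
}

function current_salt(PDO $db, string $username): string {
    $stmt = $db->prepare('SELECT salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (string) $stmt->fetchColumn();
}

// Demo against an in-memory SQLite database (constructed data, no real users).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    passwd_hash VARCHAR(255) NOT NULL DEFAULT '',
    salt VARCHAR(255) NOT NULL DEFAULT ''
)");
create_user($db, 'ben', 'correct horse battery');
$salt_before = current_salt($db, 'ben');

printf("wrong password rejected: %s\n",
       verify_login($db, 'ben', 'wrong') === null ? 'yes' : 'no');
printf("right password accepted: %s\n",
       verify_login($db, 'ben', 'correct horse battery') !== null ? 'yes' : 'no');
printf("salt rotated after success: %s\n",
       current_salt($db, 'ben') !== $salt_before ? 'yes' : 'no');
```

Two caveats a practitioner would add to this thread. First, SHA-256 is a fast hash, so an attacker with the table can try billions of guesses per second per GPU; since PHP 5.5 the built-in password_hash() / password_verify() (bcrypt, with a cost factor and its own salt handling) is the right replacement for the hash() call, and the pepper and rotation logic above work unchanged around it. Second, the pepper must be backed up alongside the database: if it is lost or changed, every stored hash becomes unverifiable.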