Please help with login method

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bestrong
Forum Newbie
Posts: 2
Joined: Fri Apr 24, 2009 12:44 pm

Please help with login method

Post by bestrong »

Hello Everyone!

I am new to this forum (first post actually)...so please forgive me if I post this in the wrong spot.

I am working on the user/login portion now, and am trying to figure out a way to prevent account hijacking/secure login.

I have a user database with structure user_id, username, password, secret_id ...name birth_date, etc

I want somehow to prevent session hijacking by having the session hold a random secret_id that changes every page reload and saves that value in the database and somehow have that tie in to some cookie value holding the user_id...

I have a login system now, but I am sure it is very vulnerable...It just sets a session variable holding the secret_id that changes every time a page loads, but if someone gets ahold of the secret_id, the server will think he is the valid user and keep sending him new secret values in his own session...

Please help,

Thanks,

Ben
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Please help with login method

Post by kaisellgren »

Hash your passwords before passing them into the database. Use PHP's session engine. Use session_regenerate_id() to prevent Session Fixation attacks. I would recommend you read some books: http://www.amazon.com/s/ref=nb_ss_b?url ... ty&x=0&y=0

There are a couple of things to do. Maybe you should first create the login script, and once it's done, show us your code so that we can evaluate it.
coalgames
Forum Newbie
Posts: 8
Joined: Sun Apr 26, 2009 12:22 am

Re: Please help with login method

Post by coalgames »

For beginners, PHP's built-in session functions are fine. But in the future, you might want to make your own functions (warning, that takes quite a while).

If you are inputting a password into a database, I recommend you use either the md5 function or the hash function. (Ex: md5($somepassword) and hash('md5',$somepassword).)

If you want to identify a person, you should probably use the person's user agent and their IP address. An easy way to do this, and the way I use on my website, is to get the person's IP address and browser agent.

To generate a random 32 character string, just use md5(uniqid(microtime())).

Good luck.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Please help with login method

Post by kaisellgren »

coalgames wrote: I recommend you use either the md5 function or the hash function. (Ex: md5($somepassword) and hash('md5',$somepassword).)

Forget MD5. Just jump to the hash function and use a compressor SHA-256, SHA-512 or Whirlpool.

coalgames wrote: If you want to identify a person, you should probably use the person's user agent and their IP address.

Just bear in mind, that approach is not a bulletproof solution.

coalgames wrote: To generate a random 32 character string, just use md5(uniqid(microtime())).

If you care about security, you should not generate random strings based on weak random sources.
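A login flow that puts the advice from this thread together (hashed passwords, session_regenerate_id() against session fixation, and a CSPRNG token instead of md5(uniqid(microtime()))), written as an added example and not code posted by anyone in the thread. It assumes a PDO connection in $pdo and a users table with user_id, username and password columns, and uses PHP 7+ functions that did not exist when the thread was written.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection in $pdo and a
// `users` table (user_id, username, password) where password holds a
// password_hash() string, never an MD5 digest. Requires PHP >= 7.0.

ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
session_start();

// Registration: store a salted, slow hash instead of md5($password).
function register_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: verify the hash, then rotate the session ID so an ID planted before
// authentication (session fixation) never becomes a logged-in session.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash for unknown users so timing looks the same.
    $hash = $row['password'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true);                      // discard the pre-login ID
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['token']   = bin2hex(random_bytes(32)); // CSPRNG, 64 hex characters
    return true;
}

// Per-request gate: the server-side session carries the authentication state;
// a user-agent check can be an extra signal but is not a substitute for this.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    return (int) $_SESSION['user_id'];
}

// Form token check: constant-time comparison against the session copy.
function token_is_valid(string $submitted): bool
{
    return isset($_SESSION['token']) && hash_equals($_SESSION['token'], $submitted);
}
```

Embed $_SESSION['token'] as a hidden field in forms and pass the submitted value to token_is_valid() on each POST.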