Please help with login method

Posted: Fri Apr 24, 2009 12:56 pm
by bestrong
Hello Everyone!

I am new to this forum (first post actually)...so please forgive me if I post this in the wrong spot.

I am working on the user/login portion now, and am trying to figure out a way to prevent account hijacking/secure login.

I have a user database with structure user_id, username, password, secret_id ...name birth_date, etc

I want somehow to prevent session hijacking by having the session hold a random secret_id that changes every page reload and saves that value in the database and somehow have that tie in to some cookie value holding the user_id...

I have a login system now, but I am sure it is very vulnerable...It just sets a session variable holding the secret_id that changes every time a page loads, but if someone gets ahold of the secret_id, the server will think he is the valid user and keep sending him new secret values in his own session...

Please help,

Thanks,

Ben

Re: Please help with login method

Posted: Sat Apr 25, 2009 2:03 am
by kaisellgren
Hash your passwords before passing them into the database. Use PHP's session engine. Use session_regenerate_id() to prevent Session Fixation attacks. I would recommend you to read some books: http://www.amazon.com/s/ref=nb_ss_b?url ... ty&x=0&y=0

There are a couple of things to do. Maybe you should first create the login script, and once it's done, show us your code so that we can evaluate it.

Re: Please help with login method

Posted: Sun Apr 26, 2009 2:23 am
by coalgames
For beginners, PHP's built-in session functions are fine. But in the future, you might want to make your own functions (warning, that takes quite a while).

If you are inputting a password into a database, I recommend you use either the md5 function or the hash function. (Ex: md5($somepassword) and hash('md5',$somepassword).)

If you want to identify a person, you should probably use the person's user agent and their IP address. An easy way to do this and a way that I use in my website is to get the person's IP address and browser agent.

To generate a random 32 character string, just use md5(uniqid(microtime())).

Good luck.

Re: Please help with login method

Posted: Sun Apr 26, 2009 4:39 am
by kaisellgren
coalgames wrote:I recommend you use either the md5 function or the hash function. (Ex: md5($somepassword) and hash('md5',$somepassword).)
Forget MD5. Just jump to the hash function and use a compressor SHA-256, SHA-512 or Whirlpool.
coalgames wrote:If you want to identify a person, you should probably use the person's user agent and their IP address.
Just bear in mind, that approach is not a bullet proof solution.
coalgames wrote:To generate a random 32 character string, just use md5(uniqid(microtime)));
If you care about security, you should not generate random strings based on weak random sources.
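Putting the replies' advice (hash passwords properly, let PHP manage the session, regenerate the ID on login, draw tokens from a real random source) into one flow, as an added example that is not code from this thread; it uses current PHP functions (password_hash, random_bytes, hash_equals) and assumes a PDO connection `$pdo` and a constructed `users` table with columns `user_id`, `username`, `password_hash`.

```php
<?php
declare(strict_types=1);

// Session cookie: not readable by script (HttpOnly), only sent over HTTPS (Secure).
// Must be set before session_start(). Assumed deployment: site served over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function register_user(PDO $pdo, string $username, string $password): void
{
    // Salted, slow hash (bcrypt by default); never store plaintext or a bare MD5/SHA.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the username is unknown so that the
    // response time does not reveal which usernames exist.
    $storedHash = $row['password_hash'] ?? password_hash('dummy-placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $storedHash)) {
        return false;
    }

    // Fresh session ID after authentication defeats session fixation; true
    // deletes the old session file so a pre-set ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];

    // Per-session CSRF token from the CSPRNG, not from uniqid()/microtime().
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return true;
}

function csrf_token_is_valid(string $submitted): bool
{
    // hash_equals compares in constant time, so a mismatch position is not leaked.
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
```

The session ID is itself the secret the original post wanted to rotate; a per-page secret adds little once the cookie is stolen, so protecting the cookie (HttpOnly, Secure, regenerate on login) is where the effort belongs.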