TalkPHP
 
 
Account Login
Latest Articles
» The basic usage of PHPTAL, a XML/XHTML template library for PHP
» Vulnerable methods and the areas they are commonly trusted in.
» Simple way to protect a form from bot
» The Basics On: How Session Stealing Works
» How to keep your forms from double posting data
IRC Channel
IRC Speech Bubble Join the friendly bunch on IRC...
(#TalkPHP on Freenode)

...Also available via a web interface.

See this thread for information on the TalkPHP Free Hugs Initiative™. Subject to availability.
Associates
Associates
CSS Tutorials
Reply
 
LinkBack Thread Tools Search this Thread Display Modes
Old 06-27-2009, 01:00 AM   #1 (permalink)
The Contributor
 
cecilia's Avatar
 
Join Date: May 2009
Location: LA, CA
Posts: 87
Thanks: 0
cecilia is on a distinguished road
Default username and password

I know this sounds so basic but... Im just wondering if this approach is right, Id really like to know if I did something wrong. Its the way users log in:


1. Users login at login.php.

2. It gets submitted to home.php which has validate.php included at the top which checks the database for the user and password match. The sanitation for all the POSTs is there too.

3. The validate.php is on every page from then on and the login/password gets passed through the pages as hidden POSTs. So on every page, it gets checked - the user and password match.

4. If you dont get the password right you just get bounced back to the login.



What was I thinking back then:

1. Im passing the password and the user instead of just posting loginsuccessful = 1, coz users can just modify this right?

2. Im making it check every page too in case the user is already logged in, and I need to kick him/her out of the site for some reason.

3. I didnt use GET, sessions and cookies coz I read they can be hijacked so its not safe. So all I have left was the POST.


Thanks
cecilia is offline  
Reply With Quote
Old 06-27-2009, 01:20 AM   #2 (permalink)
The Addict
 
Join Date: May 2009
Posts: 287
Thanks: 5
adamdecaf is on a distinguished road
Default

Cookies and Sessions can only be hacked if you use them incorrectly. (For secure data that is)
__________________
My Site
adamdecaf is offline  
Reply With Quote
Old 06-27-2009, 01:23 AM   #3 (permalink)
Wizard
Top Contributor 
 
Village Idiot's Avatar
 
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Village Idiot is on a distinguished road
Default

1. That is correct. However, never store raw passwords in the database or the cookie so that a hacker can not see them. Hash the password via SHA1 or MD5 in both the database and the cookie, that way even if the hacker gets the hash he doesn't know the user's password.

2. Always validate the information with the database on every page which they need to be logged in on.

3. You can edit POST just as easily as GET, but POST is not as visible so use it. Just validate the data you get from POST and you will be fine.

I prefer using database sessions to validate the user. This may be a tad too advanced right now, but every time the user logs in make a randomly generated key, store that key in both the cookie and the database (along with the user's ID), use those to match the login with. That way if a hacker grabs the users cookie (or even gets your database), it is useless after the user logs out.
__________________

Village Idiot is offline  
Reply With Quote
Old 06-27-2009, 04:22 PM   #4 (permalink)
The Addict
 
Join Date: May 2009
Posts: 287
Thanks: 5
adamdecaf is on a distinguished road
Default

@VI Would you suggest binding the random ID to an IP to prevent black-hats from using the session when the user is logged in?
__________________
My Site
adamdecaf is offline  
Reply With Quote
Old 06-27-2009, 10:46 PM   #5 (permalink)
The Contributor
 
cecilia's Avatar
 
Join Date: May 2009
Location: LA, CA
Posts: 87
Thanks: 0
cecilia is on a distinguished road
Default

I use sessions on my personal site already, with the random key for the cookie but never thought of storing it on the database too. Curious, Ill actually try that. I would most likely consider applying this to my other sites. Thanks.

Thank you both for the ideas.
cecilia is offline  
Reply With Quote
Old 06-28-2009, 02:08 AM   #6 (permalink)
Wizard
Top Contributor 
 
Village Idiot's Avatar
 
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Village Idiot is on a distinguished road
Default

Quote:
Originally Posted by adamdecaf View Post
@VI Would you suggest binding the random ID to an IP to prevent black-hats from using the session when the user is logged in?
No, IP is not a good method of validating. IPs can change in a session and there are ways to spoof them. This method is about as secure as it comes, it is very similar to what we are doing for an internal file transfer site for our company (a mortgage banker).

HTTP is a stateless connection meaning there is no possible way to know for absolute certain that you are talking to the same person. The only way you can know is to have very hard to spoof data to validate on both ends, this data can always be stolen or faked. To circumvent this the data should change as often as possible so that a cracker's attempt will prove useless before long.

I personally stick away from server side sessions, they have harder to find insecurities and have been less realiable in regards to consistancy from my experience.
__________________

Village Idiot is offline  
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Thread Thread Starter Forum Replies Last Post
Password Hashing Normo General 5 12-17-2008 11:00 AM
vBulletin: Problem with register : "That username is already in use or does..." Fpac.afrikano Feedback 1 11-29-2008 03:58 PM
Password salts h0ly lag General 9 06-27-2008 07:27 PM
Single way password storage DragonBe General 3 11-21-2007 01:42 PM
Cryptography's Sodium Chloride Wildhoney Tips & Tricks 7 09-26-2007 05:19 PM


All times are GMT. The time now is 09:38 AM.

 
     

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Inactive Reminders By Icora Web Design