Full Version: Best Method of Protection
Weborum Webmaster Forum > Web Page Design > PHP
Joe
I was just wondering what the best method of a secure login would be. In the past I've used normal sessions but recently doubted that it would be enough.

I was wondering whether cookies would be enough ... but then these can be easily replicated ... so can basic session names, so what would be a decent compromise? Randomized codes throughout pages also stored in cookies ... I'm not sure.

Anyone have any ideas on the subject?
youneman
Sessions have been known to be fairly safe... The only problem is that they can be hijacked by evil sites... by placing a link on your site... On some occasions PHP will show the session ID in a link, and if that link is displayed (with SID) it becomes vulnerable... take a look at this link:
www.evildeveloper.com/storesession.php... not much to worry about, but what if a user without the session cookies accepted would click it? It wouldn't go just to www.evildeveloper.com/storesession.php but it would add a variable ?SID=b14mmh234klnbhbk23lkvj or w/e, so if that site uses a referrer it'd be capable of "stealing" the user ID or w/e there is stored in the session just by going to the referrer page... then he'd suddenly be logged in as the user who clicked the link!!

I hear you think, omg that's bad news but we have to be real... the chances of hijacking a session aren't huge.. But you could make the chances even slimmer by setting a different session name in the ini file... the default seems to be PHPSESSID, set it to w/e you want in php.ini.... it's against automated hijack scripts... but a hacker could easily recognize the session... and hijack it anyway, so we need something more complicated than changing the session name...

Why not set session.referer_check in php.ini? I think it should only allow sessions from that site... so... no more hijacking. Please read this at php.net/sessions because my English could be failing me, but I do think this ini option is the solution to the hijacking of sessions.

Well that's about it, with the right configuration sessions should be safe.. Hope this was of some help...

Cheers, Jeroen
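The ini options Jeroen mentions (session.name, session.referer_check) are only part of the picture; the same hardening can be set from the script, and the ID should be regenerated at login so a pre-planted or leaked ID is worthless afterwards. This is an added example, not code from the thread; it assumes PHP 7.3 or later with the standard session extension, and the host name used for referer_check is a placeholder.

```php
<?php
// Added example (not from the thread): session hardening in plain PHP.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and no framework.

// Rename the cookie so scripts that look for the default PHPSESSID find nothing.
ini_set('session.name', 'APPSESSID');
// Never accept or emit the session ID in the URL (the ?SID=... leak described above).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse IDs the client invented; only IDs this server issued are honoured.
ini_set('session.use_strict_mode', '1');
// Only honour the session when the Referer header contains this substring.
// Caveat: browsers do not always send a Referer, so this can log out real users.
ini_set('session.referer_check', 'example.com');   // placeholder host

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not sent on cross-site POSTs
]);
session_start();

function login_user(int $userId): void
{
    // Throw away whatever ID the browser had before authentication, so an ID
    // planted or captured beforehand does not become an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['started'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie on the client as well as destroying the server data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call login_user() only after the password check has passed; calling session_regenerate_id() there, rather than on every page, avoids the race where a slow second request arrives with the old ID.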
Timo
For a secure login?

Well I can come up with a few things...

First
To protect your passwords, in case of an SQL injection, having a key added to the password when you're creating it before hashing would help.

So in the MySQL database you'd have 3 rows

Username | Password | Key

Even knowing the key wouldn't help the hacker figure out the password because it's a hash.

So, when the user logs in, take the password they use to login with, concatenate the key onto it, then hash it and compare it to the saved password.

If you use a secure password (something relatively large and full of letters and digits) you have no real use for this system but many people use easily crackable passwords so if this is a user system it's smart to do it. Extra protection hurts no one too...

Second
Another way to protect against stolen cookies (if you want to use a save-password feature on your site) is to link it to an IP. If the user constantly changes their IP this could be a problem but otherwise could help protect the user.

Third
Another way to protect the user while not binding their IP to their session is simply to only show non-sensitive data to users when they come back to your site... When they want to change information have them login for extra security... This could be tedious for the user, however.
All in all, I'd personally say you should always have a key attached to your passwords just because it's easy to do and efficient. I'd also suggest that you give your users the option of binding their session to their IP while not forcing them to. As for the third thing I mentioned, I think it should be used for password changes but besides that it is annoying as hell after awhile.

-Tim
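Tim's "key" column is what is usually called a per-user salt. The block below is an added example, not code from the thread: it implements the scheme as he describes it (random key per user, hash of password plus key stored, same computation at login) and then the same registration and login using PHP's built-in password_hash(), which generates and stores its own salt and uses a deliberately slow hash, so an attacker who obtains the table cannot guess weak passwords quickly even knowing the key. It assumes a users table with username, password and `key` columns and a PDO connection; the table and column names are assumptions.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.0+, a MySQL table
// users(username, password, `key`) as described in the post, and a PDO handle.
// `key` is a reserved word in MySQL, hence the backticks.

function make_key(): string
{
    // 16 random bytes, hex encoded: one key per user, never reused.
    return bin2hex(random_bytes(16));
}

function hash_with_key(string $password, string $key): string
{
    // Must be computed the same way at registration and at login.
    return hash('sha256', $password . $key);
}

function register(PDO $pdo, string $username, string $password): void
{
    $key  = make_key();
    $stmt = $pdo->prepare('INSERT INTO users (username, password, `key`) VALUES (?, ?, ?)');
    // Prepared statement with bound values: the injection case Tim worries about
    // cannot alter the query text.
    $stmt->execute([$username, hash_with_key($password, $key), $key]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password, `key` FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Do the same amount of work for an unknown user as for a wrong password.
        hash_with_key($password, make_key());
        return false;
    }
    // hash_equals() compares in constant time; a plain == would leak how many
    // leading bytes of the hash matched.
    return hash_equals($row['password'], hash_with_key($password, $row['key']));
}

// Same idea with the built-in API (PHP 5.5+): the salt lives inside the stored
// string, so no separate key column is needed, and bcrypt is slow by design.
function register_modern(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login_modern(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Verify against a dummy hash so timing does not reveal valid usernames.
        $stored = password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $stored);
        return false;
    }
    return password_verify($password, $stored);
}
```

The first pair of functions shows exactly the table layout from the post; the second pair is the form a new site would use today, since password_verify() already does the salt lookup and constant-time comparison internally.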
sjthomas
I use a combination of session variables and check and validate them every time. So as well as storing the session ID I store a hashed password and hashed username and then validate against them on every page and if they validate then check them against the stored values as well. It seems pretty safe, having the session id alone would get you nowhere unless you also have the hashed password and username. I think some random hasher that re-generated the hash and corresponding value would be even safer but hard work.
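A per-request check like the one sjthomas describes, and the optional IP binding from Tim's second point, both belong in one function that every protected page calls first. The block below is an added example, not code from either poster. Instead of keeping a hashed password in the session it stores a random per-login token whose hash is also written to the users table, so the login can be revoked server-side (clearing that column ends every session for the user, for instance on a password change) and each request re-validates against the database. It assumes PHP 7.0+, session_start() already called, a PDO handle, and an id and session_token_hash column on the users table, all of which are assumptions.

```php
<?php
// Added example (not from the thread). Assumes session_start() has run,
// a PDO handle $pdo, and users(id, session_token_hash) in the database.

function start_authenticated_session(PDO $pdo, int $userId, bool $bindIp): void
{
    // New ID for the authenticated session; the pre-login ID is discarded.
    session_regenerate_id(true);
    // Random per-login token: only its hash is stored in the database, so a
    // database read alone does not yield a usable token.
    $token = bin2hex(random_bytes(32));
    $stmt  = $pdo->prepare('UPDATE users SET session_token_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $userId]);

    $_SESSION['user_id'] = $userId;
    $_SESSION['token']   = $token;
    // Optional binding to the client address, as the poster suggests; users on
    // changing addresses (mobile, some proxies) will be logged out by this.
    $_SESSION['ip']      = $bindIp ? ($_SERVER['REMOTE_ADDR'] ?? '') : null;
}

// Call at the top of every protected page. Returns the user id, or null when
// the session is missing, bound to another address, or revoked server-side.
function require_login(PDO $pdo): ?int
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['token'])) {
        return null;
    }
    $boundIp = $_SESSION['ip'] ?? null;
    if ($boundIp !== null && $boundIp !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        end_session();              // address changed: treat the session as stolen
        return null;
    }
    $stmt = $pdo->prepare('SELECT session_token_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    // Constant-time comparison of the stored hash with the hash of the
    // token this session carries; a cleared column fails the check.
    if ($stored === false || $stored === null
        || !hash_equals((string) $stored, hash('sha256', $_SESSION['token']))) {
        end_session();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function end_session(): void
{
    $_SESSION = [];
    session_destroy();
}

// Typical use on a protected page, after session_start():
//   $userId = require_login($pdo);
//   if ($userId === null) { header('Location: /login.php'); exit; }
```

Because PHP session data already lives on the server, the extra value in this check is not secrecy of the session contents but revocation and freshness: one UPDATE invalidates every outstanding session for the user, and the check runs on every request rather than only at login.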
Joe
Yeah, I was considering using encrypted usernames and passwords within cookies along with the current session IP address. Seems like a pretty safe idea to me.