www.webdeveloper.com

Thread: php session login security help

  1. #1
    Join Date: Jul 2011 | Location: 0xf72408d5eb9d0ae5 | Posts: 30

    php session login security help

    Hi, I am trying to set up a PHP login session securely.
    By this I mean I want to prevent session hijacking and fixation.

    Eventually, I want to use both a username and a password, but for now it just has a password.

    Here is my code.
    Everything seems to work fine, but how do I test for security flaws like hijacking and fixation?
    What does checking for an IP and using session_regenerate_id() actually do?
    Am I better off doing this with cookies? If so, won't the password/username be vulnerable to sniffing?
    What tips do you have for making this better?

    I want this to be as secure as possible. (Hosting doesn't allow SSL - shared.)

    live demo: http://bp.businessconsultingllc.com/...al/session.php
    PHP Code:
    <?php
    session_start();

    // remember when the session was created; used for the 30 s timeout below
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = time();
    }

    if (time() - $_SESSION['created'] > 30) {
        session_unset();      // clear the data first, then destroy the session
        session_destroy();
        exit('TIMEOUT<br /><a href="?pass=pass">login</a>');
    }

    // already logged in: the stored IP has to match the current one
    // (the posted code used = here, an assignment that always passed)
    if (isset($_SESSION['pass'], $_SESSION['ip'])
        && $_SESSION['pass'] == 'pass'
        && $_SESSION['ip'] == $_SERVER['REMOTE_ADDR']) {
        session_regenerate_id(true);   // true also deletes the old session data
        echo 'Already Logged In<br />';
        echo session_id() . "<br />";
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    } elseif (isset($_GET['pass']) && $_GET['pass'] == 'pass') {
        // login: issue a fresh session id so a pre-login id cannot be reused
        session_regenerate_id(true);
        echo session_id() . "<br />";
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        echo $_SESSION['ip'] . "<br />";
        $_SESSION['pass'] = $_GET['pass'];
        echo $_SESSION['pass'] . "<br />";
    } else {
        session_unset();
        session_destroy();
        exit('Failed<br /><a href="?pass=pass">login</a>');
    }
    ?>

  2. #2
    Join Date: May 2011 | Location: With Hobbits | Posts: 125
    Most people on here will say that sessions are the way to go, and they are in most cases. But for me, when it comes to logins I just use cookies, multiple cookies, and make sure they all match, as it has never failed me. So if one doesn't match they can't get in, end of story. Once again though, sessions are a lot more secure if you have one of those websites everyone wants to hack. Just remember: the more variables that have to match, the more secure it can become. (The best way to learn security is to learn hacking.)
    Albert Einstein ~ "Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction."

    Things To help you on this Site

    1. Place all php code in [php] Tags
    2. Place all html code in [html] Tags
    3. Remember to mark all your Threads Resolved using thread tools at the top when your problem is solved

  3. #3
    Join Date: Jul 2011 | Location: 0xf72408d5eb9d0ae5 | Posts: 30
    Thanks for your response. Can't cookies be sniffed? The hacker could then just put those into his browser and log in as that valid user. Or am I missing something?

    I *think* the code I have works to prevent session hijacking and fixation, but I want verification. Can anyone verify?

  4. #4
    Join Date: May 2011 | Location: With Hobbits | Posts: 125
    Hacking can happen no matter what if someone is determined enough. Cookie sniffing is one of many ways that cookies are vulnerable. Most hackers sniff by planting other cookies that sniff it out. The one way to prevent that is to make the IP one of the things the server checks against, like yours does. A good way of being secure is to break up your security into multiple parts by grabbing a variable from a session and comparing it to a cookie. It's a good way to trick hackers who think they're getting everything with your cookies and are blinded by your hidden session. The other way is to completely dump someone's cookies when they log in to your site, although that can piss some people off.

  5. #5
    Join Date: Jul 2011 | Location: 0xf72408d5eb9d0ae5 | Posts: 30
    Suppose I wanted to use asymmetric encryption (RSA) to get login and registration data.
    Is it safe to store the private key in a session? Or is a database better?

    Assuming I have fewer than 1000 users and fewer than 100 at a time, will this be a significant load on the server if I save private keys in the database?

  6. #6
    Join Date: May 2011 | Location: With Hobbits | Posts: 125
    You will be fine; MySQL servers can deal with quite a bit of traffic. Databases are always safer, just make sure to escape everything.

  7. #7
    Join Date: Jul 2011 | Location: 0xf72408d5eb9d0ae5 | Posts: 30
    Yeah, about that. What's better? addslashes() or mysql_real_escape_string()?

    What's the real difference?

  8. #8
    Join Date: Jan 2009 | Posts: 3,346
    Quote Originally Posted by deller:
    > Yeah, about that. What's better? addslashes() or mysql_real_escape_string()?
    >
    > What's the real difference?
    Don't use addslashes(). Always use the *_escape_* methods available for the specific DB. addslashes() doesn't properly escape many cases and can cause extra slashes to appear in your content that can be terribly difficult to track down and correct.
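    An added example (not code from the thread) putting the three options behind this answer side by side: addslashes(), the driver's own escaper, and the prepared statement that both escapers are only approximating. It assumes a MySQL `users` table with `username` and `password_hash` columns (a hypothetical schema) and connection details supplied where the placeholders are.

```php
<?php
// Added example, not the thread's code. Assumes a hypothetical `users` table
// (username, password_hash) and DB credentials in place of the *_PLACEHOLDER values.
declare(strict_types=1);

$username = $_POST['username'] ?? '';   // untrusted input
$password = $_POST['password'] ?? '';   // untrusted input

// 1. addslashes(): generic and charset-unaware. It never sees the DB connection,
//    so it cannot know which byte sequences the server treats as a quote, and
//    applying it to data that was already escaped (the old magic_quotes problem)
//    produces the doubled backslashes this answer warns about.
$fragile = "SELECT id FROM users WHERE username = '" . addslashes($username) . "'";

// 2. mysqli_real_escape_string(): escapes according to the character set negotiated
//    on $link, which is what "the escape method for the specific DB" means.
$link = mysqli_connect('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                       'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
mysqli_set_charset($link, 'utf8mb4');   // set it on the link, not with a SET NAMES query
$escaped = "SELECT id FROM users WHERE username = '"
         . mysqli_real_escape_string($link, $username) . "'";

// 3. Prepared statement: SQL text and data travel separately, so there is no
//    escaping step left to get wrong. Use this for every query carrying user data.
$pdo = new PDO('mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
               [PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepare
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The hashed-password check that goes with it (see post #13): never compare
// plaintext, and never build the password into a query string either.
if ($row !== false && password_verify($password, $row['password_hash'])) {
    echo 'login ok';
} else {
    echo 'login failed';
}
```

    Only the third query is executed; `$fragile` and `$escaped` are built to show what each escaper does and does not know about the connection.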

  9. #9
    Join Date: Jul 2011 | Location: 0xf72408d5eb9d0ae5 | Posts: 30
    OK, thanks.

    Do you guys know of any other ways to protect sessions than the ones I used? I still don't know what session_regenerate_id() does exactly.

  10. #10
    Join Date: Jan 2009 | Posts: 3,346
    Quote Originally Posted by deller:
    > OK, thanks.
    >
    > Do you guys know of any other ways to protect sessions than the ones I used? I still don't know what session_regenerate_id() does exactly.
    session_regenerate_id() causes the session id to be recreated. This is particularly useful when switching between access levels (such as from guest to admin or back). This will prevent a man-in-the-middle attack allowing a hacker to grab the session id from a non-authenticated user and continue to use it after the user has authenticated, giving the attacker a higher privilege level than they were entitled to.

    I would recommend reading Essential PHP Security by Chris Shiflett. It is a relatively cheap book and a quick read but covers lots of security principles as they can be applied to PHP scripts.
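    An added example, not the thread's script or anyone's code here, that ties post #1's questions (fixation, hijacking, what the IP check does) to the session_regenerate_id() explanation above. It keeps the thread's demo password 'pass' and the ?pass= login link; the 30 s idle timeout, the user-agent check and the ini settings are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread). Demo password and ?pass= link mirror the
// thread's script; a real site would verify a hashed password from a database.
declare(strict_types=1);

const EXPECTED_PASSWORD = 'pass';   // demo value from the thread, not a real secret
const IDLE_TIMEOUT      = 30;       // seconds, assumed for the example

// Reject session ids the server never issued (this is what stops fixation through
// a crafted ?PHPSESSID= link), accept ids only from the cookie, and keep the
// cookie away from JavaScript.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Idle timeout measured from the last request, not from session creation,
// and unset before destroy.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
    session_unset();
    session_destroy();
    exit('TIMEOUT<br /><a href="?pass=pass">login</a>');
}
$_SESSION['last_seen'] = time();

// Login: constant-time compare, then a NEW session id so that whatever id the
// browser held before authenticating (fixed or sniffed) is no longer valid.
if (isset($_GET['pass'])) {
    if (!hash_equals(EXPECTED_PASSWORD, (string) $_GET['pass'])) {
        exit('Failed<br /><a href="?pass=pass">login</a>');
    }
    session_regenerate_id(true);            // true = delete the old session's data too
    $_SESSION['logged_in'] = true;
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'];
    $_SESSION['ua']        = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

// Every later request: the IP and user agent recorded at login must still match
// (note === here; the thread's script used a single =, which always passed).
// A mismatch is treated as a possible hijack and the session is thrown away.
if (!empty($_SESSION['logged_in'])
    && $_SESSION['ip'] === $_SERVER['REMOTE_ADDR']
    && $_SESSION['ua'] === ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    echo 'Already Logged In<br />';
} else {
    session_unset();
    session_destroy();
    exit('Failed<br /><a href="?pass=pass">login</a>');
}
```

    The IP comparison is the check the thread asks about: it ends the session when the client address changes, which also logs out legitimate users behind rotating proxies or on mobile networks, so treat it as a tripwire rather than the main protection.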

  11. #11
    Join Date: Mar 2011 | Posts: 79
    I'm a noob so I have to ask, but does security require creating any kind of function or separate application? Just wondering, because sometimes when creating scripts it gets hard to get by all the garble and get straight to the scripting because of all the technical stuff.

    Is just escaping a string good enough for security, or is this a patch thing similar to dealing with Windows (pretty much never going to be solved, so deal with the risk)?

  12. #12
    Join Date: May 2011 | Location: With Hobbits | Posts: 125
    Escaping is really all you need to keep people from doing SQL injection.

  13. #13
    Join Date: Jul 2011 | Location: 0xf72408d5eb9d0ae5 | Posts: 30
    Escaping will only prevent SQL injection attacks.

    Escaping does not, however, prevent session fixation/hijacking or other sniffing/man-in-the-middle attacks.

    Basically, you need to ask yourself how secure you want your website to be. Do you just want to host a discussion forum? Or are you trying to conduct ecommerce or banking on your website? Or something in the middle?

    For forums and other low-security things, a simple login script using hashed passwords would probably be OK.

    For online banking or ecommerce you want strong encryption for every message that goes between the server and client. SSL is popular, but expensive.

  14. #14
    Join Date: Mar 2011 | Posts: 79
    Well, that was my problem. I found SSL and they made it seem like once you had the certificate on your site they handled everything.

    But I'm like, that wouldn't be good enough for sites like Google, Facebook, or even PayPal. So what else is missing in creating secure sites? Kinda felt like there's this secret coding language that only a few developers know and we are just dealing with the baby stuff.
    Like super XML C/Cocoa omega alpha beta coding and stuff.

    But I'm just a noob who's not sure of his site security, thanks for the outlook. Kinda feel safer to build my sites now.
