Creating a Secure Login Script in PHP

[z01d]

Hi.
I am building a simple session-based user system with php.
To log in users, I take their login and password and then compare the values against values stored in the mysql database. If values match, I register a session and that is it, the user is loged in.

Before rolling it out, I would like to know if these measures are enough securitywise? What else can I do to ensure tight security? The authentication process that I am using is in every PHP book, so I am worrying that hackers must have found a way around this simple step.
I am on a shared host on FreeBSD with Apache, PHP and MYSQL.

Thank you for all your input. I believe this information will be of use to many of us who are making first steps in PHP development.

z01d

[jdiben]

Before rolling it out, I would like to know if these measures are enough securitywise?

It depends on the type of data that you are trying to secure. If you are trying to protect a list of your favorite songs than you don't have anything to worry about. If, on the other hand, you are trying to protect credit card numbers or similar information than no it is not enough security. My point is simply that if the data you want protected is not worth a hackers time than it is safe. Another thing to consider is no matter what kind of security you use your data is still stored on someone elses server.

Joe

[z01d]

Thank you for your reply, jdiben.
I am trying to protect customer logins/passwords, emails and statistics. In general, I'd like to ensure that the system and mysql database cannot be hacked or compromised.

[USALUG]

You could run the server in https and have all transmitted data encrypted also. It's a simple matter of setting up ssl and including a directive in the .htaccess file or in the apache config file. Less prone to traffic sniffing that way.

[williamc]

Why not use standard apache authentication?

Heres some sample code that may help:

for recreating the .htpasswd file when a new member signs up

Code:

// get all users data from the database
$result = mysql_query("SELECT * FROM users", $db);

// declare an array
$htpasswd = array();

// scroll thru all users data and add required user/pass to array
while($row = mysql_fetch_array($meresult)){
  array_push($htpasswd, "$row[login]:" . crypt($row[password], 'AW'));
}

// make a backup of the previous password file if wanted
copy('members/.htpasswd', 'my_backup_dir/htpasswd.bak.' . time());

// Open and get a lock on the passwordfile
$fp = fopen('members/.htpasswd', 'a');
while(!flock($fp, LOCK_EX)){
  sleep(1);
}

// rewrite the file
fseek($fp, 0);
ftruncate($fp, 0);
foreach($htpasswd as $var){
  fputs($fp, "$var\n");
}

// complete the process
fflush($fp);
flock($fp, LOCK_UN);
fclose($fp);

in your members area php scripts you use the below to get the username of this user from apache:

Code:

$username = $_SERVER[PHP_AUTH_USER];

you can then get any of their details from mysql by doing a

Code:

SELECT * FROM users WHERE username='$username'

Thats about as secure as it gets really.

[smo]

Your host also should take care of some points.
Should never allow the warning or error messages to display the full path of the server. If your script sending some error message along with the file name if path is exposed then hacker will get a idea of session dirctory and other sites hosted in the same server. I have seen one host showing this.


If you are allowing members to sign up, then only allow numbers or letters. One of my client once asked me to add this check in signup form as this allows hackers to use sysmbls like / , ? etc and get some info on the server , directory etc.. I don't know how this works.

Life of the session ID is important and it should not last for more than some few minutes if the browser is in no contact with the server.

[Xcalabers]

Smo is right. If you haven't protected against SQL injection your in trouble. Also I would look at saving the password in the database as a hash. Here is an example using mysql's built in function:

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e |
+--------------------+

I don't see a link to your site though so it's hard to make more sugestions.

[nelsonez]

I am not entirely sure how or what code would be used but I did read the following from a white paper on web security.

It might allow someone to type in something like this into the form "print `cat /etc/passwd`" (or worse) as the input string.

Another common security breach is to do backward directory traversing using ../


Eric

<><><><><><><><><><>
My two companies: Affordable Web Makeovers | Kanantik – Belize Resort

[nelsonez]

One other simple thing that can be done is to apply validation to the forms to make sure your visitors can only input what is needed and/or wanted.

A surprisingly overlooked mistake is to not set a maxlength value to your input boxes. The likelyhood of accidently excluding someone who has an email address of over 40-50 characters is pretty small.

<input type="text" name="MAILFROM" VALUE="" maxlength="40" size="20">

Eric

<><><><><><><><><><><><><><>
My two companies: Affordable Web Makeovers | Kanantik - Belize Resort

[z01d]

USALUG, thanks for your suggestion, I will have to look if my host offers https option for me and how much it costs.
Williamc, good suggestion. I read somewhere that HTTP authentication is the most secure authentication method there is. The problem with HTTP authentication is that I do not want users to be thrown an HTTP Auth password screen nor do I want them to be redirected to a separate “members” area. I would like to have the login and password fields on the main page of the site, in the same as it is done here at webproworld (the top-right “username” and “password” boxes). I recon that if I strive for maximum usability to attract repeat users (and I should, according to the numerous postings on this forum), a user should have access to all frequently-used features of the site on the main page.
Xcalabers, I found another hashing method in PHP through md5() function, which one is better mysql password() or php md5()?
So now, this is what I am going to do (please critique or comment on the below steps, your input is very valued):

1.Limit the maxlength value to the input boxes to say, 15 letters (thank you, nelsonez).

2.Use addslashes() on the variables to prevent mysql injection. Will have to make sure that magic_quotes is turned off in the php directive on my host (thank you, smo).

3.Encrypt the password through md5() and check it against the encrypted passwords stored in the database. I think this is useful because even if someone gets access to the user table, he will not know the initial password, only its encrypted value.

4.Register a session variable, i.e. $_SESSION['valid_user'] and redirect user to the members area.


Z01d