Author Topic: Secure PHP Logins (Read 5640 times)

jitspoe · « **on:** June 12, 2006, 07:24:58 PM »

I'm going to need to create a web frontend for managing clans and whatnot with the global login system. I've never done anything related to logins or security with PHP, so I'm a bit in the dark here. A quick google search turns up this: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/ Would that be sufficient? Better yet, is there some kind of already-functional base code I could work off of?

Smokey · « **Reply #1 on:** June 12, 2006, 09:02:18 PM »

when i was learning php and needed to figure out how to do a login syste, http://evolt.org/node/60265 helped me alot
you can probally just modify it. for any help you can ask me, or im sure jesse wouldent mind =]

jitspoe · « **Reply #2 on:** June 12, 2006, 10:39:38 PM »

That example, like most I've seen, sends the password in plaintext. It doesn't "encrypt" it until it reaches the server. That's really almost pointless. All it does is prevent somebody with just access to the database from obtaining your password. Anybody with a packet sniffer anywhere along the lines can nab it.

The only way I can think of to prevent that is a) use https, or b) use some javascript encryption algorithm. They both accomplish the same thing, more or less, but https is kind of a pain because it makes browsers pop up all kinds of security info. Though... some might find that useful. *shrug*

XtremeBain · « **Reply #3 on:** June 12, 2006, 10:51:18 PM »

Just have a company sign your SSL certificate.
For comparison goto http://whichssl.com/index.html

Javascript encryption works too, and is cheap

. Include a js md5 function from somewhere online. "Salt" the string that you're encrypting with md5() in the javascript, then salt the incoming md5 with something secret within the web-app.

bug · « **Reply #4 on:** June 13, 2006, 07:49:29 AM »

Oy! I built my entire website from scratch with PHP/JavaScript... it's like this topic was made for me! Anyway, for JavaScript encryption, check out some of these links:

http://home.versatel.nl/MAvanEverdingen/Code/
http://www.movable-type.co.uk/scripts/TEAblock.html
http://pajhome.org.uk/crypt/md5/
http://www.fourmilab.ch/javascrypt/
http://www.blingo.com/search?q=javascript+encryption&sourceid=firefox&s=0&s=0

P.S.
I like coding PHP. Hint, hint.

TinMan · « **Reply #5 on:** June 13, 2006, 11:35:18 AM »

I like exploiting php, so once you're done I'll put it to the test for ya.

jitspoe · « **Reply #6 on:** June 13, 2006, 01:31:00 PM »

While MD5 is probably sufficient, Javascript RSA almost seems too clever to pass up.

Smokey · « **Reply #7 on:** June 13, 2006, 02:19:28 PM »

very nice, but for ease, i would use md5. Also, php designer 2005 or notepad++ would help you code it

bug · « **Reply #8 on:** June 13, 2006, 03:19:24 PM »

I would suggest Programmer's Notepad

TinMan · « **Reply #9 on:** June 13, 2006, 03:28:09 PM »

I would suggest vi, but I'm just a *nix sexually promiscuous person...
<--edit--> word filter in pink, Jits, your filters are hilarious, lol
also, gedit can be very sweet when you enable some plugins and kill the wordwrap

jitspoe · « **Reply #10 on:** June 13, 2006, 07:47:00 PM »

Hehe, I don't think the editor makes that much of a difference (unless it has something really handy like MSVC's intellisense).

I'm not sure if this is exactly what Bain was suggesting or not, but here's what I'm thinking if we go the MD5 route:

- Password hash stored on the server as MD5(salt+pass).
- When generating the login page, the server creates a random string (I think you can handle this with a session, but I'm not sure -- never used sessions before).
- User enters password into form, javascript hashes password as MD5(random+MD5(salt+pass)).
- Server compares that to MD5(random+stored_hash).

While probably not as secure as RSA, it should be sufficient enough to stop people from sniffing a reusable MD5 hash and logging in. The only downside is that the salt string can't be kept secret.

Smokey · « **Reply #11 on:** June 13, 2006, 07:52:49 PM »

do you need javascript to hash the md5? $md5() does it correct?

jitspoe · « **Reply #12 on:** June 13, 2006, 08:02:19 PM »

$md5() does it in PHP on the server.

Eiii · « **Reply #13 on:** June 13, 2006, 08:05:06 PM »

Quote from: jitspoe on June 13, 2006, 07:47:00 PM

While probably not as secure as RSA, it should be sufficient enough to stop people from sniffing a reusable MD5 hash and logging in. The only downside is that the salt string can't be kept secret.

You could have the 'salt string' be a random number based off of the current date, GMT.

TinMan · « **Reply #14 on:** June 13, 2006, 08:08:44 PM »

This new login system could use GUID's like those of Quake 3, Wolf:ET, and various other games, this could be hashed and used in the login too.

supertanker · « **Reply #15 on:** June 13, 2006, 08:15:36 PM »

I know something about PHP, and alot about sessions.

I can help if u need...

TinMan · « **Reply #16 on:** June 13, 2006, 08:21:41 PM »

Jits, try to make the login like temporarily ip based, or have some really strong cookie setup, otherwise people might just send other players links to cookie grabbers and then they'd have their cookie.

XtremeBain · « **Reply #17 on:** June 14, 2006, 09:47:41 AM »

Quote from: jitspoe on June 13, 2006, 08:02:19 PM

$md5() does it in PHP on the server.

No. $md5() does it in mIRC, md5() does it in PHP.

jitspoe · « **Reply #18 on:** June 14, 2006, 12:38:04 PM »

Whoa, mirc has an md5 function?

TinMan: Don't cookies have to be from the same domain to work? Or is that security only available in certain browsers?

bug · « **Reply #19 on:** June 14, 2006, 01:00:51 PM »

It's a browser-specific security setting I believe, and setting the domain for a cookie is only an optional step in writing a PHP cookie (you can assign domainless cookies). Using PHP's session functions over a home baked cookie the best way to go.