Author Topic: Secure PHP Logins  (Read 5643 times)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Secure PHP Logins
« on: June 12, 2006, 07:24:58 PM »
I'm going to need to create a web frontend for managing clans and whatnot with the global login system.  I've never done anything related to logins or security with PHP, so I'm a bit in the dark here.  A quick google search turns up this: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/  Would that be sufficient?  Better yet, is there some kind of already-functional base code I could work off of?

Smokey

  • Autococker
  • Posts: 1172
Re: Secure PHP Logins
« Reply #1 on: June 12, 2006, 09:02:18 PM »
When I was learning PHP and needed to figure out how to do a login system, http://evolt.org/node/60265 helped me a lot.
You can probably just modify it. For any help you can ask me, or I'm sure Jesse wouldn't mind =]

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Secure PHP Logins
« Reply #2 on: June 12, 2006, 10:39:38 PM »
That example, like most I've seen, sends the password in plaintext.  It doesn't "encrypt" it until it reaches the server.  That's really almost pointless.  All it does is prevent somebody with just access to the database from obtaining your password.  Anybody with a packet sniffer anywhere along the lines can nab it.

The only way I can think of to prevent that is a) use https, or b) use some javascript encryption algorithm.  They both accomplish the same thing, more or less, but https is kind of a pain because it makes browsers pop up all kinds of security info.  Though... some might find that useful.  *shrug*

XtremeBain

  • Developer
  • Autococker
  • Posts: 1470
Re: Secure PHP Logins
« Reply #3 on: June 12, 2006, 10:51:18 PM »
Just have a company sign your SSL certificate.
For comparison go to http://whichssl.com/index.html

Javascript encryption works too, and is cheap ;).  Include a js md5 function from somewhere online.  "Salt" the string that you're encrypting with md5() in the javascript, then salt the incoming md5 with something secret within the web-app.

bug

  • 68 Carbine
  • Posts: 335
Re: Secure PHP Logins
« Reply #4 on: June 13, 2006, 07:49:29 AM »
Oy! I built my entire website from scratch with PHP/JavaScript... it's like this topic was made for me! Anyway, for JavaScript encryption, check out some of these links:

http://home.versatel.nl/MAvanEverdingen/Code/
http://www.movable-type.co.uk/scripts/TEAblock.html
http://pajhome.org.uk/crypt/md5/
http://www.fourmilab.ch/javascrypt/
http://www.blingo.com/search?q=javascript+encryption&sourceid=firefox&s=0&s=0

P.S.
I like coding PHP. Hint, hint.

TinMan

  • Autococker
  • Posts: 1347
Re: Secure PHP Logins
« Reply #5 on: June 13, 2006, 11:35:18 AM »
I like exploiting php, so once you're done I'll put it to the test for ya.  :)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Secure PHP Logins
« Reply #6 on: June 13, 2006, 01:31:00 PM »
While MD5 is probably sufficient, Javascript RSA almost seems too clever to pass up.

Smokey

  • Autococker
  • Posts: 1172
Re: Secure PHP Logins
« Reply #7 on: June 13, 2006, 02:19:28 PM »
Very nice, but for ease, I would use MD5. Also, PHP Designer 2005 or Notepad++ would help you code it :)

bug

  • 68 Carbine
  • Posts: 335
Re: Secure PHP Logins
« Reply #8 on: June 13, 2006, 03:19:24 PM »
I would suggest Programmer's Notepad

TinMan

  • Autococker
  • Posts: 1347
Re: Secure PHP Logins
« Reply #9 on: June 13, 2006, 03:28:09 PM »
I would suggest vi, but I'm just a *nix sexually promiscuous person...
<--edit--> word filter in pink, Jits, your filters are hilarious, lol
also, gedit can be very sweet when you enable some plugins and kill the wordwrap

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Secure PHP Logins
« Reply #10 on: June 13, 2006, 07:47:00 PM »
Hehe, I don't think the editor makes that much of a difference (unless it has something really handy like MSVC's intellisense).

I'm not sure if this is exactly what Bain was suggesting or not, but here's what I'm thinking if we go the MD5 route:

- Password hash stored on the server as MD5(salt+pass).
- When generating the login page, the server creates a random string (I think you can handle this with a session, but I'm not sure -- never used sessions before).
- User enters password into form, javascript hashes password as MD5(random+MD5(salt+pass)).
- Server compares that to MD5(random+stored_hash).

While probably not as secure as RSA, it should be sufficient enough to stop people from sniffing a reusable MD5 hash and logging in.  The only downside is that the salt string can't be kept secret.

Smokey

  • Autococker
  • Posts: 1172
Re: Secure PHP Logins
« Reply #11 on: June 13, 2006, 07:52:49 PM »
Do you need JavaScript to hash the MD5? $md5() does it, correct?

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Secure PHP Logins
« Reply #12 on: June 13, 2006, 08:02:19 PM »
$md5() does it in PHP on the server.

Eiii

  • Autococker
  • Posts: 4595
Re: Secure PHP Logins
« Reply #13 on: June 13, 2006, 08:05:06 PM »
> While probably not as secure as RSA, it should be sufficient enough to stop people from sniffing a reusable MD5 hash and logging in.  The only downside is that the salt string can't be kept secret.

You could have the 'salt string' be a random number based off of the current date, GMT.

TinMan

  • Autococker
  • Posts: 1347
Re: Secure PHP Logins
« Reply #14 on: June 13, 2006, 08:08:44 PM »
This new login system could use GUID's like those of Quake 3, Wolf:ET, and various other games, this could be hashed and used in the login too.

supertanker

  • VM-68
  • Posts: 127
Re: Secure PHP Logins
« Reply #15 on: June 13, 2006, 08:15:36 PM »
I know something about PHP, and a lot about sessions.

I can help if you need...

TinMan

  • Autococker
  • Posts: 1347
Re: Secure PHP Logins
« Reply #16 on: June 13, 2006, 08:21:41 PM »
Jits, try to make the login temporarily IP-based, or have some really strong cookie setup; otherwise people might just send other players links to cookie grabbers and then they'd have their cookie.

XtremeBain

  • Developer
  • Autococker
  • Posts: 1470
Re: Secure PHP Logins
« Reply #17 on: June 14, 2006, 09:47:41 AM »
> $md5() does it in PHP on the server.
No.  $md5() does it in mIRC, md5() does it in PHP.

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Secure PHP Logins
« Reply #18 on: June 14, 2006, 12:38:04 PM »
Whoa, mirc has an md5 function?

TinMan: Don't cookies have to be from the same domain to work?  Or is that security only available in certain browsers?

bug

  • 68 Carbine
  • Posts: 335
Re: Secure PHP Logins
« Reply #19 on: June 14, 2006, 01:00:51 PM »
It's a browser-specific security setting I believe, and setting the domain for a cookie is only an optional step in writing a PHP cookie (you can assign domainless cookies). Using PHP's session functions over a home-baked cookie is the best way to go.