php+mysql authentication script

klansman

hi everyone!

I have just developed an authentication script to protect some php content...

It authenticates users against a mysql database using php sessions and session_cookies.

What i would like to know is simply whether it is safe or not. What are the potential most serious security flaws?

Let me describe the authentication process (which may be familiar to most of the readers)...

session_start()
not authenticated? -> login request form
after the request form, pass entered username and password to some session variables
check against database if there is any entry matching entered username+password strings
4.1. If there is a match, pass some other variables from the database into session variables.
4.2. If there is no match, remove all session variables and give error message. Script ends
intended content is rendered. Script ends

The way i built it makes it usable via an include() or require() call in any php file. That include() does all the authentication work. If the authentication comes out true, the script simply allows the execution of the rest of the file. If not, it stops... i think you know what i mean.

Another feature is that it allows one to stay "logged in" in every page requesting that script. The thing is that once you login, the session is created with your data, so that when you try to include() the script again in another file, it executes the session_start() and the variables are there. The verification is then made transparently, no login form this time.

This is where i think the script fails... There is allways the username+password among the session variables. Is there a way to access those variables from the outside??

Another thing is that if i login with that script from one browser window, and make a new window, i try to login again and i am already logged. This is another flaw... i figured out that the browser sends some kind of a hash and that the php sessions use that hash to identify a session... or something like that.

Is there any way to create a unique session_name everytime i log in? Of course, that name must be maintained so that the "login" effect stays.

How are "professional" authentication scripts made? What kind of php functions do the pros use??

Sorry for the long post, sorry for the lousy english and please relocate this form if the moderators/admins think it is out of place.

Thank you very much!

[]

sfhc

I just have a few general commments.

The overall flow of your authentication scheme is not majorly flawed.

First, I can't think of a concieveable reason to have the password in the session.

For most of my log in scripts I only add the user name to the sesion. Most of the time there is also a user type associated with user accounts ( ie. 1 for admin, 2 for regular user... ), that also gets placed in the session.

As far as opening another browser window and the session from the other window persisting, I have see that happen and not happen depending on browser and OS.

One way to keep this from happening, is to use php's uniqid() function. phpAds does something similiar to that.

klansman

Hi again.

well... i appreciate the comments. I am pleased to see that the script is not "majorly flawed" because it was, in fact, the first attempt.

Two things i would like to clear up:

i keep the password in the session so i can re-authenticate the user in every page that is protected.

Can i replace this procedure with only one authentication (the first) and an "authenticated=bool" variable in the session? Then, each protected page would just look at the "authenticated" variable to see the login...

That way... i think one bad thing will happen... If i authenticate a user as an admin and logout without leaving the browser window, then login again as a regular user, i can hit the back button twice (or more times) and i can be using an admin-protected page with a regular user.... Will uniqid() help me on this?? i guess so.

How is that used?? can anybody give me an example??

i only distinguish 3 types of users (super-admin (or root), admin and users), but the "user level" is a good idea.

thanks!

[]

sfhc

You said:

This is exactly what you should do

A simple routine may be:

if(empty($_SESSION[userID]) || $_SESSION[loggedIn != 1){
  // user is not logged in....
  exit;
}

if($_SESSION[userType] != "superAdmin")){
   // user is not an admin
   // go on to user function or exit
}

By turning register_globals to of and using php defined vars such as $SESSION, $POST you further prevent spoofing.

klansman

oh, yes, absolutely. Register_variables is off since i started learning php... no problem there...

The thing is that phpnuke and siteseed won't work with register_variables off... that's a big shame!

Something i noticed is that phpnuke stores the session id in the users's info under the database. Why is that for??

The authentication variable is already changed. It works as well as with the session_password. Another thing i did was to generate a uniqid(md5(rand())) to $_SERVER["UNIQUE_ID"] each time a user wants to login, so that a new browser window allways asks for a login. In case you forget to logout, all you have to do is to close that browser window... it should be ok.

What more can i do to improve the script, in terms of security?

[]

sfhc

Yes it is a shame about most popular scripts not being compaitable with the register globals thing.

There is not a whole lot else you can do with the script.

May be this, I use crypt() on my passwords going into the db on account creation, so the log in script must use crypt() to convert the text before the query.

klansman

the user level thing is done and works fine.

thanks for the tips.

the encryption scheme i use is encrypt().
i tried md5() and then crypt(). The reason why i use encrypt() is because of the salt parameter. for the salt i use something from each user, something that changes from user to user but does not change between logins for one user. (like the username)
With md5() or crypt() if you have 2 equal passwords, the encrypted versions are also the equal. That does not happen with encrypt().

again, thank you for the tips. After checking things out looking for loose-ends and cleaning up the code a little bit, it will be available soon on my website:
http://arrakis.dhis.org

[]