So I have been reading up on how to authenticate users securely. My question is: which way should I go? I've read about sessions in PHP and cookies, and all of them have their flaws.

I was wondering if anyone could point me in the direction of a system they have used in the past.

I basically want to authenticate users against a MySQL database. Only 5 pages will need to be secured.

Thanks for the help and suggestions ahead of time!

-Ryan R.
mw-dnb.com

    Hello,

    If you've only got a small number of pages to protect, why not just use Apache authentication? This takes care of all worries.

    If not, then you can just write your own simple authentication script in PHP. PHP handles sessions transparently if you have version 4+; you do not need to worry about session cookies etc. unless you really want to get down to the nitty gritty.

    Easy Peasy.

    If you need specifics just ask.

      First off, there is no such thing as a secure way. And PHP's method of handling sessions (set the session_id in a cookie, map that session_id to data in the database) is as good as you can get.

      Even with Apache-style basic authentication, you are still pretty insecure, more so than using a cookie to store a session id. The browser remembers the username and password and simply sends them in plain text across the internet, included in the page request, in an equivalent manner to POSTing them with every page request..... The cookie sends your session id, but that does not include your name or password in it.

      PHP can actually get access to these variables in $_SERVER; see PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_AUTH_PWD (or something, I don't know if that's right off the top of my head).

      So you could write your own browser-based authentication method similar to Apache's mod_auth using just PHP.

      Read up here about Apache authentication:
      http://www.apacheweek.com/features/userauth
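      The "do it in PHP instead of mod_auth" idea from the post above, as an added example that is not code from the thread. The server variables the post was unsure about are $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']; PHP fills them from the Authorization header the browser resends with every request, base64-encoded but not encrypted, which is why this only makes sense over HTTPS. The user table, usernames and passwords below are constructed for the example; a real site would keep those rows in MySQL.

```php
<?php
// Added example (not from the thread): HTTP Basic authentication handled by PHP
// rather than by Apache's mod_auth. PHP populates $_SERVER['PHP_AUTH_USER'] and
// $_SERVER['PHP_AUTH_PW'] from the Authorization header on each request.

// Constructed sample user table (username => password hash). The passwords are
// made up for this example; a real site would read these rows from MySQL.
$USERS = array(
    'ryan'   => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'mystic' => password_hash('another-made-up-password', PASSWORD_DEFAULT),
);

// Verify a password against the stored hash. An unknown username is checked against
// a throwaway hash so "no such user" and "wrong password" take about the same time.
function check_credentials(array $users, $user, $pw)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : $dummy;
    return password_verify($pw, $hash) && $known;
}

// Returns the authenticated username, or sends a 401 challenge and stops the script.
function basic_auth_user(array $users, $realm = 'Members only')
{
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    $pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : null;

    if ($user !== null && $pw !== null && check_credentials($users, $user, $pw)) {
        return $user;
    }

    // First visit (no header yet) or bad credentials: challenge the browser. It will
    // prompt the user, then repeat the request with an Authorization header.
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    echo 'Authentication required.';
    exit;
}

// A protected page: everything below the guard only runs for a valid login.
$who = basic_auth_user($USERS);
header('Content-Type: text/plain');
echo "Hello, $who. You reached a protected page.\n";
```

      Two caveats a practitioner would want: PHP only sets PHP_AUTH_USER/PHP_AUTH_PW by itself when it runs as an Apache module; under CGI/FastCGI the Authorization header is not passed through unless the server is configured to forward it. And, as the post says, there is no real logout with Basic auth: the browser keeps resending the credentials until it is closed, which is the main reason a session id in a cookie is usually preferred.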

        Sessions or Apache AUTH are both viable options, but only if you are using SSL. Sessions are usually the more attractive option for me, since I can control permissions dynamically from the database.

          I read over session variables and they seem the most viable direction to take. Lots of sites and tutorials also say that you should write an entire script and then require it in each protected file.

          I just want to protect a couple of areas of a piece of software I'm writing for musicians to make profiles about themselves.

          I'm going to go ahead and start on session variables tonight, and I appreciate everyone's suggestions and information!
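          The "write one script and require it in each protected file" approach from the post above, as an added example that is not code from the thread. The file name auth_check.php, the session keys user_id and last_seen, and the login URL are assumptions; the cookie flags are the standard PHP session settings, and session.cookie_secure is what ties the session to the SSL requirement mentioned earlier in the thread.

```php
<?php
// Added example (not from the thread): auth_check.php, to be required as the first
// line of each protected page:  require 'auth_check.php';
// Assumes the login handler stored the user's id in $_SESSION['user_id'] and a
// timestamp in $_SESSION['last_seen'] (assumed key names).

// Session cookie flags. These must be set before session_start() is called.
ini_set('session.cookie_secure', '1');     // only sent over HTTPS
ini_set('session.cookie_httponly', '1');   // not readable from JavaScript
ini_set('session.cookie_samesite', 'Lax'); // not sent on cross-site POSTs (PHP 7.3+)
ini_set('session.use_strict_mode', '1');   // ignore session ids the server never issued
session_start();

define('IDLE_LIMIT', 30 * 60); // seconds of inactivity after which the login expires

// Clears the server-side session data and expires the cookie in the browser.
function logout()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Returns the logged-in user's id, or ends the session and redirects to the login page.
function require_login($login_url = '/login.php')
{
    $now  = time();
    $seen = isset($_SESSION['last_seen']) ? (int) $_SESSION['last_seen'] : 0;

    if (empty($_SESSION['user_id']) || ($now - $seen) > IDLE_LIMIT) {
        logout();
        header('Location: ' . $login_url);
        exit;
    }

    $_SESSION['last_seen'] = $now;
    return (int) $_SESSION['user_id'];
}

$current_user_id = require_login();
// Everything after this line only runs for a logged-in user.
```

          The guard does nothing but check what the login handler put in the session; it never sees the password. Keeping all the checks in one required file is what makes the "only five pages" case manageable: forgetting the require on a page is the only way to leave it open, which is easy to audit.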

            Just out of curiosity, how would something like this work?

            Username and password are MD5 encrypted and stored in a MySQL database.
            An SSL cert on the site exists.
            Client visits a webpage and types username and password into a form..

            <input type='text' name='username'>
            <input type='password' name='password'>

            Anyway, when the form is submitted, PHP does an MD5 on it..

            // read the submitted form fields (register_globals is off, so $username
            // and $password are not set automatically)
            $username = isset($_POST['username']) ? $_POST['username'] : '';
            $password = isset($_POST['password']) ? $_POST['password'] : '';
            $U = md5($username);
            $P = md5($password);
            

            Then it does a MySQL select to see if they match..

            // my_file.php defines $MY_HTTPS_URL and the two connection helpers,
            // so it has to be included before either is used
            include("../../my_file.php");
            Open_MySQL_Connection();

            // $U and $P are 32-character hex digests, so no raw user input reaches
            // the query text; the comparison is against the stored MD5 values
            $Query = "SELECT username, password FROM USER_TABLE WHERE username = '".$U."' AND password = '".$P."'";
            $Result = mysql_query($Query) or die('ERROR: '."<HR>".mysql_error()."<BR>".$Query."<BR><HR>");

            // that little OR DIE part comes in handy when testing
            // new and complicated queries (it also echoes the query to the
            // visitor, so take it out once the page is live)
            $RCount = mysql_num_rows($Result);

            if ($RCount < 1) {
                echo "ACCESS DENIED!";
                Close_MySQL_Connection();
                exit();
            } else {
                echo "ACCESS GRANTED!";
                echo "click <a href='".$MY_HTTPS_URL."'><B> HERE </B></a> to enter pages..<P>";
                Close_MySQL_Connection();
            }
            

            The $MY_HTTPS_URL variable can be stored in a different file (my_file.php) that has the URL stored in it.. not sure if that does any good or not, but it can't hurt...

            // filename: my_file.php
            $MY_HTTPS_URL = "https://www.my_secure_server.com";

            // names match the calls in the login script above
            function Open_MySQL_Connection() {
            // stuff here to connect to MySQL..
            }

            function Close_MySQL_Connection() {
            // stuff here to dis-connect from MySQL..
            }
            // #EOF #
            

            Would something like that be considered secure?

            just curious...
            Maybe it will be useful to somebody.. maybe not, but I hope so..

            -Mystic
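            The same login step as the post above, as an added example that is not code from the thread, redone with a prepared statement and password_hash()/password_verify() in place of MD5. MD5 is deterministic, so md5($password) at login does equal the value stored at registration; the problem is that an unsalted, fast hash of a password is cheap to crack offline once the table leaks, which password_hash() (a salted, slow hash) addresses. The table layout, the connection settings in db(), the session key user_id and the redirect URL are assumptions for the example. The username is kept in plain text so it can still be searched and used as a key.

```php
<?php
// Added example (not from the thread): login against MySQL with a prepared
// statement and password_hash()/password_verify(). Assumed (not from the thread):
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       username VARCHAR(64) UNIQUE NOT NULL,
//                       password_hash VARCHAR(255) NOT NULL);
// plus placeholder connection settings and $_SESSION['user_id'] as the key the
// protected pages check.

ini_set('session.cookie_secure', '1');   // session cookie only over HTTPS
ini_set('session.cookie_httponly', '1'); // not readable from JavaScript
session_start();

function db()
{
    // Placeholder credentials (assumed); replace with your own.
    $db = new mysqli('localhost', 'app', 'app-password', 'musicians');
    if ($db->connect_error) {
        throw new RuntimeException('database unavailable');
    }
    return $db;
}

// Registration: store a salted, slow hash of the password, never the password itself.
function create_user(mysqli $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login: fetch the hash for this username, then verify the submitted password
// against it. Returns the user id, or null for both "no such user" and "wrong
// password" so the response does not reveal which usernames exist. The bound
// parameter keeps the username as data, not SQL, whatever the visitor typed.
function authenticate(mysqli $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = (bool) $stmt->fetch();
    $stmt->close();

    // Unknown user: verify against a throwaway hash so timing looks the same.
    if (!$found) {
        $hash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $hash) || !$found) {
        return null;
    }
    return (int) $id;
}

// Form handler for the <input name='username'> / <input name='password'> form.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$user_id = authenticate(db(), $username, $password);
if ($user_id === null) {
    http_response_code(401);
    echo 'ACCESS DENIED!';
    exit;
}

// Fresh session id on login, so an id an attacker planted before login is not reused.
session_regenerate_id(true);
$_SESSION['user_id']   = $user_id;
$_SESSION['last_seen'] = time();
header('Location: https://www.my_secure_server.com/profile.php'); // assumed URL
exit;
```

            Compared with the original, the three changes that matter are: the stored value is a salted slow hash rather than an unsalted MD5; the lookup is by username only, with the password compared in PHP rather than in the WHERE clause; and the session id is regenerated at login before the user id is written into it.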

              Yes and no.... Encrypting the password by any means is good, so an MD5ed password is better than a plain one. You can still check it, but you can't read it alone.

              You need to worry about two types of security in general..

              1) Stop a hacker from intercepting your data.

              2) Assume the hacker is in your computer; stop the hacker from getting too much useful data in the first place.

              Encrypting the username I don't know about. You can't get to your raw usernames in your database when you want to, and I'm assuming you would key off them. You could always assign a fake integer key and MD5 both u and p.

              If you are using SSL then you are encrypting things before transfer... this is very good... blocks transfer hacking for the most part, unless the hacker is around to intercept the original key passing.

              When the data gets to you, only encrypt the password in the database... if you encrypt anything else, how will you get to it later when you want to read it? You can get away with the password (and maybe username) because they are sent every time by every user... you would be hard pressed to secure any other data unless you used a program to generate public and private keys for each user, then stored the keys in secure areas of your hard drive and used them each login to re-decrypt all data in the database about a user.

              But at this point you lose any searching capabilities of an RDBMS...

              Enough from me...

                Well, since the data doesn't seem too sensitive, I'm confident that sessions and SSL should be more than sufficient for you. I'm not really sure how the md5 function hashes the data, but I don't believe you can md5 the data, throw it in a database and expect a later md5 function call to match up to the same encrypted string that the database is storing, unless it uses the same cipher text to encode. If this is the case, you've tested it, and it works, please let me know. I'd be very interested in exploring this more. (ednark mentioned "you can still check it", so I guess I'll take it as a yes.)

                Anyway, you can probably store the passwords in plain text in the database since they will be encrypted via SSL across the wire. If you need an "I forgot my password" link, clear text passwords might be good (I suppose you could reset their account with a temporary password and make them change it later if you wanna follow the md5 model).

                I agree with ednark emphatically on this point:

                2) Assume the hacker is in your computer; stop the hacker from getting too much useful data in the first place.

                It doesn't matter what you do in between if the hacker has access to your machine. In fact, I had a Win32 Apache server running, and according to my logs, my buffer got overrun and then the attacker was making requests to my HTTP server via my machine! So be careful with your file permissions and watch security posts carefully as well.

                  I just wanted to thank everyone who posted for the help!

                  I finally have a grasp on how sessions work 😃 😃

                  After much confusion and a lot of sodas I have authentication working (roughly) on my site.

                  Thanks a lot guys!

                  -Ryan R.
                  mw-dnb.com
