Login and security

________

Hi,
I got a problem with a login scrip... When a user login to my site, the script creates a session with user id, username and password... which is checked against the database on every page. It works fine... but I have read the sessions is easy to hack and read - so I need to make the member area safer... how do I do that?
I'm thinking of one solution where I add the IP address of the user both to a database and the session when the user login. Then on every page check the user id, username and password against the user table, and IP address against the login table?
Is that a good solution or is there any better way to do that?`

Where can I find info about how to protect the sessions?

Thanks!

DoD

For extra security, dont stick a password into a session.

Passwords are confidential - and at most, if you use a password in a script, its best to have it used, processed and cleared by the 3rd line. A god thing to look at with passwords is md5()

When i had my own login, i assigned a number between 0 and 100000 to every user (random number) and checked the one in the cookie with the one in the db. Unless they knew my db password, host, name and login, then they couldnt find out this random number.

________

🙂
Thanks,
that's a good idea!

By the way... I'm not storing the password uncrypted in the session!

I like DoD's idea... but I'm open for other suggestions!

Pests

Heres how I do it, I use a cookie, but the same thing can be applied to a session:

//Store the secret in an include file so you can use it later
$secret = "Blue Eyed Butterflies"; //Completly random

$md5Password = md5($password); 
$store = base64_encode("$userId:$userName:$md5Password";)
$hash = md5($store.$secret);

setcookie("login", "$store:$hash");

Then, when I validate:

/* 
	You need the $secret variable here, I suggest including it so you can 
	change it without having to change all the others
*/

/*
   This checks to see if the base64'ered version of the cookie matchs
   the hashed version of it, the only way it wouldnt match is if someone
   changed either the base65'ered part or the hash
*/
$parts = explode(":", $_COOKIE['login']);
if(md5($parts[0].$secret) == $parts[1])
{
	$base = base65_decode($parts[0]);
	$split = explode(":", $base);
	/*
		Now:
		  $split[0] = userId
		  $split[1] = usermame
		  $split[2] = md5(password + secret)

	Now you need to test it against the datbase
	  "SELECT * FROM user WHERE userid = '$split[0]' AND username = '$split[1]' AND password = '$split[2]'"
*/
} else {
	die('Hacking attempt');
	//Might also be some strage cookie error
}

The only problem with this is that every use always gets the same hashed cookie unless you change the secret or there username/password/id changes. I would suggest updating a table in the database with the time they logged in and using that as $secret, or use $secret and the time. Then when you validate your going to have to get the time out of the database and then check to see if the info is correct.

Arc

Only check the Username and password once in the login page. If the username/pass excist then create the session with the Username.

Then on all your other pages just check to see if the session is registered. and if not redirect them to the log in page.

session_start();
if (!session_is_registered("SESSION"))
{
// if session check fails, invoke error handler
header("Location: login.php");
exit();
}

Weedpacket

Secure your server well enough to prevent people from getting in to read the session data in the first place 🙂

________

I would like to secure the server well enough... but there is so many ways to hack the server it even possible to "listen to your network traffic" - ( from the php manual, Sessions, Sessions and security), so I'm trying to make it as secure as I can with php.

Has anyone got any experience with using SSL to secure sessions?