Secure Login without SSL

cafrow

OKay, I am trying to get a somewhat secure login system with a secure Admin section where my whole site can be updated from. Below is a couple of things that I am working on, I have added some lines just now and have not tested them yet. Please let me know what you think and what I could do better.

<?php
session_start();

if (!$_session['login'] == "true"){

$username=$_REQUEST['username'];
$userpass=$_REQUEST['userpass'];
$random=md5($_REQUEST['random']);
include'mconnect.php';

$SelectTable = mysql_query("SELECT * FROM Users WHERE user ='$username' ");
$row = mysql_fetch_array ($SelectTable);

$correctpassword= $row["password"] . $random;
$correctpassword= md5($correctpassword);

if ($userpass == $correctpassword){
$_SESSION['login']="true";
$_SESSION['user']=$username;
$_SESSION['status']=$row["status"];
}
else{
$_SESSION['error'] = "Password Incorrect";
}

mysql_close($mconnect);
}

header("LOCATION: control.php");
?>

my Login page where the user types his / her name and password get a Random number from the server that is Hashed and then added to the already hashed password and hashed together using a Java script. Basicly I want to make sure that the password is not send in plain text and is not the same thing everytime and make it a little bite of a challange to reverce the MD5 hash.
( ClientSide hash Explained )

Take Users Password and MD5 Hash it.
Then hash the Random number and add it to the END of the Password Hash and hash those 2 combined.

Now for my security check system where I see if the user is loged in and allowed to view a site I am getting kind of stuck, as of now here is what I have.

<?php
if (!$_SESSION["login"] == "true"){
header("LOCATION: index.php");
exit();
}
?>

I was thinking that I could add a little more security by saving the IP address of the client in someway on the server and checking to see if the clients IP address is the same when they run thru the security.

This is a work in progress, I have looked around and was not able to find someone posting a whole security system. I know that nothing is un-hackable, even SSL is not completely secure. I just want something that is decent for security.

if you have any suggestions please post it here, as I keep working on the code I will keep updating it here.

Weedpacket

In short it turns extracting the password into an MD5-cracking exercise, in which the attacker needs to guess a password p such that
MD5(p.(intercepted random)) = (intercepted hash)

clauslund

Be careful about implementing any kind of session restrictions based on the user's IP.
Users from some ISPs can potentially have a new IP on every request. So there would be no guarantee that the user has the same IP doing their stay at your site.

cafrow

thanks for that bit of info, I did not know that certain ISPs would do something like that. I had a new Idea last night. Can Javascript use cookies or Read cookies? What I would like to do we be the fallowing if it could.

When a user registers for an account my server will set a cookie on that users computer with a long random number in it. Now if javascript could read that cookies info and the users password to create a hash. The cookie is client side and is only send when the user deletes it or when a new account is made. The server will have the value stored locally so that it is not always send over the net in plain text. Now I would also include a random number just so that the hash is not always the same. Would that work at all? and if I did get it to work would it be a good way of doing it?

not sure if that above made sence but it would looks something like this

Hash (RandomNumberFromServer + (Hash(password) + Hash(cookienumber))

thanks for any input, now that I keep thinking of all these ways I might as well just do it the simple way, but this is just kinda fun.

EDIT: PS. this is also not a login system for just anyone, I want this to be the way that ADMINs login, not just general public because I know that not everyone has Javascript and Cookies turned on.

I just added the Edit, not on time because someone had already replied. 😃

planetsim

Im not sure about reading but yes Javascript can create a cookie. However not the best way to do it though. Javascript can be turned off

gabriel_koen

What happens if your Admins change computers, clear out their cookie caches, install a new browser, reformat their harddrive, buy a new computer? How would they get a new random string cookie without re-registering?

aliahmad

Dear Sir
I checked your post on this forum and understand you can solve my problem. If you have solution of my problem then please send me reply as soon as possible.
I want to enable authentication username and password on my HTML page. I am using this code, which is given below. I just get this code from Internet. I don’t know about this code. When I uploaded this code page on my domain only login page appeared. I also don’t know what the user name and password is set in this code to access my page. That HTML page name is admin.html, which I want to access from this login page. But I didn’t enter anywhere in this code. Please understand my problem and reply me as soon as possible. My email address is support@ezzimail.com. I will be very thankful to you.

<?php
if (!isset($SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>ali {$_SERVER['PHP_AUTH_PW']}.</p>";
}
?>

Thanks

synergypoint

I would go so far as to say that a "secure" login that doesn't use SSL isn't secure at all.

As long as you are passing information back and forth between the browser and server it can be intercepted.

Weedpacket

Originally posted by synergypoint
I would go so far as to say that a "secure" login that doesn't use SSL isn't secure at all.

As long as you are passing information back and forth between the browser and server it can be intercepted.

There's no such thing as "secure". There's "more secure" and "less secure". This is more secure than sending the password in clear. It doesn't encrypt anything else, but that's not its intention.