Forged Cookies? How to secure this?

everknown

I'm using the code snippet from the libary:

http://www.phpbuilder.com/snippet/detail.php?type=snippet&id=4

So after it verififes the user name and password it supplied it sets these cookies....one: "user_name" and one for "ID_HASH"....

But i can't see anywhere in the code how you are supposed to verfify that a user with a cookie is really legimate? I imagine it relates to the second cookie that is set (ID_Has) but there is no documentation!

I dont want someone to forge a cookie and get access to mysite if they guess the right user name.

Can Anyone tell me how this ID_HASH thing works and what I need to do to double check that the user with the cookie is indeed who they are supposed to be?

Thanks!

PHPMagician

From what I can see, it relies on the variable $hidden_hash_var, which resides on the 3rd line. This is an internal password.

Within the functions, hash is compared with id_hash. hash is

$hash=md5($user_name.$hidden_hash_var);

In english, a MD5 (one-way encryption) hash of the users user_name and the hidden hash value.

To forge a cookie which will log a user in, the hidden_hash_var value will have to be known. If that is found out, then anyone can login as anyone.

Hope you understand

laserlight

To start with, the code you're using is legacy code that should be revamped, if anyone is kind enough to volunteer.

The system is inherently insecure since all one needs to do is the obtain the username and id_hash data, and these are passed in the clear between web browser and web server.

On the other hand, it may be secure enough to be used on a personal website where it doesnt really matter if someone works hard enough and manages to break into an account and do something silly.

PHPMagician

Originally posted by laserlight
The system is inherently insecure since all one needs to do is the obtain the username and id_hash data

SSL would eliminate that problem. The problem is that most applications use similar methods in the end. (ie. this forums uses sessions, which use a session id and a username basically). To maybe secure the code more, do additional checks which may help (but often, only go to complicate the situation more so):

Check to see if the Referer changed suddenly
Check to see if the IP address changed (though this can happen for valid reasons like network load balancing)
etc

They won't make it actually secure at the end of the day, but they can help to keep it secure. Things like session management are almost impossible to make fully secure because the user is simply the weak link and his or her actions are out of your control.

laserlight

SSL would eliminate that problem.

The requirement of a username and hash_id pair isnt the problem that SSL solves; the problem is that these tokens are passed in the clear.

PHPMagician

Originally posted by laserlight
The requirement of a username and hash_id pair isnt the problem that SSL solves; the problem is that these tokens are passed in the clear.

And SSL would allow them to be passed encrypted (preferably at 128 bits, maybe 40).😕

PHPMagician

Wait, I think I get what you mean. When you refered to getting the values of these tokens you didn't neccessary mean by sniffining them but by other methods, such as physically obtaining them or via XSS or similar. Unfortunetly, any application I can think of which is that automatic suffers the same fate. Can you think of a way to keep it that automatic and yet not suffer the same flaw? Thinking of methods to stop session fixation (which is basically what this is about) is a viable option to reduce the risk (often greatly, never completely) of a session (or similar concept) being hijacked.

laserlight

When you refered to getting the values of these tokens you didn't neccessary mean by sniffining them but by other methods, such as physically obtaining them or via XSS or similar.

Actually I was just referring to packet sniffing (hence the phrase "passed in the clear").

everknown

Hi everyone. Thanks for all your advice. I don't think I want to use SSL since it is adds a good amount of expense to my web hosting provider fees (which i find inexplicable, but oh well)

How is this code legacy? Is it because it does not use sessions? I'm having all sorts of problem with the cookies. For example, when i delete the cookie, it comes back as 'deleted' until i close my browser and come back.

I posted this in a different thread but i didn't get any responses.

I guess for security i'm going to restrict my admin account by IP address and just hope for the best.

PHPMagician

Then I am confused. How, then, would SSL not solve the problem of passing these values. This would eliminate the problem of variables being passed to and from the client and server in clear text form.

The system is inherently insecure since all one needs to do is the obtain the username and id_hash data

This is the quote I am refering to. At that point, did you mean by packet sniffing or via any method. I meant via packet sniffing, and hence offered SSL as the most obvious solution. It then occured to me that maybe you meant by any method (ie. XSS, direct access to the cookie, social engineering), which is why you said SSL did not solve the problem. Now, I don't really know what is being said. :p