Secure authentification/sessions

blackened

Hi, I've code this authentification system for a website and I want to get feedback on the methods used.

SSL is used to access the website (AES-256). Times out after 10 minutes of idling.

MD5 hash are used to store password in DB and compare with user input when loggin in.

Once connected/authenticated, the session is kept open by verifying PHP Session ID, IP that was used when first authenticated, and SSL Session ID. If any of those doesn't math up, the session is invalid and the user must log back in.

One session beeing defined by going to the web site, loggin in, and ending when the user clicks on the "Logout" button or closes the browser (or goes to another website, this will brake the SSL connection and when the user returns he'll get a new SSL Session ID making the session invalid).

I'd apreciate any feedback...

This website doesn't really needs to be that secure but I'm really curious to see what else can be done. I also wonder how banks secure their website for e-transactions.

Matt

devinemke

Originally posted by blackened
Once connected/authenticated, the session is kept open by verifying PHP Session ID, IP that was used when first authenticated, and SSL Session ID. If any of those doesn't math up, the session is invalid and the user must log back in.

won't this effectively disallow anyone who uses dynamic IP addressing from using your site?

blackened

Originally posted by devinemke
won't this effectively disallow anyone who uses dynamic IP addressing from using your site?

Someone's IP wont change during one Session. One session beeing defined by going to the web site, loggin in, and ending when the user clicks on the "Logout" button or closes the browser (or goes to another website, I think this will brake the SSL connection and when the user returns he'll get a new SSL Session ID making the session invalid).

I'm not using those "Remember me next time" features. So users have to login each time they go to the web site.

devinemke

sorry, i thougt you meant you were storing IP's in a database (from a user's first login) and checking that aginst a user login back in later. my bad. your right, within each session the IP is not likely to change.

blackened

Originally posted by devinemke
sorry, i thougt you meant you were storing IP's in a database (from a user's first login) and checking that aginst a user login back in later. my bad. your right, within each session the IP is not likely to change.

No problem, I didn't defined "Session", so it could've been interpreted different ways.

blackened

Originally posted by blackened
Hi, I've code this authentification system for a website and I want to get feedback on the methods used.

SSL is used to access the website (AES-256). Times out after 10 minutes of idling.

MD5 hash are used to store password in DB and compare with user input when loggin in.

Once connected/authenticated, the session is kept open by verifying PHP Session ID, IP that was used when first authenticated, and SSL Session ID. If any of those doesn't math up, the session is invalid and the user must log back in.

I'd apreciate any feedback...

This website doesn't really needs to be that secure but I'm really curious to see what else can be done. I also wonder how banks secure their website for e-transactions.

Matt

I just found one problem with the combination of SSL and IE. I configured apache's mod_SSL to timeout after 10 minutes of idling, works fine with firefox, but in IE after a couple of minutes if I refresh any page, the SSL Sessions ID has already changed and therefore the session has become invalid. Any thoughts on that?

I found this on microsoft's website:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q265369#kb2

I think that I have no other choice but to forget about the SSL Session ID because of that bug :queasy:

mtmosier

The problem with authenticating against IP address even within a session is that some isps are now using transparent proxy farms (notably aol), so the user's IP may actually change during the session.

Storing the password in plain md5 format potentially leaves you open to dictionary attacks. Its better to salt the hash. (Sorry for the .net link. First decent link to come up in search.)

As far as other security measures to implement, I would suggest reading pretty much everything on the OWASP website.

blackened

Originally posted by mtmosier
The problem with authenticating against IP address even within a session is that some isps are now using transparent proxy farms (notably aol), so the user's IP may actually change during the session.

Storing the password in plain md5 format potentially leaves you open to dictionary attacks. Its better to salt the hash. (Sorry for the .net link. First decent link to come up in search.)

As far as other security measures to implement, I would suggest reading pretty much everything on the OWASP website.

My bad, forgot to mention I was using the crypt function of PHP with MD5 + salt.

Also, I stoped using SSL Session ID since there's a bug in IE 5.x+ that renew it every 2 minutes. I'm now using a timestamp in the database that gets updated to the current time everytime the user loads a page. When the user tries to load another page and the time that has passed since that last timestamp update is greater than N, the session times out.