Login authorization security & preventing crackers

aktome2001

I'm working on implimenting some security measures on a control panel app that my company is building. I know that it's pretty much impossible to prevent a skilled cracker from getting in if they really want to, but we're looking at doing our best. If anyone can give me some feedback on our plans, that would be very helpful.

The main focus right now is on the login area of the control panel. The login page is pretty much a simple form with a username field and a password field. When the form is submitted the script will check the username against a database. If a match is found, then the password will be hashed using the MD5 algorithm to check agaist the hashed password in the database. If they both match, then the user gets access. If not, then they get a generic message stating that the login was unsuccessful. No matter what the reason is for the failed attempt, the same message will be sent back so that if a person was trying to hack in, they wouldn't have any idea that they guessed on a valid username.

The first security measure that we're taking is to prevent automatic attempts to hack into the control panel. If there are 2 unsuccessful attempts on a username, then a CAPTCHA image will be used. On following attempts, if the form field for the CAPTCHA image isn't given, then no attempt will be made to verify the username or password and the generic login failed message will be returned. This won't prevent someone from using a program to try and gain access, but it should prevent them, or make it more difficult for them to get in. I guess that we could use the CAPTCHA image on every login attempt, but we're trying to make is as user-friendly as possible.

The next method would be used if it is a human still trying to login and they are giving the correct CAPTCHA text. If there are 3 more (a total of 5) unsuccessful login attempts then the account will be locked and will need to be unlocked by a administrator. A email will be sent to the user telling them that their account is locked. This way if it wasn't them, then they can notify an administrator that someone tried to hack into the control panel.

A third method would be to create a session id and store it in the database when the user first gets to the control panel. Their IP address will also be stored. A cookie with the session id will also be stored on the users computer. Each time the user tries to login, the script will check to see if the cookie session id matches the session stored in the database, and if the referring URI is correct. If none of these pass, then the generic login failed attempt will show. Otherwise, the script will try to validate the user.

These are just a few ideas that we have. If anyone has and suggestions, or better ideas on how to make an authorization system more secure, please share them.

Thank you

halojoy

there are so many ways.
I think I have downloaded like 20-30 free php applications
for login systems and authorization

Also you can use Apache built in Auth function.

data to 'set a user as logged in' can be stored in:
-session variable
-session cookie
-normal temporary cookie
-normal remember me cookie
-database, like SQLite or mySQL
-flat file, text file
or any combination of these

What is best?
Well, that is up to you.

How much security or double-security do you need?
If you have not much valuable data or would be harmless if anyone read it,
there is not needed to spend a lot of coding on 'super-safe' system.
How many users and how many different type of user permissions do you need?
For a simple message board, we can often do well, with 1 admin, members and rest are guests.

There are plenty of nice free login systems in ZIP for download.
Do a google search, and you see what i mean.
There are Classes written for user systems, that are easy to add-on.

Only at this site, there are Tutorials as well as 100-reds of topics, threads
about this subject.

Do a forum Search here, and you will know.

/halojoy - thinks SESSIONS are quite enough in 90% of all cases.

aktome2001

halojoy,

Thanks for your reply. What we're primarily concerned with here is the initial authorization process and preventing someone or some program from hacking into the control panel.

We're going to be storing session information in the database as well as in a cookie. The security must be pretty high for this app, so I know that some of our methods may be more than a lot of other apps need.

halojoy

Okay.
you know best what you need
and you are also familiar with mentioned methods

either you can start making your own system, from scratch
or download an open source application from web ( search in sourceforge projects http://sf.net )
Modify this application for your special needs and idea.
Or use as is.

Myself, usually download a pretty simple system and build on to it.
I think this is better, than download a highly complicated and strip it down.

I have devloped a mini-mini user login, using 'ordinary.php' as database.
This data is included, when needed.

If you want a little more security
this on top, will make it impossible to call directly. Can only be included:

<?php
if ( strstr( $_SERVER[ 'PHP_SELF' ] , 'policy.php' )) die ( 'hmmmm' );
// your stuff to include
?>

This include should be saved as 'license.php' 'policy.php' 'boringstuff.php' or something like that.
you can try to surf to this .php and read it.
Will not work!
data can be like

<?php
if ( strstr( $_SERVER[ 'PHP_SELF' ] , 'policy.php' )) die ( 'hmmmm' );
$userdat [0][0] = 'admin'; $userdat [0][1] = 'adminpass';
$userdat [1][0] = 'user1'; $userdat [1][1] = 'user1pass';
$userdat [2][0] = 'user2'; $userdat [2][1] = 'user2pass';
?>

Used like this:

<?php
include 'policy.php';
// start checking submitted user/pass
// against  $userdat [0][0] and $userdat [0][1]
?>

this can be a quite good solution for most of us.

=========================================

I know this is not what you need, aktome.
But someone might have use for it.
Good luck with your system.

mtmosier

Overall sounds good to me. You didn't mention it, perhaps because it's overly obvious, but the login form should be used over ssl if possible. I'd also check at the beginning of the page to ensure that ssl is enabled, as an outside website / email could link to a non-ssl version of the page, and many users will never notice the lack thereof.

The password storage obviously isn't going to affect remote attackers, but make sure you salt your passwords. Also consider using something more secure than md5. While md5 is still secure for passwords, there are too many attacks against it for comfort. Sha1 is better, but even that has come under fire lately.

You didn't mention any session fixation protection. Very important.

You said you are storing the IP, but didn't say whether you were using it for anything other than logging purposes. Remember that multiple users may come from a single IP (proxies), and a single user may come from multiple IPs (proxy farms).