General Qs about Login Security

aidanmcg33

Im designing a login system for my website, and im just wondering what would be the general security concerns that i may have to address when writing my script. One issue i was thinking of was table names. for example would it be better to have a table with a numeric name rather than one called passwords for storing usernames and passwords?

Is there any different programming techniques which are better/worse to use for this type of scripting?

I plan to have several different access levels so different people have access to different parts of the site etc.

I want to make the system secure but at the same time not massively complicated so any ideas/practices/suggestions would be very much appreciated.

visualAd

Giving your tables obscure names is one precaution - however there are other, more important considerations too. Firstly, what version of PHP are you using - I'd recommend 5 if you have a choice 🙂.

How critical is security? For the most critical you should consider SSL as it incorportes data integrity, encryption and identification. The simplest of login system would authenticate the user and store a flag in a session on the server side that tells your application whether or not they have been authenticated. Implement the later over SSL with an encrpyted cookie and you'll have a very secure authentication system.

Heres a few tips:

Use one way encrpytion on passwords such as Md5 and encrypt and sensitive data relating to the user in the database such as credit card details.
Once a user has authenticated you will need to set up a session for them (so they don't have to keep logging in during the same browser session). PHP's session management is more than adequate.
Once the session has been set up it is vulnerable to hijack. The session is identified using an ID and one trivial security precaution you can take is to ensure that the session ID is sent in the HTTP header as a cookie by setting the session.use_only_cookies setting to 1 (this will prevent accidental hijacking only as the session ID will not be contained in the URL).

Other precautions you can take to ensure the session is fixed to one use is tie it to the users IP address and / or their user agent string and whenever they move to a more secure area, give them a new session ID and ask them to reconfirm their password.
Only ever store the data which is need in a session. Sensitive data should remain in the database and fetched only when needed. Doing it this way may encure a slight overhead but it will prevent sensitive data from being leaked should the session data be compromised.
Make your sessions expire. The easiest was to do this to store a UNIX time stamp as one of the variables and check it each time the session is loaded.
When the user logs in, ensure the data to be instered into an SQL sring is escaped using a function like mysql_escape_string() or the equivilent for the database server you are using.
In PHP 5 you should consider using PDO which supports stored procedures. Mysql 5 also supports stored procedures. Stored procedures allow you to execute predefined querys using aset of parameters which are escaped automatically.
Mysql 5 also allows you to define views. As the name suggests you can set up several user accounts and give each one a specific view of the same dtabase. I.e: while a login script will need to see the password field, a scritp which displays the users name and post count need not see it so it can be omitted from the view.

Obviously, the level of security you choose will determine which of these precautions you encorporate into your system. 🙂

NogDog

If possible, use SSL so that communications between client and sever are encrypted.

Don't store passwords in cookies or session variables (where a hacker on the client or server, respectively, would be able to read them), only in encryted form in your database, and make sure only those you really trust know the database user(s) login/password.

cgraz

As visualad mentioned, sessions work by putting a cookie on the user's machine which holds their session id, however, the actual session file is stored on the server. That session id can be hijacked to gain access as a logged in user.

If you're not hosting this on a dedicated server, then don't store the session data in your hosts' default session store. Otherwise, someone may easily grab your session stores and pose a security vulnerability. Use session_save_path( ) to specify a different directory, preferably outside the web root since you have to set write access.

aidanmcg33

Thanks for your suggestions. At the min im just looking into the possibility of using an idea of mine for a project. I know security would be a major issue when writing it up so i just want to make sure i completely understand everything to do with the issue.
On the version of php i can use i dunno. I assume its at least four but i dunno about 5. At the min im just developing on a home machine with version 4.3.10.

Im not aware of this ssl issue? Is there any tutorials you would recommend reading about it?

Also have you any code examples on how the session system would work? I know that its important that i use this, as I want the user to be able to remain signed in but at the same time, if they do not do anything within 15 mins, then they should be logged out of the system.

aidanmcg33

Sorry, someting else i wanted to know was your opinions on how the relevant tables are designed. At the min i have a seperate table for users and antoher one which just holds userids and passwords. I wish to have a form where the user registers and then when they submit the form, they are sent an email which has a link for them to verify their link when they click on this link, i want their account to be ctivated and an email sent to them with a username and password. I dont want them to be able to choose their own usernames and passwords.

aidanmcg33

anyone able to help on this issue?

visualAd

The only concern is that you do not allow the user to change their password. Although there could be a good reason for this.

Crowly

Taken from this thread: PHP Session ID

It's not a security risk per se. But you always should guard yourself against session hijacking. The most easy way to do this is to place this code where you have your session_start() command:

PHP Code:
session_start(); 
if(version_compare('5.1.0', phpversion(), '>')) { 
    session_regenerate_id(TRUE); 
} else { 
    unlink(ini_get('session.save_path').'/sess_'.session_id()); 
session_regenerate_id(); 
} 
This will generate a new session ID for every page visited, effectively making a hijacked session ID useless.