[RESOLVED] Members area Security questions

Rictus

Hi everyone I have a couple of questions regarding a login script I’m making for the member section of a website. I need it to be secure so I was wondering if anyone could help me with this….

The passwords will be store along with the proper username on a MySQL database. The password will be encrypted using Md5. MD5 is the best way to encrypt something, right?

When someone login I will compare the entered password with the one on the database and if their match…the user will be taken to the “secure area”. I was thinking to use sessions to temporary store the information of the user….is this save or is better to use cookies?

What I’m missing..I had review several examples on this websites and it seem that all of them contains more or less this format…but anyways any suggestion will be appreciated.

bradgrafelman

Rictus wrote:
MD5 is the best way to encrypt something, right?

Depends what you're encrypting and how hard to crack you want it to be. If you're the government, you probably would laugh at the thought of using something as simple as MD5. If you're the average website wanting to protect its users, MD5 might not be too bad of a choice.

Rictus wrote:
I was thinking to use sessions to temporary store the information of the user….is this save or is better to use cookies?

I would say sessions are 'safer' than cookies, since the data provided by cookies can easily be altered by users. The session data, however, is stored on the server so you only have to worry about users hijacking session ID's.

Weedpacket

But if you're considering MD5 you might as well consider SHA1. That hash algorithm is considered good enough for government work, at least for unclassified material.

Roger_Ramjet

Both MD5 and SHA1 have been cracked and no longer secure. MySQL now has AES_ENCRYPT which is 128 bit and still resonably secure. It is also reversable in your code so you can decrypt it when you need to, eg for encrypted session ids.

pcthug

SHA1 combined with a Salt should be strong enough to evade any standard dictionary attacks, although if someone has gained access to your database it is likley they also have access to your filesystem and therefore your salt.

If you wish to store credentials in a cookie you should use a salt and encode them like so:

// set cookie
$salt = 'NHx39sjHde';
$time = time(); 
$hash = sha1($salt . $username . $time); 
setcookie('userdata', base64_encode("$hash-$username-$time"), time()+3600);

// retrieve cookie
$salt = 'NHx39sjHde';

if (isset($_COOKIE['userdata']))
{
   $args = explode(base64_decode($_COOKIE['userdata']));

   if (sha1($salt . $args[1] . $args[2]) == $args[0])
   {
      // authentic user
      $username = $arg[1];
   }
   else
   {
      // remove bad cookie
      setcookie('userdata', false, time()-3600);
}

Weedpacket

Roger Ramjet wrote:
It is also reversable in your code so you can decrypt it when you need to, eg for encrypted session ids.

There's no point having it then, because if anyone gets your code they've got your decryption algorithm.

The SHA1 attack isn't yet practical (it only reduces the size of the problem by five orders of magnitude - out of 24), and the algorithm is still regarded as good enough for general use until a replacement is developed.

Update: Okay, so "not good enough for government work except in certain cases" would be a better way of putting it. NIST's current position is that until something better is developed, the SHA2 series of hash algorithms (SHA-224, -256, -384 and -512) are the ones to be going on with; all except the first of these are available in PHP via [man]hash[/man]

Roger_Ramjet

Weedpacket, I'm only going on what it says in the manual (see the link in my post). This is a recent update of the mysql manual so I took it to be the latest gen on the subject.

Hashing user session data seems to be a bit problematic to me - how do you reverse it to get the data back??

pcthug

Hashing user session data seems to be a bit problematic to me - how do you reverse it to get the data back??

Depends what type of data you are passing via sessions. If it's something simple like a username or password, just hash your comparitive data like so:

// expecting username element to be a sha1 hash
if (isset($_SESSION['username']) && ctype_xdigit($_SESSION['username']))
{
   $sql = "SELECT username FROM users WHERE SHA1(username) = '{$_SESSION['username']}'";
   $result = mysql_query($sql);

   if (mysql_num_rows($result) === 1)
   {
      // authentic user, assign username to variable
      list($username) = mysql_fetch_row($result);
   }
   else
   {
      // bad session data
   }
}
else
{
   // no session data
}

Rictus

Thanks everyone, I guess this information is all I need. Thanks a lot

Weedpacket

Roger Ramjet wrote:
Hashing user session data seems to be a bit problematic to me - how do you reverse it to get the data back??

If your encrypted data is to be decrypted by the very same application that encrypted it in the first place - what's the point of encrypting it? If you're anticipating someone getting hold of the data you should also anticipate them getting hold of the application that put it there - and gets it out.