Check login query

knowj

Basically I am writing a multiuser login for an e-commerce system. I basically check the users ip against the database (is set on login) then if the ip matches it checks the database hash against the session.

The current issue i can think of is if their are multiple users on 1 ip address.

public function checklogin($hash, $ip, $table)
		{
			if ($results = $this->database->query("SELECT * FROM `$table` WHERE ip='$ip'"))
				{
					$row = $results->fetch_array(MYSQLI_ASSOC);
					if ($row['hash'] === $hash)
						{
							return 1;
						}
					unset($_SESSION['hash'], $_SESSION['level']);
					return 0;
				}
			unset($_SESSION['hash'], $_SESSION['level']);
			return 0;
		}

halojoy

I know too little of HASH you are using
and details of your setup.

But in your code you can remove 2 lines, and it will not effect the operation.
Inside the if( ..... ) you can remove:
unset($SESSION['hash'], $SESSION['level']);
return 0;

public function checklogin($hash, $ip, $table)
		{

		if ($results = $this->database->query("SELECT * FROM `$table` WHERE ip='$ip'"))
			{
				$row = $results->fetch_array(MYSQLI_ASSOC);
				if ($row['hash'] === $hash)
					{
						return 1;
					}
			}

		unset($_SESSION['hash'], $_SESSION['level']);
		return 0;
	}

regars
halojoy

knowj

Good point thanks oversight by me.

The hash is just a basic MD5 $this->hash = md5(rand(11111, 99999).date('Ymdhis')); and this is set on login + stored in the database against the users account along with their IP address.

laserlight

The hash is just a basic MD5 $this->hash = md5(rand(11111, 99999).date('Ymdhis')); and this is set on login + stored in the database against the users account along with their IP address.

You might want to read my reply to mawdryn's Code security question.

knowj

What would be a viable alternative though store the SSID within the database?

I just realised i was using a technique that should be using a cookie to prevent session hijacking. With the hash.

Is the only reliable method to prevent session hijacking to use cookies and sessions to ensure the SSID isn't passed on?

laserlight

What would be a viable alternative though store the SSID within the database?

I am not sure what you mean. Why would you want to store the session id in your database? It is already stored in the filesystem along with the session data.

Is the only reliable method to prevent session hijacking to use cookies and sessions to ensure the SSID isn't passed on?

Using cookies (enable session.use_only_cookies) to store the session id instead of the query string eliminates the possibility that a naive user will pass a link to another user that includes his session id.

However, there are more issues involved than just session hijacking. I recommend that you read this PDF document: Session Fixation Vulnerability in Web-based Applications.

halojoy

knowj wrote:
Good point thanks oversight by me.

The hash is just a basic MD5 $this->hash = md5(rand(11111, 99999).date('Ymdhis')); and this is set on login + stored in the database against the users account along with their IP address.

I think your check function is alright and should work.

I see you create hash, adding a value changing with time().
with your format new time value is produced every 1 second.
MD5 of 5 digits number 11111-99999 + date( 'Ymdhis', time() )

I personally do not think this will be more UNIQUE,
than using this example from Official PHP Manual, http://docs.php.net/manual/en/
At least this is shorter: $token = md5( uniqid() );

This uniqid uses current time to generate value.
So it is a higher string value for each new micro-second, uSec ( 1/1.000.000 sec )
Now, md5 of this will change value, so string will not be anymore a constantly increasing value ...!!!!

<?php
//Example#1 uniqid() Example

// works only in PHP 5 and later versions
$token = md5( uniqid() );

// better, difficult to guess
$better_token = md5( uniqid( rand(), true ) );

?>

Note!
Here is the function [man]uniqid/man
Always be sure to read the Comments and CODING submitted by readers.
Especially later comments from 2007 and 2008.
Many times the code submitted can be better, than php.net default examples .....

regars ..to knowj 🙂
from halojoy

laserlight

Before jumping to decide on how to generate a hash, be certain that you need such a hash in the first place. The session id itself is generated with a hash function, typically MD5, though you can use SHA-1 (and apparently any of the hash algorithms provided by the hash extension in PHP 6). From what I see, this additional hash is useless to begin with because you already have the session id.

knowj

I can see your point lazerlight the ssid is possibly the biggest hole in the security of the system.

I will remove the hash and the ip setting just the users Unique user id to the session which will check against the database. If someone wants to hack the session they will do. SSL isn't an option in this case.

But I have a new potential method for security reasons after reading the document provided by laserlight.

Use session_regenerate_id(TRUE) to regenerate the session ID on login to ensure a valid user has a fresh ID.

laserlight

Use session_regenerate_id(TRUE) to regenerate the session ID on login to ensure a valid user has a fresh ID.

That should be correct.