[RESOLVED] PHP Security

Kerant

Hey,

I have registration and login forms on the website I am developing, but I would just like some help with the security side of things.

Basically I have an admin control panel which I want to make as secure as possible and I'm wondering how I can go about that.

At the moment, when the user logs in a session is set and they are re-directed to the admin panel using the following code:

$_SESSION['email'] = $_POST['email'];

$id = session_id(); 
$url = "Location: admin-panel.php?sid=" . $id;
header($url);

Then, on the admin control panel, the following code is used to see if the session is set:

<?php
session_start ();
if (!isset($_SESSION['email']))
{
session_unset ();  

session_destroy ();
$url = "Location: login.php";
header ( $url );
}
else //otherwise, they can see the page
{
?>

This works but it just doesn't feel enough. I want to make the admin panel literally as secure as possible, so is there any suggestions you can give me to help me make it more secure?

Thanks very much,

Kieron

dougal85

are you validating all the input is real? ie. its a real email?

Kerant

dougal85;10880652 wrote:
are you validating all the input is real? ie. its a real email?

Yeah. On the registration form there is full validation for each field to check if it is a real email, passwords match, etc etc. The same applies for the log in form.

dougal85

you never really seem to check for a password or anything? I don't really understand how your login process works from the above code. Perhaps you've only showed us a tiny bit of it?

How do you validate it is the admin?

Why did you put the session id in the URL?

Kerant

dougal85;10880654 wrote:
you never really seem to check for a password or anything? I don't really understand how your login process works from the above code. Perhaps you've only showed us a tiny bit of it?

Yes I only put up the bit of the code relating to the sessions. I check the passwords and validate the email address etc during both the registration and log in files.

dougal85;10880654 wrote:
How do you validate it is the admin?

Well I was hoping for some input on this. At the moment I was just thinking of having a seperate table with admin users in, then on the log in page have a drop down to select whether to log in as a standard user or admin user. Would this be a good idea?

dougal85;10880654 wrote:
Why did you put the session id in the URL?

I'm honestly not sure about that one. I think I read somewhere that I should do it and haven't thought too much about it. Should I remove it?

dougal85

Often the security problems are in the SQL or the checking passwords. You need to validate all input to make sure you don't have potential problems SQL injection hacks.

There isn't really anything fancy you need to do with sessions, just set them when you need them and destroy them after.

why not just keep all the users in the one table and have some way of assigning admin to the admins? ie a table with a FK to the user table or even just a boolean value for each user specifying an admin or not. I don't think it would look good to 'normal' users if they need to tell you what type of user they are!

You don't need to put the session ID in the url. It's handled by PHP anyway, I think the only problem is if cookies are disabled in the browser... but honestly, who doesn't enable cookies these days? Every website needs them, just try out something like the FireFox extension Firecookie and you'll see just how many cookies website set!

Kerant

dougal85;10880657 wrote:
Often the security problems are in the SQL or the checking passwords. You need to validate all input to make sure you don't have potential problems SQL injection hacks.

There isn't really anything fancy you need to do with sessions, just set them when you need them and destroy them after.

why not just keep all the users in the one table and have some way of assigning admin to the admins? ie a table with a FK to the user table or even just a boolean value for each user specifying an admin or not. I don't think it would look good to 'normal' users if they need to tell you what type of user they are!

You don't need to put the session ID in the url. It's handled by PHP anyway, I think the only problem is if cookies are disabled in the browser... but honestly, who doesn't enable cookies these days? Every website needs them, just try out something like the FireFox extension Firecookie and you'll see just how many cookies website set!

Thanks for your reply mate, much appreciated.

It sounds good and makes sense what you mentioned there.

My main concern was unwanted users accessing restricting pages on the website. I read that I could maybe add some HTTP authentication login aswell as using sessions to stop people getting on the page. Is that something that is worthwhile doing? I really just want to make it as secure as possible.

dougal85

Oh, of course... You should store a hash of the password in the session too. Then re validate this on each page, much like how you validate it when they log in.

Kerant

dougal85;10880674 wrote:
Oh, of course... You should store a hash of the password in the session too. Then re validate this on each page, much like how you validate it when they log in.

Sorry, but what do you mean by storing a hash of the password? Could you please give me an example?

Cheers

dougal85

something like this might help, http://phpsec.org/articles/2005/password-hashing.html

or straight to PHP's function, md5 http://uk.php.net/md5
and the more secure sha_1 http://uk.php.net/manual/en/function.sha1.php

dougal85

I am making the assumption you are already storing the passwords in a database as a hash. ie. your not storing them in the database in a readable form...

Kerant

dougal85;10880680 wrote:
I am making the assumption you are already storing the passwords in a database as a hash. ie. your not storing them in the database in a readable form...

Yeah the passwords are stored with md5 encryption. Thanks for the links, I will read through them now.

dougal85

md5 should be refered to as a hash rather than an encryption

bradgrafelman

And should then be dropped in favor of at least [man]sha1/man. :p

It's like WEP for wireless - used to be considered a security measure, now it's just a laughable attempt at one.

Weedpacket

NIST recommends the SHA2 family for nonclassified government work (SHA-224, etc.) - at least until their hash competition has completed (which will be a hew years yet).

Kerant

bradgrafelman;10880797 wrote:
And should then be dropped in favor of at least [man]sha1/man. :p

It's like WEP for wireless - used to be considered a security measure, now it's just a laughable attempt at one.

So is sha1 more difficult to implement than md5 I take it?

Is there any good sha tutorial links you could provide me with? I'd like to use it for the passwords in my database if possible.

Thanks for the input everyone by the way.

laserlight

So is sha1 more difficult to implement than md5 I take it?

Not really, but thankfully you do not need to implement it in PHP anyway. Just as you can use the [man]md5/man function for MD5, you can use the [man]sha1/man function for SHA-1. For the SHA-2 family of hash algorithms, use the [man]hash[/man] extension (which usually also supports SHA-1, and MD5 for that matter).

Is there any good sha tutorial links you could provide me with? I'd like to use it for the passwords in my database if possible.

Consequently, it is not so much about implementing SHA-1, but about using it properly. dougal85 provided a link to an article on Password Hashing. Towards the end of the article, the author suggests the use of a salt with the application of the hash algorithm chosen. I consider this the minimum requirement where password hashing is concerned.

Kerant

Thanks for your help 🙂