Secure Login...

Chud37

Hello, I have no code to show I just wanted to discuss a good method for a secure login page. I currently one im building, and it works pretty much. Here is the method:

Page loads.
Check whether session vars are created, if not, create them.
Check whether login form is submitted, if so, goto function doLogin()

the doLogin() function then checks all the correct $_POST vars are set, I even put a randomly generated variable into the form which was a hidden input box (i dont actually see the point in it but i threw it in there anyway) which it checks against a session variable. It then goes to a database, finds the user, md5's the password, compares that to the hash in the DB, and then changes a session variable to LOGGEDIN.

thats the index.php. All the other pages are includes. I have a variable that is set to 1 if its logged in, (a non session variable) and that is checked inside the include pages.

Logout/Login works fine.. But im not sure if this is entirley secure? Can anyone suggest ways in which i can make it better? Im aware that md5 is outdated but its not a government website or anything so im not bothered if it takes someone a few hours to get into it. If they want it that bad, then they can have it lol.

But i just wanted to brush up on the theory. If anyone cares to help out I would most appreciate it.

~Chud37

Chud37

Oh, the passwords are salted for extra crispyness too. 🙂

laserlight

Chud37 wrote:
Logout/Login works fine.. But im not sure if this is entirley secure? Can anyone suggest ways in which i can make it better?

Use SSL/TLS. If you do not need to provide anonymous users with sessions, then only create the session after the user has been authenticated.

Chud37 wrote:
Im aware that md5 is outdated but its not a government website or anything so im not bothered if it takes someone a few hours to get into it.

Password hashing only protects the passwords when the database is compromised. If the database is never compromised, storing them as-is would actually be fine. Anyway, the hash extension is likely to be available, but if you suspect that the script may be used where it is not, you might as well use sha1() instead of md5().

Chud37

laserlight;10957472 wrote:
Use SSL/TLS. If you do not need to provide anonymous users with sessions, then only create the session after the user has been authenticated.

But dont i need to buy SSL/TLS? im not in the business here of buying something, I just want to make a good secure login (or as good as i can) with PHP.

🙂

thanks for the input though.

laserlight

Chud37 wrote:
But dont i need to buy SSL/TLS? im not in the business here of buying something, I just want to make a good secure login (or as good as i can) with PHP.

You could use a self-signed certificate, though this is of limited value as a user who blindly accepts self-signed certificates (or more generally, those from an untrusted CA) could accept one from an attacker and thus be susceptible to a man-in-the-middle attack. But as you say, you do not need to worry about this, so you're fine.