Is my login code secure?

ukphp

Hi,

I've created a login/logout area and was wondering if it's ok from a security point of view? The password is run through MD5. Also please let me know if it can be improved in any way. If the login attempt fails, it takes you to a page called "check-login.php" and waits 5 secs before redirecting back to "login.php". I think this could be improved so it does the check on the same page and shows an error, possible using AJAX/jQuery, but I'm a but unsure how to do this.

login.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Login</title>
    </head>
        <body>
            <form name="login" action="check-login.php" method="post">
                <fieldset>
                    <legend>Login form</legend>
                    <label for="username">Username:</label>
                    <input type="text" name="username" id="username" />
                    <label for="password">Password:</label>
                    <input type="text" name="password" id="username" />
                    <input type="submit" value="Login" />
                </fieldset>
            </form>
        </body>
</html>

db-connection.php

<?php

// setting variable for db connection
$host = "localhost";
$username = "root";
$password = "myPass";
$database = "myDatabase";

// connect to database
$conn = mysqli_connect("$host", "$username", "$password", "$database");
if (!$conn) {
    die("Could not connect: " . mysqli_error());
}

?>

check-login.php

<?php

require_once 'db-connection.php';

// user and pass sent from login page
$username = $_POST['username'];
$password = $_POST['password'];

// encrypt password using md5
$encrypt_password = md5($password);

// sanatise data function
function cleanInput($data, $conn) {
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    } else {
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    }
    return $data;
}

// sanatise data
$username = cleanInput($_POST['username'], $conn);
$password = cleanInput($_POST['password'], $conn);

$sql = "SELECT * FROM users WHERE username = '$username' and password = '$encrypt_password'";
$result = mysqli_query($conn, $sql);

// check for username and password if match found
$count = mysqli_num_rows($result);
if ($count == 1){
    session_register("username");
    session_register("password");
header('Location: securepage.php');
} else {
    ?>  

<script language="javascript">
var time_left = 5;
var cinterval;

function time_dec(){
time_left--;
document.getElementById('countdown').innerHTML = time_left;
if(time_left == 0){
    clearInterval(cinterval);
}
}
cinterval = setInterval('time_dec()', 1000);
</script>
<p style="color: red;"><strong>Incorrect username or password</strong></p>
<p>Redirecting back to login page in <span id="countdown">5</span></p>


 <?php
header('refresh: 5; url=login.php');

}

?>

logout.php

<?php
session_start();
session_destroy();
?>

securepage.php

<?php
session_start();

if(isset($_SESSION['username'])){
// do this
} else { // if user not logged in
    header('Location: login.php');
}

?>

gammaster

Use type="password" in your form password field.

Drop the check-login page and put the code in login.php and redirect to secure page after login.

Use a CAPTCHA script and save the value in a session variabel to check against.

Use $_SESSION['xx'] = ... instead of session_register when working with sessions.

From php.net
This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0

MD5 is not seen as secure anymore....

Your cleaning of the password in check-login.php is useless. First you clean the password after you already have defined and set a value to $encrypt_password. Second... $encrypt_password will always contain a 32-character hexadecimal number because of the md5 function and have no need to be sanitised.

laserlight

gammaster wrote:
Use $_SESSION['xx'] = ... instead of session_register when working with sessions.

From php.net
This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0

MD5 is not seen as secure anymore....

Heh, you probably should have written "sessions:" instead of "sessions." or otherwise clarified as I scrambled to find where php.net stated that md5 has been deprecated for removal in PHP 5.4.0 🙂

Anyway, ukphp, in terms of security you are probably better off using say, crypt with CRYPT_BLOWFISH, but if you have concerns that your algorithm of choice might not be available with crypt or hash, just use sha1 with a salt value (unique to each user) and some key stretching instead. To account for the salt during authentication, you have to modify your code.

Bonesnap

laserlight;10998863 wrote:
as I scrambled to find where php.net stated that md5 has been deprecated for removal in PHP 5.4.0 🙂

I also did this :o.

When it comes to stuff like this I use a combination of md5, sha1, and a salt.

ukphp

Thanks for the feedback. I'm quite new to PHP so apologies if I'm not seeing the obvious.

So would something like this be ok? I don't have (or need) a registration page, therefore I'm just inputting the user password into the MySQL database manually, therefore if I use a salt would this work as doesnt the salt add an extra string to the password? Also how many charactors do I need to allow for in my database using SHA1? Is it 64? Would SHA512 be better using 128 charactors in my database?

Not sure how to use rypt with CRYPT_BLOWFISH so any help would be handy.

// sanatise data function
function cleanInput($data, $conn) {
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    } else {
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    }
    return $data;
}

// sanatise data
$username = cleanInput($_POST['username'], $conn);
$password = cleanInput($_POST['password'], $conn);

// encrypt password using sha1
$salt = '$%hgy5djk3tgbG^bhk';
$hashed_pwd = sha1($password . $salt);

$sql = "SELECT * FROM users WHERE username = '$username' and password = '$hashed_pwd'";
$result = mysqli_query($conn, $sql);

// check for username and password if match found
$count = mysqli_num_rows($result);
if ($count == 1){
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $hashed_pwd;
header('Location: securepage.php');
} else {

Thanks for your help everyone 🙂

Weedpacket

Bonesnap wrote:
When it comes to stuff like this I use a combination of md5, sha1, and a salt.

Why not something from SHA-2? That's what has been recommended for the past few years, ever since flaws in MD5 and SHA1 started showing up - until the AHS competition is completed.

Lord_Yggdrasill

Well you can use a salt, pepper, and sha512 to make a secure password encryption. The difference between a salt and a pepper is that the former is user-specific, it usually is generated from a code generator and varies with each user. The pepper is hard coded into the script, or stored in database as global settings.

Bonesnap

Weedpacket;10998892 wrote:
Why not something from SHA-2? That's what has been recommended for the past few years, ever since flaws in MD5 and SHA1 started showing up - until the AHS competition is completed.

Hmm, didn't know about that. I'll have to look into it.

Weedpacket

Bonesnap;11000008 wrote:
Hmm, didn't know about that. I'll have to look into it.

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

The fourth edition of FIPS-180 has just been published.

Announcement of a new standard is expected later this year:
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

Bonesnap

Weedpacket;11000036 wrote:
http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

The fourth edition of FIPS-180 has just been published.

Announcement of a new standard is expected later this year:
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

Perhaps a stupid question but how would I utilize this in PHP? The only sha-related functions I can find are sha1() and sha1_file().

Weedpacket

[man]mhash[/man]

laserlight

You may be able to use [man]hash[/man]. Check [man]hash_algos[/man] for sha224, sha256, sha384, and sha512.

Bonesnap

Weedpacket;11000054 wrote:
[man]mhash[/man]

laserlight;11000056 wrote:
You may be able to use [man]hash[/man]. Check [man]hash_algos[/man] for sha224, sha256, sha384, and sha512.

Awesome, thanks! I'm going to update my latest project with this.