Security Issues.

hoboman

Ok, I've been running a website for over two years now..switching from HTML, TO ASP and now to PHP..but all this time I had a huge security leak, allow me to explain:

My site has a user registration system, when a user logins I set a cookie containing their username and some other ifnromation (Like what skin they are using on the site). Now the problem occurs, since I'm just storing the username wouldn't someone simply be able to go into their cookies folder, edit the value of the cookie username to be set to another user registered on the site and be able to use their account?

My resolution to this is to now store the users password when they login, then in my header file I would do a check like so: (This isn't actual code, just a overview)

if cookieUsername != ""
Select * from members where username = cookieUsername
Grab the password

if cookiePassword != passwordFromDb
Send them to a 'hacked' page
other wise, continue with the site.

I was wondering if this would work or if anyone has any solutions to security problem.

Thanks in advance for any input.

[deleted]

Putting the password in the cookies would make your security hole a LOT bigger, because now of someone gets the cookies, they have everything they need to logon.

What you need to logon is a username and a password.
Once a user is logged on, all you have to do is recognise him.
A common way to do that is to set create some sort of 'secret' string and place that in a cookie on the client. Then you store that secret in a database, along with the IP number of the client.
Then when a client does another request (clicks to another page) you receive the secret from the cookie. Then you can compare that secret and the IP with the secret and IP stored in the database. If either one is not correct, you should refuse access and request a login.

Anon

The problem with logging the IP is that some ISP's use caching proxies, so during a single session a user may appear to switch IP depending on which proxy at their ISP they are hitting.

[deleted]

You would use his computer's IP, not the proxy's IP ofcourse.

Anon

Depends if the proxy is configured to pass the client IP

[deleted]

Most (if not all) of them are, because you don't get very far on 'authorized' webservers without it.

cordex

IP tracking is like cookie tracking: Works most of the time, but when it doesn't, it really doesn't.

Sometimes you've got to pull a vincent and say "to hell with those paranoid freaks".

-Alpha Ben

[deleted]

Very true, very true.

If someone doesn't like to make himself known, then why should you bother to remember him? :-)

Anon

Well, after a bit of work I decided to use encryption methods to store the usernames, but I made my own custom script.

cordex

Remember who?

grin

In this context, that is absolutely correct, vincent.

[deleted]

Cute, but still, without tracking IP's you cannot be sure that people are who they say they are, encryption or no encryption.

Anon

and if people a laptop where they use it at home, and then travel to work?
Also, strangely I know for sure my IP gets garbled sometime - I'm on a static cable IP 146.115.x.x, and some sites that show you your ip show it correctly, while others show me some weird 207.x.x.x numer (also owned by my ISP).
Anyway, definately, I would not be able to use your site if you implemented the IP, or if you did, I'd have to register twice...once when I'm at work, and once when I'm at home to log the IP at work and at home.

Which brings me to another question - is it possible to obtain the MAC address of a computer?

Anon

The IP would be read when you log in - you don't need to register twice. You're not going to move from work to home during the course of a session!

--Mike

Anon

Ah, I thought it was a case of "keep me logged in on this computer" scenario".....

so how does one secure those cookies?

Anon

At login, you record the IP address (I would record it in the session).

On every page access, you compare the IP of the remote client with the IP at login. If they match, great. If not, kick them out. :-)

Anon

but that wouldn't work for a dynamic ip dial-up isp, or travelling laptop, using a keep-me-logged-in approach. I suppose the only way for that would be a random key

Anon

There is no way to do a 'keep-me-logged-in' approach securely. Even a random key can be sniffed. You're best logging in once per session.

[deleted]

", I'd have to register twice...once when I'm at work, and once when I'm at home "

and what do you do for PHPbuilder? exactly the same...

[deleted]

But loggin in once for every session is plain annoying :-) secure, but annoying.

The only thing about a client that cannot easily be faked by hackers is the IP.
Everything else can be sniffed and copied.

Thus a combination of a cookie and the IP is best.

Yes the IP can change from one PC to another, or one location to another, but remember: this function is not just to prevent you from having to log on all the time, it is also to prevent hackers from hacking your account. If that means you have to log in twice on two different locations, I think that is a very small sacrifice to make for a system that will be much more secure than just having a cookie with encrypted data.

Anon

conceded
BUT
if you're on a unix command line, type
/sbin/ifconfig -a
and the line pertaining to the MAC address, ie:
ether 00:03:93:64:0d:44
on BSD
or it may output as
HWare 00:03:93:64:0d:44
if the machine is linux

either way, would be an ideal candidate for a more secure replacement to the IP - IPs can be spoofed I guess, but hardware addresses are absolutely unique and unspoofable (as far as I'm aware).
Not quite sure how to obtain it though, or even return it, but there must be a way given that ifconfig can read it....

anyone?