
I plan to offer my website designs and if someone is interested in an easy-to-manage blog (or just doesn't want to make new html files for new posts on his/her own) this simple login/blog system is what I will offer them as an addition.

Its main purpose is to enable only one user to log in by providing the password (the username cannot be changed) and allow him/her to edit a few account settings (displayed name, avatar, bio) or make new pages/posts by just writing new content into the window. This is supposed to be a very simple system with no registration forms - a framework which I want to provide to all clients who would choose to buy my designs.

Since the login system is so simple, I dare to say that there is little authentication needed - just the password entry (+ any other forms where the user enters, for example, the content of a new post). So basically, it should have the following functions: trim(), htmlspecialchars(), mysql_string_escape(), checking for valid characters with a regular expression and a user session (by the way, is a user session even needed on a site with only one user?). What else is needed on such a simple website? I was thinking about a self-signed SSL certificate, however, it causes a security warning. Is it even needed in such a situation?

This system would be reused in every HTML/CSS design project I'd work on, so it needs to be decided now, since I'm going to provide this framework along with the website for those people who just want to run their personal website/blog without learning all that wordpress stuff.

I know websites should be encrypted, but since the only encryption needed here is for the password, what should I use?

Broncha
Onion

4 Answers


Unless you want the customer's login password flying through the wire in plaintext, then yes you need an SSL certificate. You can use a self-signed one (as you mentioned), and instruct your customer to verify the information in the certificate before they actually log in if you didn't want to buy a proper certificate. Once you have the https session open, why not just leave it open and the user does their work in relative security?

OrionRogue
  • I've seen many websites which do not use https:// and I'm almost sure they don't have an SSL certificate - yet they still provide login forms. For example, stackoverflow - there is no https://. And no warnings! I'm pretty much lost in this area. – Onion May 08 '12 at 12:25
  • There have been a number of calls for securing SO a bit better. In addition, the login itself can be over SSL, depending on the OpenID provider. There is an open issue about this: http://meta.stackexchange.com/q/128733/148833 – Bruno May 08 '12 at 13:23

Please don't roll your own login system:

http://cubicspot.blogspot.com/2012/05/dear-web-developers-stop-making-login.html

You can also obtain free SSL certificates that are signed by a browser root certificate authority:

http://cubicspot.blogspot.com/2011/02/truly-free-ssl-certificates-are-here.html

CubicleSoft

If it's supposed to have only one user who can log in, then you can put all the administration stuff in a separate folder and password protect that folder using .htaccess.

In your .htaccess file use this:

```apache
AuthUserFile /full/path/to/.htpasswd
AuthName "Please Log In"
AuthType Basic
# Without a Require directive Apache applies no restriction at all
Require valid-user
```

The .htpasswd file is where you would store the password for the user.

For more information see this: http://www.addedbytes.com/lab/password-protect-a-directory-with-htaccess/

Broncha
  • Thanks. So why is this SSL encryption even needed if all that stuff can be secured with .htaccess? I suppose there are far fewer security threats on simple login systems such as these, aren't there? – Onion May 08 '12 at 12:20
  • SSL is not primarily for securing contents. It's for encrypting the data that is transferred between client and server to avoid man-in-the-middle attacks. It secures the transfer of data. And since it uses a private key mechanism it can be used for authentication as well. – Broncha May 08 '12 at 12:24
  • I guess I understand that, but is the login system I'm developing too simple to need SSL? Should I really be afraid not to use it? – Onion May 08 '12 at 12:29
  • That's totally optional, as the SSL authentication will not affect your application or its structure. Looking at the complexity of your project you don't need to worry about that. But whenever needed or demanded by your client, you can install a self-signed certificate and tell the client accordingly that they will need to trust the certificate issuer. That should not affect the development of your application in any way. – Broncha May 08 '12 at 12:32
  • @user1020567 using HTTP Basic authentication as suggested in this answer can be acceptable, but it won't protect the password in transit. Anyone in a position to eavesdrop on the traffic will be able to see the user's password. – Bruno May 08 '12 at 13:21

The level of security you need is not so much to do with the complexity of the mechanism, as with the value of the thing you're protecting.

If you're offering this as a service, you're probably not going to want a weak authentication system which allows the websites your customers create to be taken over by hackers. If you don't encrypt user passwords in transit, you've made the life of a hacker very, very easy - all they have to do is set up in Starbucks, crack the Wi-Fi, watch your customers log in, and take over their website. So, please use an SSL certificate; self-signed protects your data, but does lead to security warnings - splash out on a proper certificate.

In general, users are right to distrust self-signed certificates, as this is a way that a (fairly unsophisticated) hacker might attack you. For instance, if you wanted to steal the credentials of StackOverflow.com users, you might register the domain stack0verfl0w.com, and issue a self-signed certificate for the login page. Users would see that certificate, it would match the (bogus) domain, and if they are used to accepting self-signed certificates, they'd go ahead and enter their details on the hacker's site.

So, yes, you can use a self-signed certificate, it will encrypt the web traffic, but it is not a good idea to train your users to ignore the browsers' security warnings. The definition of "self signed" is that they aren't registered anywhere.

Secondly, please do not store passwords in plain text. The common way of doing this is to store the password using a one-way hash (PHP has this built in); even if a hacker can steal your database, the hash function is one-way; there's no (easy) way to retrieve the plaintext password. When a user logs in, you hash their password using the same algorithm, and if the hash in the database matches, you let them in.

Thirdly, consider using an off-the-shelf framework for authentication. http://hybridauth.sourceforge.net/index.html seems to fit your requirements. In general, it's best to work with off-the-shelf solutions for this kind of thing, because your users have expectations, and meeting those expectations through custom code is expensive, and error prone...

Licensing is a bit of a dark art, but in general, open source frameworks can be re-distributed subject to very lenient requirements (typically, you just need to tell people you're including an open source component).

Neville Kuyt
  • Thanks. I know about MD5 and SHA algorithms already, just forgot to mention them. The websites I plan to offer are for regular people who just want to have their own personal blog, nothing more. I don't think such websites would gain thousands of users, however, it appears that SSL is still needed. Can I provide a self-signed SSL certificate in every project? I'm asking this because I don't know whether such free certificates should be registered somewhere or whatever. – Onion May 08 '12 at 12:34
  • At first, I wanted to use a login system like the one you mentioned, because I was afraid that the framework coded by me would contain just too many errors and be insecure. However, since I'm going to take requests from clients, design the website for them and then sell the design along with the login system, wouldn't it be against the license of that login system? I would need to include a free framework in a project that is going to be sold. I'm just not sure about the licensing stuff. – Onion May 08 '12 at 12:38
  • Avoid MD5 and SHA-1 for hashing (see [this answer](http://stackoverflow.com/a/10471744/372643)). Setting up the certificate for SSL is up to the domain owner. – Bruno May 08 '12 at 13:25
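The one-way hash scheme Neville describes (store a hash, re-hash the submitted password, compare), combined with the single-user session the question asks about, as an added PHP example that is not part of any answer above. It uses PHP's built-in password_hash()/password_verify() (bcrypt via PASSWORD_DEFAULT) rather than the MD5/SHA-1 Bruno warns against; the hash file location and the /admin/ URL are assumptions.

```php
<?php
// Added example: single-admin login with a stored one-way password hash.
// The hash lives in a file outside the web root (assumed path), never in code.
declare(strict_types=1);

const HASH_FILE = __DIR__ . '/../private/admin.hash';   // assumed location

// Run once when the site is handed over: persist only the hash of the password.
function store_password(string $password, string $file = HASH_FILE): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);  // bcrypt, salted
    file_put_contents($file, $hash . "\n", LOCK_EX);
}

// True only if the submitted password matches the stored hash.
// password_verify() compares in constant time, so no manual === on hashes.
function check_password(string $submitted, string $file = HASH_FILE): bool
{
    $hash = is_readable($file) ? trim((string) file_get_contents($file)) : '';
    if ($hash === '' || !password_verify($submitted, $hash)) {
        return false;
    }
    // Upgrade the stored hash if PHP's default cost/algorithm has moved on.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        store_password($submitted, $file);
    }
    return true;
}

// Even with one user a session is needed: it is how later requests tell the
// logged-in admin apart from an anonymous visitor.
function handle_login(string $submitted): bool
{
    if (!check_password($submitted)) {
        return false;
    }
    session_regenerate_id(true);   // new session id on login (anti-fixation)
    $_SESSION['admin'] = true;
    return true;
}

// Serve this page over HTTPS only; set session.cookie_secure=1 in php.ini.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (handle_login($_POST['password'] ?? '')) {
        header('Location: /admin/', true, 303);
    } else {
        http_response_code(401);
        echo 'Login failed';
    }
    exit;
}
```

The admin pages then only need to check `!empty($_SESSION['admin'])` after `session_start()`; the stored hash never leaves the server, so a copied database or file does not yield the password.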