PHP Secure Session Login - Best Practice

Question

As part of my web app. This is some code I am considering (I'm not the best of PHP programmers but I programming my own app for a project):

// Start session
session_start();
// Is the user already logged in?
if (isset($_SESSION['username'])) {
    header('Location: members-only-page.php');
}

I want to know, if my login structure is like this, is this secure.

http://site.com/

https://site.com/login.php

https://site.com/login-action.php (MySQL login check, with md5 password check)

http://site.com/cp/members-only-page.php

I am using MD5(); but I am not entirely happy with the whole $_session["user"]="1" approach that scripts use; surely the likes of vBulletin wouldn't do this?

Appreciate a reply. I've not even touched on the idea of this being Ajax ha!

UPDATE - Psuedo code of my approach. Everything on SSL.

// vars
login string post
password string post

// validation aside from ajax now
login string is empty
redirect to login form with error
password string is empty
redirect to login form with error

// mysql
escape strings
clean html strings

mysql connect external mysql server
if login string is user
    if password md5 match with database md5
        session logged in
    else
        session failed password invalid
        redirect to login form user/pass error
    end if
else
    session failed username invalid
    redirect to login form user/pass error
end if

if file called direct
    redirect 404
    alert_admin function type hacking attempt login page
end if

Unfortunately, there is no ONE TRUE ANSWER for this type of question; and as such I'm voting to close it as a discussion piece. You can use my answer, or answers from other community members as a point of reference; but you are going to have to do a lot of research on your own as well. — cbroughton, Nov 14 '11 at 10:03
this md5() you're using has absolutely nothing to do with the site security. and it seems you are escaping your styrings in wrong order — Your Common Sense, Nov 14 '11 at 11:09
what order - my escape strings etc and sanitize is now at the top of my page — TheBlackBenzKid, Nov 14 '11 at 11:15
there shouldn't be "etc" anywhere around escaping. escaping is a distinct matter and shouldn't be mixed with anything else. not to mention that "escaping" alone is not a guaranteed security — Your Common Sense, Nov 14 '11 at 11:56

score 4 · Accepted Answer · edited May 23 '17 at 12:32

4

mysql_real_escape_string() does not safeguard you from all forms of SQL Injection, or other types of attack for that matter. You should use a system in which incorperates code to guard against many safeguards individually, an example of such I use on my testing server (not strong enough for production):
```
function sanitize($str)
{
  $str = trim($str);

  if (get_magic_quotes_gpc())
    $str = stripslashes($str);

  return htmlentities(mysql_real_escape_string($str));
}
```

Please read the accepted answer for this question to see why any way you filter user input is never full-proof.

--

As far as information about securing user logins, please consider the following tips:

Avoid user input whenever possible, and if impossible; sanitize their input.
Do not use only md5 for securing user passwords. It is easy to decrypt.
- Consider using a password salt, unique to each individual user.
Keep your own passwords both long, and diverse.
- Optionally extend these as suggestions to your users' passwords. Example:
  - Must be at least six characters in length.
  - Must consist of a mixed case of characters.
  - Must contain at least one number.
  - (Secure) Must contain at least one symbol.

Rationale and statistics about password strength:

I, (with a nVidia NVS 3100M mobile graphics card), can crack or "brute force" an MD5 or SHA1 hash at a speed of 56,900,000 passwords per second. This means I can complete all passwords of lengths 1 - 6 characters, with a full (a-zA-Z0-9 + symbols) character set; in less than four minutes. Imagine what someone with a decent computer (even a gaming one), or a server could do.

The way to safe against this is to salt your passwords. Depending on how you salt your passwords, the "attacker" would need to try many different means of decrypting before they would be able to guess any of your user's passwords. If your password was not salted, they could brute-force it in the way I have described above.

Read more about PHP Session Security:

PHP Security Guide - Session Security

PHP Session Security (StackOverflow)

Notes on Session Security (SitePoint)

Also Worth Nothing:

You need to decide what your website needs to be secured against. If your website is hosted on a shared server or shared hosting (whether it be a VPN, VPS, or some sort of semi-dedicated solution) you will always be at risk of other malicious users on the system having access to your PHP files, and by extension; your MySQL database. Even on a dedicated server, without proper internal network security you are just as screwed.

edited May 23 '17 at 12:32

Community

1
1

answered Nov 14 '11 at 09:58

cbroughton

1,726
1
12
19

Your password about extending user passwords is bad for UI/UX - eConsultancy posted about this - Users want to enter their own passwords so let them, just warn them that they should try to make it more secure. Thanks for the reply though. – TheBlackBenzKid Nov 14 '11 at 10:06
1

I should reword that, it was meant as a "extend these suggestions to your users" not .. requirements (per-se). – cbroughton Nov 14 '11 at 10:07
Also the brute force sounds like a dictionary attack - I will limit 5 password attempts and then an IP block for 15mins. – TheBlackBenzKid Nov 14 '11 at 10:08
What do you think of my HTACCESS method below... "also I am going to place the login-form.php under a htaccess rule - so site.com/login and use htaccess to allow only internal scripts and internal server to use that URL which ports to login-form.php - what do you think?" – TheBlackBenzKid Nov 14 '11 at 10:09
1

Not exactly, I was speaking as if they had your database; or somehow DID gain access. This is the only reason that how you salt your passwords would even matter. If they get the hashes out of your database, then this is what kinds of speed you would expect them to get your passwords at. HTACCESS is only so secure... I personally would not trust it alone. Heh, if I edit my question any more it might turn into a Community wiki -_-. – cbroughton Nov 14 '11 at 10:09
well we will leave it at that. the graphics card thing was a big eye opener for me. back in the day we were thought that 128bit hash takes a PC 32 years to crack! SLi technology and QUADsli makes that feat happy real time! A++++ repped haha! – TheBlackBenzKid Nov 14 '11 at 10:23
1

That's only with one video card. You can test yourself for **educational purposes only** of course. Generate a few simple passwords (password, 123456, asdf123) and see how long your GPU takes. http://www.golubev.com/hashgpu.htm Note that in the screen-shot he is doing 43.6 BILLION per second. Obtaining 1 quadrillion per second is not impossible on a computer built for cracking (in a $4,000 budget) – cbroughton Nov 14 '11 at 10:27
3

mysql_real_escape_string() requires WHAT?! – Your Common Sense Nov 14 '11 at 11:06
People do that, even if your answer is legitimate, full / complete, and answers the user's question. Sadly you've just got to ignore those people. – cbroughton Nov 14 '11 at 12:42
1

You answer starts a bit wrong : mysql_real_escape_string() DOES NOT REQUIRE magic_quotes. This is insanity, sorry. Also, your "sanitize-all" function, mixing everything regardless of the scope, is another wrong thing. Sanitize specifically for the target. -1. Your answer is full/complete but contains errors; – Damien Pirsy Nov 14 '11 at 13:30
@DamienPirsy I don't know how new / old you are to this, but isn't that what you edit an answer for? I did specify that my santiize function was only for testing and NOT good enough for production environments. But yeah, why down-vote an answer because it has two words you don't like? "requires magic_quotes_gpc", just edit. – cbroughton Nov 15 '11 at 01:09
I didn't cast 3 downvotes, so I must not be the only one :) Anyway, since you edited your post, I removed my -1. I have to say, though, that it's not a matter of "words I don't like": answers (and accepted ones!) have a responsability here, so leaving errors (doesn't matter if big or small) decreases the value of what is being thaught, and for the good of the Community one should strive to make them as error-free as possibile, and those DV were signalling you that. Moreover, no matter if for test or production, the idea of a "universal sanitizer" is wrong, period. – Damien Pirsy Nov 15 '11 at 06:28

PHP Secure Session Login - Best Practice

1 Answers1

Linked