ajoo

Everything posted by ajoo

  1. Hi Guru Jacques, Thanks for the reply. I must be getting paranoid about security. Now that you mention it and I am thinking about it I am not so sure which threat I am worried about. I think I had in mind someone impersonating the pages related to password resetting, be it the password email request page or the page in response to that request. Since these pages are public and can be accessed directly I was getting a bit worried. If that's OK so long as the form and fields authentication / validation is good and if you think there is nothing else that needs to be looked into then I am good. Thanks.
  2. Hi all ! I would have liked to continue this question on my previous post but since it became too long I thought I'd post a new one. I would like to add the following bit of code on my reset page:

     $current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
     $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
     if ($referrer === $current) {
         // called from this page
     } else {
         // called from somewhere else
     }

     to ensure that the page is being called from where it should be called. Is this OK or is there a better ( read more secure ) way to do it? (I think I read in one of the posts, quite some time ago, that this was not altogether secure). Since the password reset page is publicly accessible what other security concerns can turn up because of that and what care should be taken. Thanks all !
  3. Hi Psycho, Thanks for the advice. I think you are referring to a second channel of authentication like maybe via an sms. As of now, I would be more than pleased if I can just get this logic to be implemented correctly. Certainly I would like to implement that at a later stage maybe. I have that in mind already. Thanks again !
  4. Thanks funster for all the help and discussion & for being such a sport
  5. Hi Guru Jacques and Funster, Thanks for the replies and the discussion. Your discussion on the various techniques will go a long way to clear the doubts of many newcomers like me, especially for issues that are related to security so closely. Thanks very much. I think I will stick with the advice offered by Guru Jacques since that relates more to the security of applications on the internet. I think I have made up my mind, with the input from all who replied to this, to keep it simple, all in one table. This is how I think I will do it: Have just one field for the hashed token and time stamp which I guess can be used both for account activation and password reset. There can be no confusion in the tokens since the password reset can only take place after the account activation. Have 2 boolean fields: one for account activation and one for password resetting. The password reset field can be toggled for each valid password reset request. And later reset back once the password has successfully changed. Once the account is activated I'll change the related token field to null. Same for password reset. So that would be a total of 4 additional fields in the table. If there is still a flaw here in the logic, kindly alert me. Thanks a lot everyone.
  6. Thanks Guru Jacques & Funster for the inputs. Funster if you don't store the tokens, then what does the link compare to once it's been clicked by the user? I believe it's not possible to retrieve the data once it has been hashed. Any particular reason for being so averse to storing tokens. Guru Jacques, I'll read up on the link and revert. Thank you both.
  7. Thank you Guru Jacques for clarifying the subtle but huge differences between the two procedures. Are you suggesting that checking and changing (resetting to NULL once used) the token be an atomic operation? I have also tried to use a bit of logic which prevents multiple tokens from being generated till a certain time period has lapsed. I was thinking of keeping the tokens and their time stamps in a separate table and updating the account activation field in the users table once the token had been authenticated and also deleting that row with the token and time stamp from the table (with just token & ts ) all at one go. Reason being that 1. the tokens once used are not needed and are in fact a security hazard if kept. 2. only relevant data is stored in the users table preventing clutter. After psycho advised against using the delete operations I am thinking of forgetting about the deletions and just setting the tokens to NULL. Please advise. Thank you.
  8. Thank you Psycho for that detailed information especially about the delete operations. I'll have to decide about using or not using them but as of now I think I'll just let them be. Thanks
  9. Hi ginerjm, Thanks for the revert. Since the token, once verified & used is no longer required, so I thought if I would create a new table (say temp ) to keep that data ( token with a time stamp) and I would update the activate field in the users table ( the main table with user details. ) Once it's been activated ( for account activation ), the values in the temp table are no longer needed and so that can be deleted. In fact I delete the record as soon as the activation has been achieved. I have no idea so I asked. If I forgot my plain text password and google has no way of knowing it since they don't store plain passwords, how would an old password help? Probably they have the hashes of old passwords stored. So once again, would this be a good or a bad idea to delete the records of the temporary tokens and timestamps for the same. Thanks loads !
  10. Hi all ! It looks to me that sending an activation email and resetting a password are more or less similar operations as both require a token to be returned to the website for verification and thereafter changing the password. The two cannot be confused since password resetting must obviously always, if at all, occur after account activation. The record in the database would in any case be deleted after any of these operations have been executed successfully. So I was wondering if it is alright to use the same table in the database for both these operations. Or do we need to retain some information in the database after these operations are completed. Information that can be handy later for some operations I cannot think of right now. I have noticed that google asks for any old password that a user can recall. What do they do with that? How can they identify a user with that I wonder ? They wouldn't be storing plain passwords would they? Thanks all !
  11. (thread: phpmailer) Thank you Guru Jacques. Happy to take your advice always !
  12. (thread: phpmailer) By numeric I mean the integer and float values. Values stored in a DB, auto increment values etc. I think, I am almost sure, that I have used the number value for all the number inputs but I'll recheck that. What about filter_validate_number? Is that a good option too? Thanks !
  13. (thread: phpmailer) Hi Guru Jacques, I think I have asked this before but since I could not find your reply, I'll ask it once again. For escaping HTML output you suggested a great function html_escape(), that I can use to sanitize all strings. The question is how to validate a numeric output. For example if there is a form field which expects numeric input then we need to check that the input is indeed numeric. Would using the is_numeric() function be sufficient for this purpose ? Anything else that we would need to take care of ? Thanks !
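As an added example (not code from the thread) for posts 12 and 13: is_numeric() also accepts "1e3", "42.0" and ".5", which is wrong for an integer id coming from a form, whereas filter_var() with FILTER_VALIDATE_INT accepts only a plain base-10 integer, optionally within a range. The validate_int/validate_float/load_user_id names and the sample inputs are mine.

```php
<?php
// Added example, not from the thread: validating numeric form input (posts 12 and 13).
// is_numeric() accepts exponent and decimal forms; FILTER_VALIDATE_INT does not.
declare(strict_types=1);

// Returns the integer, or null if $input is not a plain integer within [$min, $max].
function validate_int(string $input, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    $v = filter_var($input, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Floats: FILTER_VALIDATE_FLOAT still accepts exponent notation, so add a finite range check.
function validate_float(string $input, float $min, float $max): ?float
{
    $v = filter_var($input, FILTER_VALIDATE_FLOAT);
    if ($v === false || !is_finite($v) || $v < $min || $v > $max) {
        return null;
    }
    return $v;
}

// Typical use: an id posted by a form is validated before it goes anywhere near a query.
function load_user_id(array $post): ?int
{
    return validate_int((string) ($post['user_id'] ?? ''));
}

// Constructed inputs (input, is_numeric(), validate_int()):
//   "42"     true   42
//   "+42"    true   42
//   "1e3"    true   null   (exponent form)
//   "42.0"   true   null   (not an integer)
//   "0x2A"   false  null
//   "-5"     true   null   (below the default min_range of 1)
```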
  14. (thread: phpmailer) Hi Guru Jacques, Thank you for the response and sorry for the delayed reply. The echo in the code was only for testing the loop traversed but I get the point. Thanks and will come back for more!
  15. (thread: phpmailer) Hi all ! I used the following script to send a test mail which works fine.

     <?php
     require_once('PHPMailer-master/class.phpmailer.php');
     require_once('PHPMailer-master/PHPMailerAutoload.php');

     define('USER', 'mymail@gmail.com'); // GMail username
     define('PWD', 'myPassword');        // GMail password

     $to = 'mee@gmail.com';
     $from = 'mymail@gmail.com';
     $from_name = 'Ajoo';
     $subject = 'Test Message';
     $body = 'This is PHP Mailer in Action';

     smtpmailer($to, $from, $from_name, $subject, $body);

     function smtpmailer($to, $from, $from_name, $subject, $body)
     {
         global $error;
         $mail = new PHPMailer();       // create a new object
         $mail->IsSMTP();               // enable SMTP
         $mail->SMTPDebug = 0;          // debugging: 1 = errors and messages, 2 = messages only
         $mail->SMTPAuth = true;        // authentication enabled
         $mail->SMTPSecure = 'ssl';     // secure transfer enabled REQUIRED for GMail
         $mail->Host = 'smtp.gmail.com';
         $mail->Port = 465;
         $mail->Username = USER;
         $mail->Password = PWD;
         $mail->SetFrom($from, $from_name);
         $mail->Subject = $subject;
         $mail->Body = $body;
         $mail->AddAddress($to);
         if (!$mail->Send()) {
             $error = 'Mail error: ' . $mail->ErrorInfo;
             echo 'Mail error';
             return false;
         } else {
             echo 'Message Sent';
             $error = 'Message sent!';
             return true;
         }
     }
     ?>

     I just want to know if this is secure enough. It was pointed out in a previous mail that the php mail() function was not secure by itself and the variables were vulnerable to various mail injections. So is this safe now just by virtue of the fact that it's using a library and that takes care of the security ? Or do we need to take some precautions here too. Thanks all !
  16. Hi Guru Jacques, Would this be the correct equivalent ?

     $mailcode = bin2hex(random_bytes(16));  // Use this to send as a token in the email
     $s = hash('sha256', $mailcode, true);   // Store this hash in the DB for the comparison later.

     If the above is OK, then I would like to ask what is the need to hash the token before storing it in the DB ? Thanks !
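An added example, not code from the thread, that puts together the one-table design of post 5 (hashed token, timestamp, a pending flag), the token generation of post 16 and the atomic check-and-clear that post 7 asks about; it also answers post 2, since the reset page trusts the token from the link rather than HTTP_REFERER. It assumes a PDO handle $pdo and a users table with the columns id, email, activated, token_hash, token_expires, reset_pending and password_hash (column and function names are mine).

```php
<?php
// Added example, not the poster's code. Only the SHA-256 hash of the token is stored, so a
// leaked users row cannot be turned into a working reset link; the raw value lives only
// in the email. Assumes a PDO handle $pdo and the users columns named in the lead-in.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a reset link stays valid

function issue_reset_token(PDO $pdo, string $email): ?string
{
    $token = bin2hex(random_bytes(16));             // 128 bits from the CSPRNG, 32 hex chars
    $hash  = hash('sha256', $token);                // 64-char hex digest kept in the DB
    $stmt  = $pdo->prepare(
        'UPDATE users SET token_hash = ?, token_expires = ?, reset_pending = 1
         WHERE email = ? AND activated = 1'
    );
    $stmt->execute([$hash, time() + TOKEN_TTL, $email]);
    return $stmt->rowCount() === 1 ? $token : null; // null: no such active account
}

// Consume a token from the link. Every condition is re-checked inside the UPDATE that
// clears the token, so two requests racing with the same link cannot both succeed.
function consume_reset_token(PDO $pdo, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {  // anything else was never issued by us
        return null;
    }
    $hash = hash('sha256', $token);
    $sel  = $pdo->prepare('SELECT id FROM users WHERE token_hash = ? AND reset_pending = 1');
    $sel->execute([$hash]);
    $id = $sel->fetchColumn();
    if ($id === false) {
        return null;
    }
    $upd = $pdo->prepare(
        'UPDATE users SET token_hash = NULL, token_expires = NULL, reset_pending = 0
         WHERE id = ? AND token_hash = ? AND reset_pending = 1 AND token_expires > ?'
    );
    $upd->execute([(int) $id, $hash, time()]);
    return $upd->rowCount() === 1 ? (int) $id : null; // null: used, expired, or lost the race
}

// Reset form handler: the token and the new password arrive together in the POST body.
$id = consume_reset_token($pdo, (string) ($_POST['token'] ?? ''));
if ($id !== null) {
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
        ->execute([password_hash((string) $_POST['password'], PASSWORD_DEFAULT), $id]);
}
```

Account activation uses the same two functions with the activated flag in place of reset_pending; a failed consume should produce one generic "link invalid or expired" message so the page does not reveal which condition failed.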
  17. Thank you Guru Jacques!! for those inputs. I'll look into them and revert soon with the changes. Thanks !!
  18. Hi Kicken, Would this be the right way to do it and is this good enough from the security standpoint.

     $user = 'Jack';
     $mailcode = bin2hex(random_bytes(16));
     $s = hash_hmac('sha256', $mailcode, $user, true);
     $s = base64_encode($s);

     And then use $s as the secure token. Thanks loads.
  19. Thanks for the clarifications once again.
  20. Hi Kicken, Thanks for the reply. The token is being used only to mark the account active. There is no autologin after that. Just a message on a page welcoming the user and a button to redirect to the login page.

     $mc = md5($_SERVER['REMOTE_ADDR'] . microtime() . rand(1, 100000));

     Is this method of creating a random token good enough ? I am using the email to check if it's a valid email matching one in the database before I go ahead and actually activate the account but I could do that with the token as well I guess. So maybe I can remove the email in that case as suggested by you. Thanks again.
  21. Hi all, I am using the following code snippet to send a mail on registration for the purpose of account verification by the user.

     <?php
     $user = 'Jack';
     $pass = 'You may pass';
     // a random string to be checked against itself stored in the DB
     $mc = md5($_SERVER['REMOTE_ADDR'] . microtime() . rand(1, 100000));

     function send_mail($from, $to, $subject, $body)
     {
         $headers = '';
         $headers .= "From: $from\n";
         $headers .= "Reply-to: $from\n";
         $headers .= "Return-Path: $from\n";
         $headers .= "Message-ID: <" . md5(uniqid(time())) . "@" . $_SERVER['SERVER_NAME'] . ">\n";
         $headers .= "MIME-Version: 1.0\n";
         $headers .= "Date: " . date('r', time()) . "\n";
         if (mail($to, $subject, $body, $headers) === true)
             return true;
         else
             return false;
     }

     if (send_mail(
         'mymail@gmail.com',
         'their@gmail.com',
         'Register your Account.',
         "Click on this link http://www.yoursite.com/registeracc.php?email='their@gmail.com'&mc=" . $mc . " to activate your account"
     ) === true)
         echo "Success";
     else
         echo "Failed";
     ?>

     I would like to know if this is Ok or is there a better and more secure way to do it? Are there any security concerns that should be taken into account here? Thanks all !
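An added example, not the poster's code, that hardens post 21's send_mail() against the mail header injection post 15 refers to: the From/To values and the subject land inside the header block, so a value containing CR or LF would let extra header lines (for instance more recipients) be appended. The clean_address/header_safe/activation_link names and the sample inputs are mine; the link host is the page's own placeholder.

```php
<?php
// Added example, not the poster's code: refuse any address or subject that is not a
// single clean line before it is concatenated into mail() headers.
declare(strict_types=1);

// Accept only one syntactically valid address with no control characters.
function clean_address(string $addr): ?string
{
    $addr = trim($addr);
    if ($addr === '' || strlen($addr) > 254 || preg_match('/[\r\n\0]/', $addr)) {
        return null;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false ? $addr : null;
}

// Non-address header values (Subject etc.) must be a single line as well.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

function send_mail(string $from, string $to, string $subject, string $body): bool
{
    $from = clean_address($from);
    $to   = clean_address($to);
    if ($from === null || $to === null || !header_safe($subject)) {
        return false;                            // refuse; do not try to "repair" the input
    }
    $headers  = "From: $from\r\n";
    $headers .= "Reply-To: $from\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8";
    return mail($to, $subject, $body, $headers); // Return-Path and Message-ID come from the MTA
}

// Build the activation link from the token alone. Post 21 also put the address in the URL;
// the token identifies the account by itself, so the address is better left out.
function activation_link(string $token): string
{
    return 'https://www.yoursite.com/registeracc.php?mc=' . rawurlencode($token);
}

// Constructed inputs: the second is refused, so the injected header never reaches mail().
// clean_address('their@gmail.com')                                   -> 'their@gmail.com'
// clean_address("their@gmail.com\r\nBcc: someone-else@example.net")   -> null
```

PHPMailer's AddAddress() applies its own address validation, but the application still decides which addresses it is willing to send to, so the same checks belong in front of the post 15 script as well.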
  22. Hi Requinix, Thanks for your inputs. I was able to manage it. Thanks !
  23. Hi Requinix, Thanks for that reply. Yes that's happening due to Input[type=submit]. The triangular bit of the arrow disappears. It is retained with button[type=submit] but the arrow is distorted. Please check the new update to the link : https://jsfiddle.net/ajoo/hm11o3oh/9/ . Is it not possible to use the Input[type=submit] without distorting the button? To see the initial button with <a = href='' .. > this link : https://jsfiddle.net/ajoo/hm11o3oh/1/ I mean I need this button to send post values to the page. Thanks.
  24. Hi Requinix, Thanks for the reply and sorry for the delay. I have been struggling with this for quite some time. I actually need to submit php values using the button, just like a regular button. I have been trying out this on a fiddle and here is the link to it : https://jsfiddle.net/ajoo/hm11o3oh/3/ The triangular part of the button breaks and the button loses its shape. Kindly have a look at the fiddle and guide. Thanks !