Jump to content

Security When Checking Privileges

cberube09

By cberube09
in PHP Coding Help

 Share

Recommended Posts

cberube09 Newbie

cberube09

Posted
Posted

I have a general question that I would like to ask...

On the site that I am working on, I set a cookie to determine if a user has logged in, or if a user is an administrator, it sets another cookie. 

 

Privileges in the site are determined by using a simple isset() function to check for the cookie.

 

I'm wondering about the security of this.  My form inputs do not allow html or javascript, but my web host is a shared host on godaddy and I'm wondering if I should be worried about stolen cookies?

 

What would you do?  Thanks!

Link to comment
Share on other sites
cberube09 Newbie

cberube09

Posted
  • Author
Posted

What I do... is when the user logs in, there is a unique id (different from id #) that he/she is assigned to.

 

if the cookie for this is set and the user is not currently logged in, when the user comes back to the site, I automatically log him/her in using that unique id stated above.

 

This is very interesting.  I understand the concept, but I still am relatively new to PHP.  Could you elaborate on the process of doing this a little?  I can't  tell you how much I would appreciate it.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Your cookie should only indirectly (don't put a username or a row id or any other easy to determine or guess direct identifying value into it) identify who a visitor is. Your cookie or a value in it should not determine if they are logged in. Your cookie or a value in it should not determine if they are an administrator. Your cookie or a value in it should not determine their privileges on your site.

 

The sites that put easily determined or guess direct identifying information into cookies, or use cookies to indicate you are logged in, an administrator, or what your privileges are on the site are quickly taken over by hackers.

 

What you should do is generate a unique id that is stored in the cookie and in the visitor's row in your user table. This unique id ties the identifying cookie to the actual visitor's information in your user table. Values in the row in the user table determine if the visitor is logged in, if they are an administrator, and what their privileges are on your site.

 

When a visitor first comes to your site, if they have an identifying cookie that matches a row in your user table, check the values in the user table. If they are not currently logged in, require that the login in form be submitted. Once they submit the log in form, use a session to remember that they are logged, that they are an administrator, and what their privileges are on your site.

Link to comment
Share on other sites
cberube09 Newbie

cberube09

Posted
  • Author
Posted

I feel like such an idiot...So I make a row in the database for the identifying id.  I could then generate a random number and assign it to a variable that places it into both a cookie and the database under the correct user.  Then I can check if the cookie id matches what is in the database, and if it does, I can assign session privileges, and if not (or if the cookie is expired) I delete the id from the database.

 

Is that right?

Link to comment
Share on other sites
The Little Guy Prolific Member

The Little Guy

Posted
Posted

First we want to place this on EVERY page:

 

session_start();
// Next line will check the following:
// Is the user logged in?
// Is a cookie for remember me set?
// Is this the login page? (don't redirect to login page if we are already there, creates an endless redirect loop)
if(!$_SESSION['logged'] && isset($_COOKIE['loginInfo']) && $_SERVER['SCRIPT_NAME'] != '/login.php'){
     header("Location: /login.php");  // Go to login page
     exit; // Stop rest of script for sure
}

 

Next we will want to log the user in if he/she is returning...

 

errors may follow, I didn't test this, but the theory behind it should be correct...

session_start(); // Start a session
$dbID = mysql_real_escape_string('kj34i4984jr09rjfd90r0404g76ado8s');    // Our fake unique login id (replace with $_COOKIE['loginInfo'])
if(isset($_COOKIE['loginInfo']) && !$_SESSION['logged']){
     $sql = mysql_query("SELECT * FROM dbName WHERE remember = '$dbID'");
     if(mysql_num_rows($sql) < 1) // ID doesn't exist, possible hack attack cookie
          setcookie ("loginInfo", "", time() - 3600); // Delete the hack attack cookie
}else{
     // Cookie was not set user must be logging in using a user name and password from the form provided.
     $user = mysql_real_escape_string($_POST['username']);
     $pass = mysql_real_escape_string($_POST['password']);
     $sql = mysql_query("SELECT * FROM dbName WHERE user = '$user' && pass = '$pass'");
     $row = mysql_fetch_array($sql);
     if(isset($_POST['remember'])){ // Check to see if the user checked the "Remember Me" check box, set a cookie if he/she did.
          setcookie('loginInfo', $row['uniqueid'], strtotime("now +20 years"),'/','.domain.com'); // set a cookie that expires in 20 years
     }
}

if(mysql_num_rows($sql) == 1){
     mysql_data_seek($sql, 0);
     $row = mysql_fetch_array($sql);
     $_SESSION['first'] = $row['first'];
     $_SESSION['last'] = $row['last'];
     $_SESSION['id'] = $row['id'];
     $_SESSION['email'] = $row['email'];
     // etc, etc...
     $_SESSION['logged'] = TRUE;
     header("Location: /user.php"); // Login is good! go to users page....
     exit;
}else{
     header("Location: /login.php"); // Login is bad. go to login page....
     exit;
}

Link to comment
Share on other sites
xylex Newbie

xylex

Posted
Posted

session_regenerate_id() is a necessary thing to do to prevent session fixation attacks, so yes, this is really important to include if you have a forever cookie.

 

Also, make sure that your algorithm to generate a unique key for a forever login cookie is sufficiently difficult to figure out and should probably include some part of the user's password in the pre-hash value.  Recently, there was a commercial CMS that went open source, and showed that the forever cookie was just an md5 of the publicly available user id salted with a 6 digit number picked on install, so that would take someone about two minutes to get admin access.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

The unique id you put into a cookie for identification purposes should be periodically regenerated for the same reason a session id is periodically regenerated, so that it is not just a static value that can eventually be picked apart and reproduced for any other user.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.