Security When Checking Privileges

[cberube09]

I have a general question that I would like to ask...

On the site that I am working on, I set a cookie to determine if a user has logged in, or if a user is an administrator, it sets another cookie. 

 

Privileges in the site are determined by using a simple isset() function to check for the cookie.

 

I'm wondering about the security of this.  My form inputs do not allow html or javascript, but my web host is a shared host on godaddy and I'm wondering if I should be worried about stolen cookies?

 

What would you do?  Thanks!

[The Little Guy]

I would use sessions to check if a user is an administrator, because users can modify cookies.

 

session_start();
if($_SESSION['group'] != 1){   // Assuming 1 equals administrator group
     header("location: /");
     exit;
}

[cberube09]

Thanks, that is quite interesting.  Should I also be implementing some king of session regeneration?

 

What if I wanted to have a "Remember Me" feature, how could I use a cookie but keep the application secure?

[revraz]

The Remember Me would have to use a cookie, and you can store their ID and some type of authentication key to go with it, but separate from their PW.

[cberube09]

Thanks, I'm going to do a little more research and coding on the issue now and we'll see what happens.

[The Little Guy]

What I do... is when the user logs in, there is a unique id (different from id #) that he/she is assigned to.

 

if the cookie for this is set and the user is not currently logged in, when the user comes back to the site, I automatically log him/her in using that unique id stated above.

[cberube09]

What I do... is when the user logs in, there is a unique id (different from id #) that he/she is assigned to.

 

if the cookie for this is set and the user is not currently logged in, when the user comes back to the site, I automatically log him/her in using that unique id stated above.

 

This is very interesting.  I understand the concept, but I still am relatively new to PHP.  Could you elaborate on the process of doing this a little?  I can't  tell you how much I would appreciate it.

[PFMaBiSmAd]

Your cookie should only indirectly (don't put a username or a row id or any other easy to determine or guess direct identifying value into it) identify who a visitor is. Your cookie or a value in it should not determine if they are logged in. Your cookie or a value in it should not determine if they are an administrator. Your cookie or a value in it should not determine their privileges on your site.

 

The sites that put easily determined or guess direct identifying information into cookies, or use cookies to indicate you are logged in, an administrator, or what your privileges are on the site are quickly taken over by hackers.

 

What you should do is generate a unique id that is stored in the cookie and in the visitor's row in your user table. This unique id ties the identifying cookie to the actual visitor's information in your user table. Values in the row in the user table determine if the visitor is logged in, if they are an administrator, and what their privileges are on your site.

 

When a visitor first comes to your site, if they have an identifying cookie that matches a row in your user table, check the values in the user table. If they are not currently logged in, require that the login in form be submitted. Once they submit the log in form, use a session to remember that they are logged, that they are an administrator, and what their privileges are on your site.

[cberube09]

I feel like such an idiot...So I make a row in the database for the identifying id.  I could then generate a random number and assign it to a variable that places it into both a cookie and the database under the correct user.  Then I can check if the cookie id matches what is in the database, and if it does, I can assign session privileges, and if not (or if the cookie is expired) I delete the id from the database.

 

Is that right?

[The Little Guy]

First we want to place this on EVERY page:

 

session_start();
// Next line will check the following:
// Is the user logged in?
// Is a cookie for remember me set?
// Is this the login page? (don't redirect to login page if we are already there, creates an endless redirect loop)
if(!$_SESSION['logged'] && isset($_COOKIE['loginInfo']) && $_SERVER['SCRIPT_NAME'] != '/login.php'){
     header("Location: /login.php");  // Go to login page
     exit; // Stop rest of script for sure
}

 

Next we will want to log the user in if he/she is returning...

 

errors may follow, I didn't test this, but the theory behind it should be correct...

session_start(); // Start a session
$dbID = mysql_real_escape_string('kj34i4984jr09rjfd90r0404g76ado8s');    // Our fake unique login id (replace with $_COOKIE['loginInfo'])
if(isset($_COOKIE['loginInfo']) && !$_SESSION['logged']){
     $sql = mysql_query("SELECT * FROM dbName WHERE remember = '$dbID'");
     if(mysql_num_rows($sql) < 1) // ID doesn't exist, possible hack attack cookie
          setcookie ("loginInfo", "", time() - 3600); // Delete the hack attack cookie
}else{
     // Cookie was not set user must be logging in using a user name and password from the form provided.
     $user = mysql_real_escape_string($_POST['username']);
     $pass = mysql_real_escape_string($_POST['password']);
     $sql = mysql_query("SELECT * FROM dbName WHERE user = '$user' && pass = '$pass'");
     $row = mysql_fetch_array($sql);
     if(isset($_POST['remember'])){ // Check to see if the user checked the "Remember Me" check box, set a cookie if he/she did.
          setcookie('loginInfo', $row['uniqueid'], strtotime("now +20 years"),'/','.domain.com'); // set a cookie that expires in 20 years
     }
}

if(mysql_num_rows($sql) == 1){
     mysql_data_seek($sql, 0);
     $row = mysql_fetch_array($sql);
     $_SESSION['first'] = $row['first'];
     $_SESSION['last'] = $row['last'];
     $_SESSION['id'] = $row['id'];
     $_SESSION['email'] = $row['email'];
     // etc, etc...
     $_SESSION['logged'] = TRUE;
     header("Location: /user.php"); // Login is good! go to users page....
     exit;
}else{
     header("Location: /login.php"); // Login is bad. go to login page....
     exit;
}

[cberube09]

Okay, thanks!  Would it be beneficial to add

session_regenerate_id(true)

after the session is started?

[The Little Guy]

its entirely up to you... I don't see it as a bad thing.

[xylex]

session_regenerate_id() is a necessary thing to do to prevent session fixation attacks, so yes, this is really important to include if you have a forever cookie.

 

Also, make sure that your algorithm to generate a unique key for a forever login cookie is sufficiently difficult to figure out and should probably include some part of the user's password in the pre-hash value.  Recently, there was a commercial CMS that went open source, and showed that the forever cookie was just an md5 of the publicly available user id salted with a 6 digit number picked on install, so that would take someone about two minutes to get admin access.

[PFMaBiSmAd]

The unique id you put into a cookie for identification purposes should be periodically regenerated for the same reason a session id is periodically regenerated, so that it is not just a static value that can eventually be picked apart and reproduced for any other user.