
Advice about a user-authentication script.


ridgey28


Hi

I want to create a user authentication (PHP & MySQL) script for a project that I am working on. I would like it to be secure; my main questions are:

 

Do you recommend using sessions or cookies?

How about password encryption? MD5 or SHA1, with or without a $salt variable, or others maybe.

 

The best way around a password reset / forgot password (Definitely want the most secure way)

 

My thoughts about the latter would be to enter the username/email in the forgotPassword page along with the secret question, mother's maiden name etc. (created when setting the script up).

 

Get the details right -> send a password reset link to the user's email address -> user clicks on the link within a certain time -> taken to a page where they can change their password

 

Does anyone recommend any other way or any further steps that I should take or think about?

 

Thanks in advance

 

Tracy

 
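The reset flow sketched above (request -> e-mail a link -> follow it within a time limit -> change the password), written out as an added example; this is not the original poster's code. The storage is an in-memory array standing in for the MySQL table, the mail step is a stub, and the 30-minute lifetime and the `example.invalid` URL are assumed values. The points it adds to the sketch are that the database stores only a hash of the token, that the token is single-use, that the comparison is constant-time, and that the request form responds identically for unknown and known addresses.

```php
<?php
// Added example (not the original poster's code): the reset flow described
// above, implemented with a random, hashed, single-use token that expires.
// $resetTable is an in-memory array standing in for a MySQL table with the
// columns (user_id, token_hash, expires_at, used); sendMail() is a stub.
// Requires PHP >= 7.1 (random_bytes, nullable return types).

const RESET_TTL_SECONDS = 30 * 60;      // link valid for 30 minutes (assumed value)

// Step 1: the user submits the e-mail address on record. The HTTP response is
// the same whether or not the account exists, so the form cannot be used to
// discover which addresses are registered.
function requestReset(string $email, array $accounts, array &$resetTable): ?string
{
    if (!isset($accounts[$email])) {
        return null;                    // outwardly identical to the success path
    }
    $token = bin2hex(random_bytes(32)); // 256-bit secret; it goes only into the e-mail
    $resetTable[] = [
        'user_id'    => $accounts[$email],
        'token_hash' => hash('sha256', $token), // DB keeps only the hash, never the token
        'expires_at' => time() + RESET_TTL_SECONDS,
        'used'       => false,
    ];
    // Always mail the address stored for the account, never one typed into the form.
    sendMail($email, "Reset your password: https://example.invalid/reset?token=$token");
    return $token;   // returned only so the demo below can play the user's click
}

// Step 2: the link is followed within the time limit. Returns the user id to
// reset, or null when the token is unknown, expired or already used.
function consumeResetToken(string $token, array &$resetTable): ?int
{
    $lookup = hash('sha256', $token);
    foreach ($resetTable as $i => $row) {
        // hash_equals(): constant-time comparison, no early exit on mismatch.
        if (!hash_equals($row['token_hash'], $lookup)) {
            continue;
        }
        if ($row['used'] || $row['expires_at'] < time()) {
            return null;
        }
        $resetTable[$i]['used'] = true; // single use: burn it before the password changes
        return $row['user_id'];
    }
    return null;
}

function sendMail(string $to, string $body): void
{
    echo "[mail to $to] $body\n";       // stand-in for mail() or a mailer library
}

// Constructed demo data.
$accounts   = ['tracy@example.invalid' => 42];
$resetTable = [];

$token = requestReset('tracy@example.invalid', $accounts, $resetTable);
requestReset('nobody@example.invalid', $accounts, $resetTable);             // silently ignored

assert(consumeResetToken($token, $resetTable) === 42);                      // first click works
assert(consumeResetToken($token, $resetTable) === null);                    // replay is rejected
assert(consumeResetToken(bin2hex(random_bytes(32)), $resetTable) === null); // guessed token fails
// Step 3: with the user id confirmed, show the change-password form, store the
// new password with password_hash(), and invalidate the account's open sessions.
```

The secret question from the original sketch is left out on purpose: answers like a mother's maiden name are low-entropy and often public, so the random token carries the security of the flow and the time limit bounds how long a leaked e-mail is useful.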


Password: sha1 minimum, md5 is pretty dead. Salts in my opinion are pointless.

Password forget: entering their email address and username is secure enough. A time limit might be an idea.

 

You'll also want to authenticate users when registering, a captcha + email verification is good security.


My opinion is sessions are always more secure, but to have "stay logged in" you will need to use cookies or store their IP address in the DB, which, as IPs can change, I see as a big security risk.

 

Now what I do with cookies:

 

Set 3

1- An auth code generated at login which has, say, their name in md5, then random stuff, then their location in md5, then random, then their second name in md5, then md5 the lot. This gets inserted into the DB as well.

2- Their username or email, depending on the details required to log in.

3- Their IP address (not stored in DB).

 

Then when they visit a page upon returning to the site, it checks there is a username or email of ....... from the cookie, then makes sure the auth code matches from DB to cookie, then makes sure the IP address matches. If any of these fail, you're booted out.

 

I tend to use the same method as you for password resets (I make sure the email gets sent to the email address they signed up with, not just the one supplied), but I always do it all with an SSL cert installed. All my passwords are md5 stored, but salt would be more secure combined with md5, or even a combination with sha1.
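A "stay logged in" cookie built the way a defender would want it today, as an added example rather than the poster's scheme above. The differences from the three-cookie approach: the cookie carries a random selector and validator instead of the username and md5 of personal details, the database stores only a hash of the validator so a dumped table yields no working cookies, the token is rotated on every use so a stolen copy dies the next time the real user visits, and the cookie is flagged Secure, HttpOnly and SameSite. The IP check is left out because, as the poster notes, client IPs change, which mainly logs out legitimate users. The table is an in-memory array standing in for MySQL; the 30-day lifetime and cookie name are assumed values. Requires PHP >= 7.3 for the `setcookie()` options array.

```php
<?php
// Added example, not the poster's code: a "remember me" cookie using the
// selector/validator pattern. $rememberTable is an in-memory stand-in for a
// MySQL table with columns (selector, user_id, validator_hash, expires_at).

const REMEMBER_TTL = 30 * 24 * 3600;          // 30 days (assumed value)

// Issued at login when the user ticks "stay logged in". Returns the cookie value.
function issueRememberToken(int $userId, array &$rememberTable): string
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key, indexed in the DB
    $validator = bin2hex(random_bytes(32));   // the secret; only its hash is stored
    $rememberTable[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires_at'     => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Browser-side flags: Secure (HTTPS only), HttpOnly (not readable from
// JavaScript), SameSite (not sent on cross-site requests).
function rememberCookieOptions(): array
{
    return [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Called on a request that has a remember cookie but no live session.
// Returns the user id to log in, or null. The token is consumed either way,
// so the caller must issue a fresh one after a successful redeem.
function redeemRememberToken(string $cookie, array &$rememberTable): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($rememberTable[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $rememberTable[$selector];
    unset($rememberTable[$selector]);         // one-time use: rotate on success, revoke on failure
    if ($row['expires_at'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // A wrong validator for a known selector means someone holds a guessed or
        // stale cookie; revoking the row forces a real password login.
        return null;
    }
    return $row['user_id'];
}

// Constructed demo. In a real request handler: redeem, then
// session_regenerate_id(true), then setcookie() with a newly issued token.
$rememberTable = [];
$cookie = issueRememberToken(7, $rememberTable);
assert(redeemRememberToken($cookie, $rememberTable) === 7);
assert(redeemRememberToken($cookie, $rememberTable) === null);      // replayed cookie fails

$cookie2 = issueRememberToken(7, $rememberTable);
[$sel] = explode(':', $cookie2, 2);
assert(redeemRememberToken($sel . ':' . str_repeat('0', 64), $rememberTable) === null); // forged validator
assert(!isset($rememberTable[$sel]));                                // and the selector is revoked

if (PHP_SAPI !== 'cli') {                    // headers cannot be sent from the command line
    setcookie('remember', issueRememberToken(7, $rememberTable), rememberCookieOptions());
}
```

On the session side this pairs with calling `session_regenerate_id(true)` whenever the privilege level changes (login, remember-me redeem) and keeping only the user id in `$_SESSION`, so a session that is somehow captured holds nothing reusable.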


Password: sha1 minimum, md5 is pretty dead. Salts in my opinion are pointless.

 

Scenario #1:

 

mySuperPassword -> sha1 -> e6fbf7ef9bfacf587a826bede3203aae8cd70d45

 

Rainbow Table or some other means tells the hacker this

 

thisWorksToYouKnow -> sha1 -> e6fbf7ef9bfacf587a826bede3203aae8cd70d45

 

and he successfully logs in.

 

Scenario #2:

 

mySuperPassword . WithSalt -> sha1 -> 542674b7c33a88e907348f2a82200173da9409ee

 

Again the hacker looks up the string:

 

thisWillWorkYouKnow -> sha1 -> 542674b7c33a88e907348f2a82200173da9409ee

 

The hacker enters thisWillWorkYouKnow (the system adds) . WithSalt -> 26089a503756b435698137c041bbf20b867db080 (sha1(concat(sha1($password), password_salt)))

 

Can't log in: username/password incorrect.

 

Of course this is not entirely 100% safe, because the hacker can then try to find a password (or brute-force one) that, when concatenated with the salt, turns up as 542674b7c33a88e907348f2a82200173da9409ee. The thing however is that it will take longer than if he just had to use some sort of RainbowTable.

 

Mchl would say security through obscurity :)
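The two scenarios above, run as code. This is an added example and not from the thread; it shows the unsalted case (two users with the same password get the same digest, so one table lookup covers both), the per-user random salt case (same password, different digests), and then what a PHP project should use in place of either: `password_hash()` / `password_verify()`, which exist in PHP since 5.5, pick and store the salt themselves, and use a deliberately slow, cost-adjustable algorithm (bcrypt by default) so the brute-force the post mentions at the end also becomes expensive per guess. The user names and passwords are constructed; `random_bytes()` requires PHP >= 7.0.

```php
<?php
// Added example, not from the thread: unsalted SHA1 versus a per-user salt
// versus PHP's built-in password_hash(). Sample users are constructed.

$users = [
    'alice' => 'mySuperPassword',
    'bob'   => 'mySuperPassword',    // same password as alice, on purpose
];

// 1. Unsalted SHA1 (Scenario #1): identical passwords give identical digests,
//    so one precomputed table lookup breaks every account sharing that password.
foreach ($users as $name => $pw) {
    printf("%-6s sha1          %s\n", $name, sha1($pw));
}

// 2. Per-user random salt (Scenario #2, with a random salt instead of a fixed
//    string): the same password now yields different digests per user, so a
//    table built for one salt says nothing about another account.
function saltedSha1(string $password): array
{
    $salt = bin2hex(random_bytes(16));    // 128-bit random salt, stored next to the hash
    return ['salt' => $salt, 'hash' => sha1($salt . $password)];
}

function verifySaltedSha1(string $password, array $record): bool
{
    // hash_equals() compares in constant time, so timing does not leak prefixes.
    return hash_equals($record['hash'], sha1($record['salt'] . $password));
}

foreach ($users as $name => $pw) {
    $rec = saltedSha1($pw);
    printf("%-6s salted-sha1   %s (salt %s)\n", $name, $rec['hash'], $rec['salt']);
    assert(verifySaltedSha1($pw, $rec));
    assert(!verifySaltedSha1('thisWillWorkYouKnow', $rec));
}

// 3. The built-in API: password_hash() generates the salt, runs a slow,
//    cost-adjustable algorithm (bcrypt by default) and encodes algorithm, cost
//    and salt into the stored string, so verification needs nothing else.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored, ?string &$upgraded = null): bool
{
    if (!password_verify($password, $stored)) {
        return false;
    }
    // If PHP's default algorithm or cost has risen since this hash was made,
    // hand back a fresh hash for the caller to store on this successful login.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upgraded = storePassword($password);
    }
    return true;
}

foreach ($users as $name => $pw) {
    $stored = storePassword($pw);
    printf("%-6s password_hash %s\n", $name, $stored);
    assert(checkPassword($pw, $stored));
    assert(!checkPassword('thisWorksToYouKnow', $stored));
}
```

Run it twice and the first two lines are identical each time while every other line changes: that difference is the whole argument against unsalted hashes, and `password_hash()` gives it for free.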


Do you recommend using sessions or cookies?

 

Sessions. Also don't store more in them than needed, and don't make the mistake of storing username/password in the session as a means to re-login, as it doesn't work; just extend the lifetime of the session.

 

The best way around a password reset / forgot password (Definitely want the most secure way)

 

de.monkeyz advises username/e-mail address; I seriously discourage you from following this, because usually when I have forgotten my password I also can't remember my username (actually I press forgot password whenever I forget my username, as my name seems to be popular around the web and I always have to go for ignace435, ignace67, ignace347, .. IF I EVER GET MY HANDS ON... :P)

 

The best is that any changes to an account have to be confirmed through e-mail.

 

All in all, security is great, but make sure you make it harder for hackers, not for your users; if you do, they will just go to your competitor, who is only one click away.
