freelance84 Posted May 27, 2010

The site I am creating requires users to register and login before they can really use the site. Regarding security, so far I have learnt about:

. password salting
. session hijacking
. session fixation
. session timeout if the user does not log out
. duplicate login on multiple machine prevention
. sanitizing user input to database

My question is, have I missed off anything? Is it possible for somebody to duplicate a browser, thus "stealing" all a user's logged-in settings, meaning they become logged into the site? Regarding all things security I am very new (few days) so would very much appreciate any advice anyone could give me.

Cheers, John
Adam Posted May 27, 2010

With regards to "stealing a user's browser", that would depend upon the implementation. Really you shouldn't depend upon them just having the right session cookie; you could, for example, also validate them based upon IP. Cookies can be stolen and manipulated, you should never trust them.

. duplicate login on multiple machine prevention

Why is this a problem? What if I were to log in at home, leave my machine on, and come to work? I'd be unable to log on. Or what if I just moved to another machine in my house?

Have you read about XSS (cross site scripting)?
ixicoding Posted May 27, 2010

Here's a couple of basic things to make sure you're secured:

Custom Post/Get Requests
It may not be a big problem for you, but if you have an admin page for viewing registered users' accounts, you will want to check who's logged in and trying to access the page. I've created a couple of custom POST and GET requests to pages that would just spit out all the information on a given user's account without checking for any authentication. You can solve this by suppressing PHP errors so potential 'hackers' can't get your file structure, or ensuring there is an active/elevated session/account trying to access the information.

Simple SQL Security
If you're not accessing your database from anywhere other than the local machine, then it is good practice to make sure the database users are only able to log in from localhost. It's also good to make a custom user for the website that only has certain privileges; that way, if they manage to get in control, they cannot do too much anyway. Also, it may be common sense, but always password protect the database users.

.htaccess Protection
I'm not going to go too deep into how to set this up, but using .htaccess to restrict directories that a user can access via password protection also helps you out as far as unwanted people snooping. You basically set up a .htpasswd file and point to it with your .htaccess file. Put a copy of the .htaccess file in any directory you want to further password protect beyond sessions etc.

404/Directory Redirect
This is debatable and somewhat redundant, but set your 404 page to redirect to your index page, as well as any directory that you do not want people accessing. When people just randomly go through paths on your site they will always hit the index page. This can get pretty discouraging for someone looking for a hidden gem directory. If you have a directory called includes, link it to your index page unless a specific file is requested, so they don't actually know if that directory is real or not.

To answer your question, yes it is possible to steal cookies, which is why it is always good to double check the $_SERVER['REMOTE_ADDR'] variable (this gives the user's current I.P. address), or wherever you have it stored in your session variables, constantly. You want to compare the one held to the one the current user has; this way you can determine if the cookies have been stolen or not. You can further check browser type, operating system etc. if you really want to go in depth on this, but generally if someone is stealing the cookies they aren't going to be on the same computer as the victim, so the I.P. address should suffice.

Hope this helped a bit.

EDIT: Sorry if any of this has been mentioned, a few posts were made while I was typing this out.
Daniel0 Posted May 27, 2010

http://www.phpfreaks.com/tutorial/php-security
freelance84 Posted May 27, 2010 (Author)

Brilliant, thanks for the help!

Checking the $_SERVER['REMOTE_ADDR']: I've put the following into my authenticate, which is then checked on each page:

$unique = sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
$_SESSION['ip'] = $unique;

That tutorial page looks pretty in depth, thanks. I've never noticed the tutorials on this site; I've always searched the forum in Google so never saw the home page, ha!

Thanks again for the help
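The check the original poster describes, carried through as an added example that is not from the thread or the phpfreaks tutorial: the session is bound to the same REMOTE_ADDR + User-Agent fingerprint, the id is regenerated at login against fixation, and an idle timeout forces re-login. The function names, the 900-second limit and the /login.php path are my own assumptions.

```php
<?php
// Added example: session binding as discussed in the thread above.
// Names, the idle limit and the login URL are assumptions, not the thread's code.
declare(strict_types=1);

const IDLE_LIMIT = 900; // seconds of inactivity before forced re-login (assumed)

function client_fingerprint(): string
{
    // Same inputs the poster hashes; sha1 is acceptable here because this is a
    // comparison token stored server-side, not a password hash.
    return sha1(($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

function start_authenticated_session(int $userId): void
{
    // A fresh session id at login invalidates any id an attacker planted (fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
}

function require_login(): int
{
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])
        && hash_equals($_SESSION['fingerprint'], client_fingerprint())
        && (time() - (int) $_SESSION['last_seen']) <= IDLE_LIMIT;

    if (!$ok) {
        // Fingerprint mismatch or timeout: drop the session and ask for credentials again.
        // IP and User-Agent can change legitimately (mobile carriers, proxies, browser
        // updates), so a mismatch means "re-login required", not proof of theft.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php'); // assumed login page
        exit;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// On every protected page. HttpOnly keeps the cookie away from scripts (the XSS
// theft Adam mentions); Secure limits it to HTTPS. Array form needs PHP 7.3+.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
$userId = require_login();
```

Call start_authenticated_session() only after the password check succeeds, and call session_regenerate_id() again on any other privilege change.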