Login security

[mika]

Can someone please help to find the most important login precautions in terms of security. For example, I'think the most important is:

1. string escaping, prevent SQL injections

2.

3.

...

 

I know It's hard to find and consider all of them, that's why I'd like to have a list of the most important.

[laffin]

1. Sanitize external data, so it is inserted into db properly

2. Validate data, so data isnt out of bounds/meets a specification

3. Storage Areas, Beware of Cookies

[mika]

  Quote

3. Storage Areas, Beware of Cookies

 

Can you be more specific, any examples?

[scootstah]

String escaping and SQL sanitation has nothing to do with user authentication; it is necessary for any interaction with a database.

 

User authentication is hard, and easy to do incorrectly. Use existing secure solutions. Look at the code to see what they are doing, and why they are doing it.

 

With that said, these are the most important in my opinion (in no particular order):

1. Password storage

2. Persistent logins

3. Active sessions

4. User permissions

[laffin]

All those fall within the 3 steps for security

 

Storage Areas, I have seen many ppl who validate a login with a cookie, however since cookies are stored on client side, this makes them very vulnerable to editing. Use a Session base system to authenticate the user. Don't store any sensetive information in a cookie. (Sessions can use built in or one of the custom session handlers out on the net).

 

Its just a matter of not leaving much for the user to alter.

 

[mika]

  Quote

All those fall within the 3 steps for security

 

Storage Areas, I have seen many ppl who validate a login with a cookie, however since cookies are stored on client side, this makes them very vulnerable to editing. Use a Session base system to authenticate the user. Don't store any sensetive information in a cookie. (Sessions can use built in or one of the custom session handlers out on the net).

 

Its just a matter of not leaving much for the user to alter.

 

 

 

Are PHP sessions safe? Session ID is automatically sent to the server via session cookies. Is there any safer and at the same time efficent method? Is sending session IDs via url more secure? I believe it is not very practical.

[scootstah]

There's nothing wrong with using cookies. Just make it so if someone tries to spoof the cookie, they don't get away with it.

 

PHP session's are safe if you take precautions. If you're on a shared server, store them in a database and not on the file system (it stores in the file system by default). This is because on a shared server other users could theoretically access the session data. Read up on session hijacking and how to avoid it. This is a good read.

[floridaflatlander]

As a note I posted this about a db to hold session data in not long ago. http://www.phpfreaks.com/forums/index.php?topic=350129.msg1652266#msg1652266, also if you're not logging the user out when they log out or when they close their browser like I am then I would see where a db would be a better idea. I also went to the link scootstah had above and it was a big help.