
creating a secure php login script


paddy_fields


I'm about to start making a login system for my site. I've created one before but it was a simple SESSION system using session_start() and storing the username in SESSION['username'].

 

My new system has to be as secure as possible as the clients' data is sensitive, so I don't think this old method will suffice.

 

I've found this tutorial for secure session login on wikiHow....

 

http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

 

Could anyone give me their opinion on this before I start making it? If it's not a good method then I'd rather not waste the time trying to implement it.

 

Any advice would be great


That code looks pretty solid and I'll throw in a few pointers, maybe some food for thought.

 

One has to realize there is never a system out there that will guarantee 100% security from the client side, because you as the coder/developer can only implement so many security measures. Many people, if you look at statistics online, use the same password for multiple sites varying from social networks, email, forums, online services, etc. One of the many ways you can prevent this is forcing your clients to change their password every month or so, and preventing the same passwords from being used. If someone is trying to access your client's information and the thief/criminal knows the individual on a personal level, he can attack other sites which have his information and haven't implemented proper security measures, and the cyber criminal will most likely try it on other sites he knows the victim is using the password on. If you can manage to steal the password from 1 site, you can try that password on several other websites regardless of how secure your code is.

 

There was a case not too long ago where the CEO of Yahoo refused to use a passcode on her iPhone, and a lot of confidential information such as emails with co-workers was on her phone. Yahoo implements a great security system for login, but the security hole could be the CEO. Imagine someone stole her phone.

 

So think about this carefully if you are worried about security; a lot of people believe it's the code itself, in most cases it's not.

Edited by Dowlat

Thank you both.

 

Dowlat - I appreciate the detailed run-through, it's very helpful. I was referring more to the technical strength of the code in question, but I will make sure to implement expiring passwords as you say. I probably wouldn't have thought to do that if you hadn't pointed it out.

 

As my clients' data is sensitive I need to do all I can to make it as secure as possible.

 

I'll start with this method in the tutorial to begin with, and then add additional security measures afterwards such as expiring passwords and strict rules on password suitability.


After the line where they commented that session_regenerate_id() deletes the session without using the delete-old-session parameter, I wouldn't trust it to be up to date and/or do exactly what it says. I would have someone take a good look at it.


If security is a big concern, another idea is authentication above and beyond the password. Send an SMS or e-mail with a one time code valid for an hour as part of the login process or challenge the user with security questions (mother's maiden name, home phone, account number, etc.). You can choose to use these additional challenges only on new browsers (allow them to set a cookie if they expect to use the computer again).


Thank you both.

 

Dowlat - I appreciate the detailed run-through, it's very helpful. I was referring more to the technical strength of the code in question, but I will make sure to implement expiring passwords as you say. I probably wouldn't have thought to do that if you hadn't pointed it out.

 

As my clients' data is sensitive I need to do all I can to make it as secure as possible.

 

I'll start with this method in the tutorial to begin with, and then add additional security measures afterwards such as expiring passwords and strict rules on password suitability.

 

No problem champ.

 

That's my account btw, I tried everything to regain it, so I logged in with Facebook instead. Hope the mods don't mind. I'll make this my official account.

Edited by GetFreaky

If security is a big concern, another idea is authentication above and beyond the password. Send an SMS or e-mail with a one time code valid for an hour as part of the login process or challenge the user with security questions (mother's maiden name, home phone, account number, etc.). You can choose to use these additional challenges only on new browsers (allow them to set a cookie if they expect to use the computer again).

 

Nice idea! I'm not sure if I could warrant that per login, but for the initial login for each user that would be a very nice method, especially on a new browser or possibly from a new IP address? Would it be feasible to have a whitelist of IP addresses, or is that still quite simple for a hacker to get around?


A whitelist of IP addresses would be reasonable, but I'd time them out so an IP that got on the list was not there forever. You could require a cookie on the browser that was tied to an IP address stored on the server. If the user logs in with the same browser and is at the same IP he gets in with just a password, otherwise he gets challenge number 2. Folks with a DHCP server may end up being challenged every time even if they are sitting in the same place, though usually your server will see their firewall/router's IP.

 

A personal rant about secure passwords. I understand the desire to have a long, hard-to-crack, changing password from the perspective of a system administrator, but I am a user too. The tougher the password requirements, the more chance that I'll forget it. After all, how many 12-character passwords that require 2 cases, 2 numbers and a special character can I remember, especially if it changes every few months? So, the more secure the password, the larger the chance that I leave it on a Post-it or use the "I forgot my password, please reset it" mechanism. The more frequently the reset password mechanism gets used, the more pressure to make it easy and quick for the user (less secure). So, there is a point at which requiring more secure passwords may create less secure results.

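davidannis's two suggestions put together, a one-time code sent out of band and a cookie tied to the user's IP that skips the second challenge for a limited time, as an added PHP example that is not code from the thread or from the wikiHow tutorial. It assumes an open session, a PDO connection in $pdo, the trusted_devices table described in the comment, PHP 7.3+ for the setcookie options array, and that the caller passes in the client IP (normally $_SERVER['REMOTE_ADDR']).

```php
<?php
// Added example: step-up authentication after a correct password.
// Assumed table:
//   CREATE TABLE trusted_devices (user_id INT NOT NULL, token_hash CHAR(64) NOT NULL,
//     ip VARCHAR(45) NOT NULL, expires_at INT NOT NULL, PRIMARY KEY (user_id, token_hash));
const TRUST_DAYS = 30;   // a trusted browser/IP pair times out rather than living forever

// True when this browser presents a device cookie that is on record, unexpired,
// and was issued to the same IP address.
function device_is_trusted(PDO $pdo, int $userId, string $ip): bool {
    if (empty($_COOKIE['device'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM trusted_devices
        WHERE user_id = ? AND token_hash = ? AND ip = ? AND expires_at > ?');
    $stmt->execute([$userId, hash('sha256', $_COOKIE['device']), $ip, time()]);
    return (bool) $stmt->fetchColumn();
}

// After the second challenge succeeds: remember this browser + IP for TRUST_DAYS.
function trust_device(PDO $pdo, int $userId, string $ip): void {
    $token   = bin2hex(random_bytes(32));          // raw token goes only to the browser
    $expires = time() + TRUST_DAYS * 86400;
    $pdo->prepare('INSERT INTO trusted_devices (user_id, token_hash, ip, expires_at)
        VALUES (?, ?, ?, ?)')->execute([$userId, hash('sha256', $token), $ip, $expires]);
    setcookie('device', $token, [
        'expires'  => $expires,
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from page scripts
        'samesite' => 'Strict',
    ]);
}

// One-time code for the SMS/e-mail challenge, valid for one hour and used once.
function issue_one_time_code(): string {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $_SESSION['otp'] = ['hash' => password_hash($code, PASSWORD_DEFAULT),
                        'expires' => time() + 3600];
    return $code;   // hand this to your SMS/e-mail sender, never to the browser
}

function verify_one_time_code(string $entered): bool {
    $otp = $_SESSION['otp'] ?? null;
    unset($_SESSION['otp']);    // single use, whether or not it matches
    return $otp !== null && time() < $otp['expires']
        && password_verify($entered, $otp['hash']);
}
```

Flow: once password_verify() succeeds, call device_is_trusted(); if it returns false, call issue_one_time_code(), send the code, and after a successful verify_one_time_code() call trust_device() so the same browser at the same IP skips the challenge until the row expires.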

I'd say there's room to improve there.

 

For instance, if you can detect that somebody is hitting your login form beyond a reasonable number of attempts, you should block them at the server level. If they just exceeded X number of login attempts, you can lock them out for 10 or 20 minutes, but locking somebody out doesn't mean that they won't keep hammering on your login.

 

Another thing I'd do is put the session ID in the database, then match it on requests after login. On logout delete the session ID. You might do the same for session expiration.

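The session_regenerate_id(true) point raised earlier in the thread and sKunKbad's suggestion of keeping the session ID in the database, shown together as an added PHP example (not code from the thread or the tutorial). It assumes session_start() has already run, a PDO connection in $pdo, a users table with id, username and password_hash columns, and the sessions table given in the comment.

```php
<?php
// Added example: rotate the session ID at login, mirror it server-side,
// check it on every request, and delete it on logout or expiry.
// Assumed table: CREATE TABLE sessions (session_id VARCHAR(128) PRIMARY KEY,
//   user_id INT NOT NULL, expires_at INT NOT NULL);
const SESSION_TTL = 1800;   // 30 minutes of inactivity

function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // true = delete the old session data, so the pre-login ID cannot be reused
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $pdo->prepare('INSERT INTO sessions (session_id, user_id, expires_at) VALUES (?, ?, ?)')
        ->execute([session_id(), $user['id'], time() + SESSION_TTL]);
    return true;
}

// Call at the top of every protected page: the ID in the cookie must still be
// on record, unexpired, and belong to the user the session data claims.
function session_is_valid(PDO $pdo): bool {
    $stmt = $pdo->prepare('SELECT user_id FROM sessions WHERE session_id = ? AND expires_at > ?');
    $stmt->execute([session_id(), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false || (int) $userId !== (int) ($_SESSION['user_id'] ?? 0)) {
        return false;
    }
    // sliding expiry: keep extending while the user stays active
    $pdo->prepare('UPDATE sessions SET expires_at = ? WHERE session_id = ?')
        ->execute([time() + SESSION_TTL, session_id()]);
    return true;
}

function logout(PDO $pdo): void {
    $pdo->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([session_id()]);
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600);   // expire the cookie in the browser
    session_destroy();
}
```

Because validity is decided by the database row, an ID that has been logged out or has expired is rejected even if a browser still sends it; expired rows can be swept with a periodic DELETE FROM sessions WHERE expires_at < the current time.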

Thanks davadannis, I like the idea of timing out the IP address whitelist... that's going on the list. And I agree regarding password length, the application still needs to be easily accessible by a user who isn't trying to simply hack the site!

 

For instance, if you can detect that somebody is hitting your login form beyond a reasonable number of attempts, you should block them at the server level.

 

sKunKbad, how would I block someone at server level? Do you mean I should log their IP address and then not even allow them to access the login form at all? i.e. redirect to a 'go_away_you_bugger.php' if they try to access login.php?

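sKunKbad's lockout suggestion written out as an added PHP example (not code from the thread): failed attempts are counted per username and per client IP, and once the limit is reached the handler refuses with a 429 before the password is checked, which is one way of blocking at the server level without hiding the form. It assumes a PDO connection in $pdo, the login_attempts table in the comment, and an existing login() function that returns true on a correct password; the IP in the comment is a constructed sample.

```php
<?php
// Added example: lock out a username or IP after too many failed logins.
// Assumed table: CREATE TABLE login_attempts (subject VARCHAR(255) NOT NULL,
//   attempted_at INT NOT NULL, INDEX (subject, attempted_at));
const MAX_ATTEMPTS = 5;          // per username in the window
const LOCKOUT_SECS = 15 * 60;    // window and lockout length

// Failures in the window for a subject such as "user:alice" or "ip:203.0.113.7".
function recent_failures(PDO $pdo, string $subject): int {
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM login_attempts WHERE subject = ? AND attempted_at > ?');
    $stmt->execute([$subject, time() - LOCKOUT_SECS]);
    return (int) $stmt->fetchColumn();
}

function record_failure(PDO $pdo, string $subject): void {
    $pdo->prepare('INSERT INTO login_attempts (subject, attempted_at) VALUES (?, ?)')
        ->execute([$subject, time()]);
}

function clear_failures(PDO $pdo, string $subject): void {
    $pdo->prepare('DELETE FROM login_attempts WHERE subject = ?')->execute([$subject]);
}

// An IP is often shared behind NAT, so its limit is looser than the per-user one.
function is_locked_out(PDO $pdo, string $username, string $ip): bool {
    return recent_failures($pdo, 'user:' . $username) >= MAX_ATTEMPTS
        || recent_failures($pdo, 'ip:' . $ip) >= MAX_ATTEMPTS * 4;
}

// Wrap the real password check: login() is assumed to exist and return bool.
function attempt_login(PDO $pdo, string $username, string $password, string $ip): string {
    if (is_locked_out($pdo, $username, $ip)) {
        http_response_code(429);   // Too Many Requests, sent before any hash comparison
        return 'locked';
    }
    if (login($pdo, $username, $password)) {
        clear_failures($pdo, 'user:' . $username);
        return 'ok';
    }
    record_failure($pdo, 'user:' . $username);
    record_failure($pdo, 'ip:' . $ip);
    return 'denied';   // same answer for a wrong username and a wrong password
}
```

In login.php call attempt_login($pdo, $_POST['username'], $_POST['password'], $_SERVER['REMOTE_ADDR']); a locked-out client that keeps hammering the form costs only a COUNT query per request, and rows older than LOCKOUT_SECS can be purged periodically.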
