Solved

.php login security advice

Posted on 2007-11-17
7
1,078 Views
Last Modified: 2012-06-27
I am currently building a login-user-cms with a backend database which will contain some sensitive data.
It is inspired by this tutorial:
http://www.roscripts.com/PHP_login_script-143.html

I have the following precautions:

* i only make use of sessions (no coockies)
* i use mysql_real_escape_string to protect mysql injection
* at login the IP is stored and on each form submission re-checked
* no includes with variables
* no php code error output (i don't use die() very often, but if->else statements)
* maximum of 3 login attempts

i am thinking of:
* using session_regenerate_id
* hashing the input of sensitive data with (javascript) SHA256
  http://www.bichlmeier.info/sha256.html

* encrypt the data in MYSQL, but the downside is possible trouble with SELECT statements ?

Am i over-paranoid, or do you think it will be a good idea to hash the input? And what about encrypting data? My biggest concern with encrypting is the slowdown.

I would appreciate your input & advice on this, i might have overseen things here.
Thanks in advance.
0
Comment
Question by:dwax
  • 3
  • 2
  • 2
7 Comments
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20305239
session_regenerate_id() -very  good choice, at least at login
hashing, encrypting - only if you are afraid of someone breaking to your base
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 20305270
You seem to be going about things the right way. Store sensitive information in SESSION variables as they are stored server side. If you are being *really* paranoid then be aware that ALL session cookies on a server are usually stored in /tmp (*nix - I'm not sure about Windows), but Zend have a datasheet on modifying these to store them in the database instead. See here

http://devzone.zend.com/node/view/id/1312

about halfway down the page.

As far as encryption goes, there is no need to encrypt absolutely everything. For instance to hide information about someone it my be enough to encrypt just their name - particularly if it is not a search term. If you do have to encrypt "searchable" fields then feed them into an algorithm that produces some output that is searchable so that you can massively reduce stuff that needs decrypting for searching.
0
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20306954
You can also use OpenSSL to encrypt comunication between client and server. It's free.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:dwax
ID: 20307378
thanks for the replies.

I can use shared ssl on my host, but that means an ugly url like  https://jhostdomomain.com/userftpname.
Which doesn't give the user a very 'secure' feeling.

Okay, basicly i am on the right track, thats good to hear. My current host has most 'dangerous' php functions disabled (safe_mode, magic quotes,no external includes etc) so it's pretty safe i think.

Would using ssl be a huge leap in security?
0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 88 total points
ID: 20307414
"Would using ssl be a huge leap in security?"

It should make things considerably more difficult for man-in-middle attacks, packet sniffing, etc. It won't stop holes in code from being holes in code. Faulty PHP will still be a security gap.

All https will do is make it MORE LIKELY that the line from the server to the client's browser is safe.

0
 
LVL 12

Assisted Solution

by:Rok-Kralj
Rok-Kralj earned 87 total points
ID: 20307518
If you really did everything written above, you are safe.

If you want me to check your code for holes, post it here.
0
 

Author Comment

by:dwax
ID: 20307611

Thanks to you both!  (split points).
I will talk things over with the client.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Multilanguage Database Design in MySQL 5 39
get radio button vale in array 7 37
Paging Using PHP 7 34
Help cleaning out CSS 2 31
Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
This article discusses how to create an extensible mechanism for linked drop downs.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now