Solved

.php login security advice

Posted on 2007-11-17
7
1,080 Views
Last Modified: 2012-06-27
I am currently building a login-user-cms with a backend database which will contain some sensitive data.
It is inspired by this tutorial:
http://www.roscripts.com/PHP_login_script-143.html

I have the following precautions:

* i only make use of sessions (no coockies)
* i use mysql_real_escape_string to protect mysql injection
* at login the IP is stored and on each form submission re-checked
* no includes with variables
* no php code error output (i don't use die() very often, but if->else statements)
* maximum of 3 login attempts

i am thinking of:
* using session_regenerate_id
* hashing the input of sensitive data with (javascript) SHA256
  http://www.bichlmeier.info/sha256.html

* encrypt the data in MYSQL, but the downside is possible trouble with SELECT statements ?

Am i over-paranoid, or do you think it will be a good idea to hash the input? And what about encrypting data? My biggest concern with encrypting is the slowdown.

I would appreciate your input & advice on this, i might have overseen things here.
Thanks in advance.
0
Comment
Question by:dwax
  • 3
  • 2
  • 2
7 Comments
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20305239
session_regenerate_id() -very  good choice, at least at login
hashing, encrypting - only if you are afraid of someone breaking to your base
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 20305270
You seem to be going about things the right way. Store sensitive information in SESSION variables as they are stored server side. If you are being *really* paranoid then be aware that ALL session cookies on a server are usually stored in /tmp (*nix - I'm not sure about Windows), but Zend have a datasheet on modifying these to store them in the database instead. See here

http://devzone.zend.com/node/view/id/1312

about halfway down the page.

As far as encryption goes, there is no need to encrypt absolutely everything. For instance to hide information about someone it my be enough to encrypt just their name - particularly if it is not a search term. If you do have to encrypt "searchable" fields then feed them into an algorithm that produces some output that is searchable so that you can massively reduce stuff that needs decrypting for searching.
0
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20306954
You can also use OpenSSL to encrypt comunication between client and server. It's free.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:dwax
ID: 20307378
thanks for the replies.

I can use shared ssl on my host, but that means an ugly url like  https://jhostdomomain.com/userftpname.
Which doesn't give the user a very 'secure' feeling.

Okay, basicly i am on the right track, thats good to hear. My current host has most 'dangerous' php functions disabled (safe_mode, magic quotes,no external includes etc) so it's pretty safe i think.

Would using ssl be a huge leap in security?
0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 88 total points
ID: 20307414
"Would using ssl be a huge leap in security?"

It should make things considerably more difficult for man-in-middle attacks, packet sniffing, etc. It won't stop holes in code from being holes in code. Faulty PHP will still be a security gap.

All https will do is make it MORE LIKELY that the line from the server to the client's browser is safe.

0
 
LVL 12

Assisted Solution

by:Rok-Kralj
Rok-Kralj earned 87 total points
ID: 20307518
If you really did everything written above, you are safe.

If you want me to check your code for holes, post it here.
0
 

Author Comment

by:dwax
ID: 20307611

Thanks to you both!  (split points).
I will talk things over with the client.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CA single sign on 2 73
Keep getting 503 on Curl request 6 30
Amazon Redshift 2 25
How do I fix this error:  Warning: strpos(): Empty needle on line 122 3 15
Both Easy and Powerful How easy is PHP? http://lmgtfy.com?q=how+easy+is+php (http://lmgtfy.com?q=how+easy+is+php)  Very easy.  It has been described as "a programming language even my grandmother can use." How powerful is PHP?  http://en.wikiped…
I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now