Login System

brechtjah, post #11, Apr 8th, 2009
I don't mean to sound rude, but I just want this question answered about blocking session ID stealing.

Designer_101, post #12, Apr 8th, 2009
Well, to be honest when you're asking if something's secure it either is or it isn't. There's no in the middle.

As another user said, there are however ways in which you can make your website 'safer'. Depending on the traffic of your website you should increase the amount of security you add to your code.
For example, I run a low traffic website for a sports team, and the only security is that of protecting against SQL injections (by clearing all inputted data).

To continue, it is therefore your choice whether or not you need this much security, but DaniWeb provides answers, and the answers above are perfectly in context and should be appreciated. Sorry if it sounds blunt but people spend time writing posts to help others, not for the fun of it.

In an earlier comment you said you didn't understand CSRF.
In this context it would be validating a self-made HTML form on a victim's website.
In other words, creating a form with the same names as those of the website you're hacking and then sending it to the website to be validated. It's a very sneaky thing and I suggest you look into it, Google will help you there.

Hope all this helps

Will Gresham, post #13, Apr 8th, 2009
Originally Posted by brechtjah:
> I don't mean to sound rude, but I just want this question answered about blocking session ID stealing.

The code I posted earlier would help prevent this. It will change the session ID every single time the user clicks on a new link, so even if the malicious user somehow gets the session ID, it will likely have changed by the time they try to do something.

Here is the code again:
    <?php
    session_start();
    // We need to copy the old session data
    $previousSession = $_SESSION;

    // Then re-create a new session
    session_destroy();
    session_start();

    // And finally, reassign the session data
    $_SESSION = $previousSession;
    ?>

AJAX is not a programming language, scripting language or any other sort of language.
It is achieved by using JavaScript HTTP functions.
So, AJAX = JavaScript.

kkeith29, post #14, Apr 9th, 2009
Originally Posted by xan:
> The code I posted earlier would help prevent this. It will change the session ID every single time the user clicks on a new link, so even if the malicious user somehow gets the session ID, it will likely have changed by the time they try to do something.
>
> Here is the code again:
>     <?php
>     session_start();
>     // We need to copy the old session data
>     $previousSession = $_SESSION;
>
>     // Then re-create a new session
>     session_destroy();
>     session_start();
>
>     // And finally, reassign the session data
>     $_SESSION = $previousSession;
>     ?>

Instead of all that, why not use session_regenerate_id()?

That's what I use.
Last edited by kkeith29; Apr 9th, 2009 at 2:06 am.
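
The ID rotation recommended in the posts above, as an added example that is not code from the thread: it rotates on login and on a timer rather than on every click, because the PHP manual warns that regenerating and deleting on each request can drop sessions when requests overlap. It assumes PHP 7.3 or later and an HTTPS site; the constants and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and HTTPS.
// ROTATE_EVERY, GRACE_PERIOD and the function names are hypothetical.
const ROTATE_EVERY = 300; // seconds between ID rotations
const GRACE_PERIOD = 30;  // seconds a replaced ID keeps working
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'secure'   => true,  // cookie is sent over HTTPS only
        'httponly' => true,  // page scripts cannot read the cookie
        'samesite' => 'Lax',
    ]);
    session_start();

    if (isset($_SESSION['obsolete_at'])) {
        // This ID was already replaced. Inside the grace period it is likely an
        // in-flight request; after it, treat the ID as stale or stolen.
        if ($_SESSION['obsolete_at'] < time() - GRACE_PERIOD) {
            $_SESSION = [];
            session_regenerate_id(true);
        }
        return;
    }
    if (!isset($_SESSION['rotated_at'])) {
        $_SESSION['rotated_at'] = time();
    } elseif ($_SESSION['rotated_at'] < time() - ROTATE_EVERY) {
        rotate_session_id();
    }
}

function rotate_session_id(): void
{
    // Flag the old session instead of deleting it, so a concurrent request
    // that still carries the old cookie does not lose its session.
    $_SESSION['obsolete_at'] = time();
    session_regenerate_id(false);    // saves the flagged old data, then switches ID
    unset($_SESSION['obsolete_at']); // the new session is the current one
    $_SESSION['rotated_at'] = time();
}

function on_login(string $username): void
{
    // Privilege change: always take a new ID and delete the old session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['rotated_at'] = time();
}
```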

brechtjah, post #15, Apr 9th, 2009
Ok, I will rewrite the whole code and upload it here once ready.

Designer_101, post #16, Apr 10th, 2009
session_regenerate_id() would be better in this case.

BzzBee, post #17, Apr 10th, 2009
I agree with Designer_101.

brechtjah, post #18, Apr 10th, 2009
Ok this is the code I have now, I haven't fully checked it yet so there could be some errors in it, but I doubt this. What I'm more interested in is whether there are holes in the code for a user to hack it. Well... if it's quite secure, or if there are improvements to be made.
It works the same as before, with some changes. The function renew() should be called on every page load as suggested here.

login_BackEnd.php
    <?php
    /*
     * Error Codes
     * 0: Success
     * 1: User does not exist in DB
     * 2: User is already logged in
     * 3: Hash in form is not equal to server side created hash
     * 4: An error occurred while creating the session in the DB
     */
    session_start();
    srand(time());

    if(!isset($_SESSION['RND'])) {
        $_SESSION['RND'] = sha1(rand()%1000001);
    }

    if(!isset($_SESSION['authINF1'], $_SESSION['authINF2'], $_SESSION['authINF3'])) {
        $_SESSION['authINF1'] = sha1($_SERVER['HTTP_USER_AGENT']);
        $_SESSION['authINF2'] = sha1($_SERVER['HTTP_ACCEPT_LANGUAGE']);
        $_SESSION['authINF3'] = sha1($_SERVER['REMOTE_ADDR']);
    }

    function authenticate() {
        // Stays null when this browser session already holds login data
        $err = null;
        if(!isset($_SESSION['conSession'], $_SESSION['chSession'])) {
            // Get information from form
            $username = htmlentities($_POST['username'], ENT_QUOTES);
            $hash = htmlentities($_POST['hash'], ENT_QUOTES);

            // Create salt for hash
            $salt = htmlentities($_SESSION['RND'], ENT_QUOTES);
            $_SESSION['RND'] = sha1(rand()%1000001);
            $salt .= htmlentities($_SERVER['REMOTE_ADDR'], ENT_QUOTES);
            $salt .= htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES);

            $qGetUser = @mysql_query("SELECT * FROM users WHERE gebruikersnaam='".$username."'");
            if(@mysql_num_rows($qGetUser) == 1) {

                // The user exists in the DB
                $aGetUser = @mysql_fetch_assoc($qGetUser);
                $qGetSession = @mysql_query("SELECT * FROM sessions WHERE gebruikersnaam='".$username."'");
                if(@mysql_num_rows($qGetSession) == 0) {

                    // The user is not logged in yet
                    $serverSideHash = sha1($aGetUser['wachtwoord'].$salt);
                    if($serverSideHash == $hash) {

                        // The submitted hash and the server side created one are equal
                        $chSession = sha1(rand()%1000001);
                        if(@mysql_query("INSERT INTO sessions(gebruikersnaam, conSessie, chSessie, sessieTijd) VALUES('".$username."', '".$serverSideHash."', '".$chSession."', ".time().")")) {

                            // The session has been created
                            $_SESSION['conSession'] = $serverSideHash;
                            $_SESSION['chSession'] = $chSession;
                            $err = 0;
                        }
                        else {
                            $err = 4;
                        }
                    }
                    else {
                        $err = 3;
                    }
                }
                else {
                    $err = 2;
                }
            }
            else {
                $err = 1;
            }
        }
        return $err;
    }

    function renew() {
        deleteOldSessions();
        session_regenerate_id(TRUE);
        $conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
        $chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
        $qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");

        if(@mysql_num_rows($qGetSession) == 1) {
            $aGetSession = @mysql_fetch_assoc($qGetSession);
            if($chSession == $aGetSession['chSessie']) {
                $chSession = sha1((rand()%1000001).$chSession);
                $_SESSION['chSession'] = htmlentities($chSession, ENT_QUOTES);
                // Limit the update to this session's row; without a WHERE clause every row in the table is rewritten
                @mysql_query("UPDATE sessions SET chSessie='".$chSession."', sessieTijd=".time()." WHERE conSessie='".$conSession."'");
            }
        }
    }

    function destroy() {
        $conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
        $chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
        $qGetSession = @mysql_query("DELETE FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
        session_unset();
        session_destroy();
    }

    function deleteOldSessions() {
        $inactivityTime = 60*5;
        $expirationTime = time() - $inactivityTime;

        if(isset($_SESSION['conSession']) && isset($_SESSION['chSession'])) {
            $conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
            $chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
            $qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."' AND sessieTijd<".$expirationTime."");
            $aGetSession = @mysql_fetch_assoc($qGetSession);
            if(@mysql_num_rows($qGetSession) == 1) {
                destroy();
            }
        }
        @mysql_query("DELETE FROM sessions WHERE sessieTijd<".$expirationTime."");
    }
    ?>

login.php
    <?php
    include_once("login_BackEnd.php");
    include_once("connect.php");
    deleteOldSessions();

    if(isset($_POST['logIn'])) {
        $response = authenticate();
        switch($response) {
            case 0:
                $msg = "Succes";
                $type = "notification";
                break;
            default:
                $msg = $response;
                $type = "information";
                break;
        }
    }

    if(isset($_SESSION['conSession'], $_SESSION['chSession'])) {
        if((sha1($_SERVER['HTTP_USER_AGENT']) == $_SESSION['authINF1']) && (sha1($_SERVER['HTTP_ACCEPT_LANGUAGE']) == $_SESSION['authINF2']) && (sha1($_SERVER['REMOTE_ADDR']) == $_SESSION['authINF3'])) {
            $conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
            $chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
            $qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
            $aGetSession = @mysql_fetch_assoc($qGetSession);
            if(@mysql_num_rows($qGetSession) == 1) {
                $msg = "U bent ingelogd als ".$aGetSession['gebruikersnaam'];
                $type = "notification";
                renew();
            }
        }
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
        <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
        <title>Vermeersch Constructie</title>
        <script type="text/javascript" src="MooTools_Functions.js"></script>
        <script type="text/javascript" src="MooTools_BackEnd.js"></script>
        <!--[if lt IE 7.]>
        <script defer type="text/javascript" src="pngfix.js"></script>
        <![endif]-->
        <link rel="stylesheet" href="style.css" type="text/css">
        <script type="text/javascript" src="sha1.js"></script>
        <script type="text/javascript">
        function hashIt() {
            var salt = "<?php echo htmlentities($_SESSION['RND'], ENT_QUOTES); ?>";
            salt += "<?php echo htmlentities($_SERVER['REMOTE_ADDR'], ENT_QUOTES); ?>";
            salt += "<?php echo htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES); ?>";
            // Declared with var so it does not become a global
            var pass = document.getElementById('password').value;

            // The password field has no name attribute and is cleared here, so only the hash is submitted
            document.getElementById('password').value = "";
            document.getElementById('hash').value = hex_sha1(hex_sha1(pass)+salt);
        }
        </script>
    </head>

    <body>
        <div class="header"></div>
        <div class="container">
            <?php
            if(!empty($msg)) {
                showMsg($msg, $type);
                $msg = null;
                $type = null;
            }
            ?>
            <form method="post" action="" onSubmit="hashIt();">
                <table>
                    <tr>
                        <td>Gebruikersnaam:</td><td><input type="text" name="username"></td>
                    </tr>
                    <tr>
                        <td>Wachtwoord:</td><td><input type="password" id="password"></td>
                    </tr>
                    <tr>
                        <td>&nbsp;</td><td style="text-align: right;"><input type="submit" name="logIn" value="Aanmelden"></td>
                    </tr>
                </table>
                <input type="hidden" name="hash" id="hash">
            </form>
        </div>
        <div class="footer"><div style="padding: 6px;">&copy; Debaere Brecht</div></div>
    </body>
    </html>

kkeith29, post #19, Apr 10th, 2009
why are you using javascript at all in the login process? I mean, only use it for basic validation not hashing. That in itself is a security flaw because attackers can see how you are encrypting a password, which helps them to crack it.

What if a user has javascript turned off? Then what. You should have php handle everything.
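
One way to do the whole credential check in PHP, as an added example that is not code from the thread: the username is bound as a query parameter instead of being passed through htmlentities(), and the stored value is a password_hash() hash checked with password_verify(). It assumes the form is posted over HTTPS; the table and column names are the thread's, while the in-memory SQLite database and the sample account are constructed.

```php
<?php
// Added example, not code from the thread. The table and column names are the
// thread's; the in-memory SQLite database and the sample account are constructed.
function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (gebruikersnaam TEXT PRIMARY KEY, wachtwoord TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO users (gebruikersnaam, wachtwoord) VALUES (?, ?)');
    // password_hash() picks a slow algorithm and generates a per-user salt.
    $insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // The placeholder sends the username as data, separate from the SQL text,
    // so quotes in it cannot change the query and no escaping call is needed.
    $select = $pdo->prepare('SELECT wachtwoord FROM users WHERE gebruikersnaam = ?');
    $select->execute([$username]);
    $stored = $select->fetchColumn();

    // Unknown user: still verify against a throwaway hash so both paths do
    // similar work and the caller only ever learns "accepted" or "rejected".
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $matches = password_verify($password, is_string($stored) ? $stored : $dummy);
    return $matches && is_string($stored);
}

$pdo = make_demo_db();
var_dump(authenticate($pdo, "o'brien", 'correct horse')); // valid credentials
var_dump(authenticate($pdo, "o'brien", 'wrong'));         // wrong password
var_dump(authenticate($pdo, 'nobody', 'correct horse'));  // unknown user
```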

Josh Connerty, post #20, Apr 10th, 2009
Originally Posted by kkeith29:
> why are you using javascript at all in the login process? I mean, only use it for basic validation not hashing. That in itself is a security flaw because attackers can see how you are encrypting a password, which helps them to crack it.
>
> What if a user has javascript turned off? Then what. You should have php handle everything.

I agree JavaScript is more efficient (for the users) but PHP should always be your focus as it is loaded before the hacker gets the page.

Always make sure with important scripts that you make sure that the referring URL is the page you wish it to come from.
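
A per-session token check for the forged-form case described in post #12, with the referring-URL check from post #20 kept as a secondary signal because browsers can omit that header; this is an added example, not code from the thread. The csrf_token field and the function names are hypothetical, and the form fields reuse the names from the thread's login page.

```php
<?php
// Added example, not code from the thread. The csrf_token field and the
// function names are hypothetical.
session_start();

function csrf_token(): string
{
    // One unpredictable token per session, taken from the OS CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_ok(array $post, array $session): bool
{
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    // A form built on another site can copy the field names but cannot read
    // this value. hash_equals() compares in constant time.
    return is_string($sent) && is_string($known) && $known !== ''
        && hash_equals($known, $sent);
}

function same_origin(array $server): bool
{
    // Secondary check: browsers may omit both headers, so absence is allowed
    // and the token decides; a header that is present must name this host.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return true;
    }
    $theirs = parse_url($source, PHP_URL_HOST);
    $ours   = parse_url('//' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($theirs) && is_string($ours) && strcasecmp($theirs, $ours) === 0;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !(same_origin($_SERVER) && csrf_token_ok($_POST, $_SESSION))) {
    http_response_code(403);
    exit('Request rejected');
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="text" name="username">
  <input type="submit" name="logIn" value="Aanmelden">
</form>
```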