Login System

brechtjah (#1, Apr 8th, 2009)
Hi,
I wanted to post the login system I will use for an upcoming site, for rating. I want to ensure a safe login, so please, if you know anything about this and see a security leak somewhere, post it. Any remarks are welcome.

How it works: the script generates a random number if the form hasn't been submitted yet. This number is also passed to the JavaScript. On submission of the form the JavaScript creates a hash and empties the password field. The hash includes: IP + hashed password + random number. The server recreates this and destroys the session with the random number *. The two hashes are compared and a decision is made.
* I've been thinking of putting the random number in the database and an id in the session; the random number is then pulled out of the database. However, I'm not so experienced in login systems and don't know what information can be corrupted.

NOTE: the script will also log who is currently logged in. I still have to code that part, but I couldn't wait to upload this here.
EDIT: I will include a script that will only allow so many login attempts in a certain time span, to exclude bots. Or shouldn't I?
<?php
session_start();
// connect.php is assumed to open the MySQL connection and to define showMsg(),
// which is called further down but not shown in this post.
include_once("connect.php");

if(isset($_POST['logIn'])) {
    // The random number issued with the form is read once and the session is
    // destroyed, so the same number cannot be used for a second attempt.
    $RND = $_SESSION['RND'];
    session_destroy();
    $IP = $_SERVER['REMOTE_ADDR'];

    // Column names are Dutch: gebruikersnaam = username, wachtwoord = password (hash).
    $qGetUser = @mysql_query("SELECT * FROM users WHERE gebruikersnaam='".$_POST['username']."'");
    if(@mysql_num_rows($qGetUser) == 1) {
        $aGetUser = @mysql_fetch_assoc($qGetUser);
        // Recreate what hashIt() computed in the browser: sha1(ip + stored hash + random number)
        $serverHash = sha1($IP.$aGetUser['wachtwoord'].$RND);

        if($serverHash == $_POST['hash']) {
            $msg = "NICE!";
            $type = "notification";
        }
        else {
            $msg = "fail :( serverHash: ".$serverHash." ; clientHash: ".$_POST['hash']." ; wachtw: ".$aGetUser['wachtwoord'];
            $type = "error";
        }
    }
    else {
        // "The username entered is invalid."
        $msg = "De ingevoerde gebruikersnaam is ongeldig.";
        $type = "error";
    }
}
else {
    // First visit: issue the random number that the form's JavaScript will hash.
    $_SESSION['RND'] = getRandomNumber();
}

function getRandomNumber() {
    srand(time());
    return (rand()%1000001);
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<title>Vermeersch Constructie</title>
<script type="text/javascript" src="MooTools_Functions.js"></script>
<script type="text/javascript" src="MooTools_BackEnd.js"></script>
<!--[if lt IE 7.]>
<script defer type="text/javascript" src="pngfix.js"></script>
<![endif]-->
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript" src="sha1.js"></script>
<script type="text/javascript">
// Runs on submit: replaces the password with sha1(ip + sha1(password) + randomnumber)
// and clears the password field so the plain password never leaves the browser.
function hashIt() {
    var password = document.getElementById('password').value;
    var ip = document.getElementById('ip').value;
    var randomnumber = <?php echo $_SESSION['RND']; ?>;

    document.getElementById('password').value = "";
    document.getElementById('hash').value = hex_sha1(ip + hex_sha1(password) + randomnumber);
}
</script>
</head>

<body>
<div class="header"></div>
<div class="container">
<?php
if(!empty($msg)) {
    showMsg($msg, $type);
    $msg = null;
    $type = null;
}
?>
<!-- Labels: Gebruikersnaam = Username, Wachtwoord = Password, Aanmelden = Log in -->
<form method="post" action="" onSubmit="hashIt();">
<table>
<tr>
<td>Gebruikersnaam:</td><td><input type="text" name="username"></td>
</tr>
<tr>
<td>Wachtwoord:</td><td><input type="password" id="password"></td>
</tr>
<tr>
<td>&nbsp;</td><td style="text-align: right;"><input type="submit" name="logIn" value="Aanmelden"></td>
</tr>
</table>
<input type="hidden" name="ip" id="ip" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
<input type="hidden" name="hash" id="hash">
</form>
</div>
<div class="footer"><div style="padding: 6px;">&copy; Debaere Brecht</div></div>
</body>
</html>

Thanks, please post comments on it.
Last edited by brechtjah; Apr 8th, 2009 at 10:47 am.
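The challenge-response exchange described in the post above, modelled as an added Python example with both sides in one file. This is not code from the thread: client_response() stands in for the browser's hashIt() and LoginServer for the PHP block. The USERS table, the IP address and the session ids are constructed for the example, and it is assumed that the wachtwoord column holds the hex SHA-1 of the password, since that is what the client feeds into the outer hash. Beyond the post's own flow it also runs the checks a reviewer would want: that a captured response cannot be replayed once the random number has been consumed, and that whoever knows the stored hash can answer a challenge without the password.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the `users` table: username -> hex sha1(password),
# the form the original's `wachtwoord` column is assumed to have.
USERS = {
    "brecht": hashlib.sha1(b"correct horse").hexdigest(),
}


def client_response(client_ip: str, password: str, nonce: str) -> str:
    """Browser side, what hashIt() computes: sha1(ip + sha1(password) + nonce)."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    return hashlib.sha1((client_ip + pw_hash + nonce).encode()).hexdigest()


class LoginServer:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # session id -> outstanding random number (single use)

    def new_challenge(self, session_id: str) -> str:
        """Step 1: issue the random number for the form and remember it server-side.
        A CSPRNG value replaces srand(time()); rand() % 1000001, which gives at most
        1,000,001 values and is reproducible from the clock."""
        nonce = secrets.token_hex(16)
        self.pending[session_id] = nonce
        return nonce

    def verify(self, session_id: str, client_ip: str, username: str, client_hash: str) -> bool:
        """Step 3: recompute the hash and compare. The random number is consumed on
        every attempt, success or not, which is what session_destroy() does above."""
        nonce = self.pending.pop(session_id, None)
        if nonce is None:
            return False  # no outstanding challenge: replay or out-of-order submit
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = hashlib.sha1((client_ip + stored + nonce).encode()).hexdigest()
        # Constant-time comparison instead of the original's ==
        return hmac.compare_digest(expected, client_hash)


def run_exchange():
    """Four scenarios: valid login, replay, wrong password, stored hash only."""
    server = LoginServer(USERS)
    ip = "203.0.113.7"  # constructed client address

    nonce = server.new_challenge("sess-1")
    response = client_response(ip, "correct horse", nonce)
    ok_login = server.verify("sess-1", ip, "brecht", response)

    # Same response submitted again: the random number is gone, so it must fail.
    ok_replay = server.verify("sess-1", ip, "brecht", response)

    nonce2 = server.new_challenge("sess-2")
    ok_wrong_pw = server.verify("sess-2", ip, "brecht", client_response(ip, "wrong", nonce2))

    # An attacker holding only the users table (no password) answers the challenge
    # by hashing ip + stored hash + nonce, exactly as the server does.
    nonce3 = server.new_challenge("sess-3")
    forged = hashlib.sha1((ip + USERS["brecht"] + nonce3).encode()).hexdigest()
    ok_with_stored_hash = server.verify("sess-3", ip, "brecht", forged)

    return ok_login, ok_replay, ok_wrong_pw, ok_with_stored_hash


if __name__ == "__main__":
    print(run_exchange())
```

The replay scenario is the part the post's session_destroy() is there for, and it only holds if the random number is unguessable: with a clock-seeded rand() an attacker who sees the form can compute the next challenge. The last scenario shows why the scheme does not reduce the impact of a leaked users table: the stored value is itself the credential, so the table must be protected as carefully as plaintext passwords would be.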
Re: Login System
Designer_101 (#2, Apr 8th, 2009)
That's a really nice script. However, what if the user has JavaScript turned off? Some of your validation is in JavaScript, therefore a login would be impossible.

Use <noscript> to let the user know their login won't be successful unless they turn it on. Also, are you cleaning your strings of quotes and other characters? I can't really see if you are.

On the other hand, this is a really nice method. It works against CSRF and XSS, therefore it is really safe. I'm copying the code for personal use, so thank you.

Does this help?
Re: Login System
brechtjah (#3, Apr 8th, 2009)
Originally Posted by Designer_101 (post #2 above)
Oh, I should indeed implement htmlentities, but...
What do you mean by CSRF and XSS? What are those things? Googling them gives me other results than I need.
Re: Login System
Will Gresham (#4, Apr 8th, 2009)
CSRF: Cross-site request forgery
XSS: Cross-site scripting

As mentioned by Designer_101, I would suggest not using POST values directly in SQL queries (or for anything, really). They should be cleaned first. Use a preg_match on any values (such as usernames) where you know they will only contain certain characters; at a minimum you should have addslashes in there.
AJAX is not a programming language, scripting language or any other sort of language.
It is acheived by using JavaScript http functions.
So, AJAX = JavaScript.
Re: Login System
brechtjah (#5, Apr 8th, 2009)
I am kind of stuck now on how I would keep one user logged in over multiple pages while leaving hackers out. I can't really use sessions because they can be hacked, no?
Can I have some assistance on this please? Then I can complete the script and I'll paste it here.

Thanks
Re: Login System
Will Gresham (#6, Apr 8th, 2009)
You will not make it 100% secure, no matter what you do.

But you can take some steps to secure your application further. Sessions are much more secure than cookies and are probably the best way to go for this; you can look at making it harder to 'hack':

Check the User Agent on each visit. While the user agent reported can be masked or changed by the user, checking it on each page load will stop some attempts: if the user agent suddenly changes mid-session, this will stop it:
<?php
session_start(); // $_SESSION is only available after the session has been started
if(!isset($_SESSION['user_agent'])) {
    // Set the session value as the hash of the UA
    $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT']);
} else {
    // Check that the session value matches the hash of the UA
    if($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        // Alert the user they have been logged out due to a UA change
        echo "The user agent data sent by your browser has changed unexpectedly, please login again.";
        session_destroy();
        exit(0);
    }
}
?>
The same (or similar) could be done for other values such as the IP address, but since some users will be behind proxies, and the IP can change mid session, this may not be such a good idea.

Also, to make it harder for a malicious user, you can change the session key on every page load:
<?php
session_start();
// Calling session_destroy() and then session_start() again in the same request
// resumes the same id from the client's cookie, so the key would not change.
// session_regenerate_id() issues a fresh id, keeps the current $_SESSION data,
// and with true deletes the old session so the previous id can no longer be used.
session_regenerate_id(true);
?>
Re: Login System
brechtjah (#7, Apr 8th, 2009)
Excuse me, I'm not so familiar with sessions. I don't know anything about session keys.
If I put the hash in a session and compare it to the hash in the database, then it is possible for a hacker to pose as the user by somehow stealing the session, yes? How would I go about preventing this? Or isn't this possible?
Re: Login System
Will Gresham (#8, Apr 8th, 2009)
Seeing as all the session values are stored on the server, unlike cookies, which are stored on the client's computer, they are much more secure anyway.

In theory, if the malicious user got the session key they may be able to do some things, but this will be prevented to a certain extent by using the script above to change the session key on every page load.

Also, make sure your logout button/link is easy to see, as by clicking it the session data should be deleted by the script, meaning that it can no longer be accessed.
Last edited by Will Gresham; Apr 8th, 2009 at 4:31 pm.
Re: Login System
brechtjah (#9, Apr 8th, 2009)
Originally Posted by xan (post #8 above)
Isn't it possible to check whether the hacker tries to inject a session ID into the URI via GET? Like this:
// isset() instead of != null: reading an absent $_GET key would raise a notice
if(isset($_GET['PHPSESSID'])) {
    // A hacker is trying to inject a session ID
}

?
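The session handling discussed in posts #6, #8 and #9, as an added Python model (not code from the thread, and not how PHP's session extension is implemented internally). An in-memory store plays the role of PHP's server-side session files and shows the three points raised: the User-Agent check from post #6, session id regeneration that keeps the data (what session_regenerate_id(true) does), and refusing an id the server never issued, which is the case behind the ?PHPSESSID= question in post #9. The class and function names (SessionStore, run_scenarios), the User-Agent strings and the usernames are constructed for the example.

```python
import hashlib
import secrets


class SessionStore:
    """In-memory stand-in for server-side session storage."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    @staticmethod
    def _ua_hash(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def _create(self, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"ua_hash": self._ua_hash(user_agent), "user": None}
        return sid

    def start(self, presented_id, user_agent: str):
        """Counterpart of session_start(). Returns (session id, what happened).

        An id the server never issued (for example one planted through
        ?PHPSESSID=...) is not adopted; a fresh id is created instead, so an
        attacker cannot fix the victim's session id in advance."""
        if presented_id is not None and presented_id in self.sessions:
            if self.sessions[presented_id]["ua_hash"] != self._ua_hash(user_agent):
                # Post #6's check: User-Agent changed mid-session, end the session.
                del self.sessions[presented_id]
                return self._create(user_agent), "ua_changed"
            return presented_id, "resumed"
        return self._create(user_agent), "new"

    def regenerate(self, sid: str) -> str:
        """Counterpart of session_regenerate_id(true): new id, same data, old id gone."""
        data = self.sessions.pop(sid)
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = data
        return new_id

    def login(self, sid: str, username: str) -> str:
        """Rotate the id at the moment privilege changes."""
        new_id = self.regenerate(sid)
        self.sessions[new_id]["user"] = username
        return new_id

    def logout(self, sid: str) -> None:
        """Counterpart of session_destroy(): the data is removed server-side."""
        self.sessions.pop(sid, None)

    def user(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def run_scenarios():
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed browser string)"

    # 1. Fixation: an attacker-chosen id in the URL is ignored.
    sid, how = store.start("attacker-chosen-id", ua)
    fixation_blocked = how == "new" and sid != "attacker-chosen-id"

    # 2. Rotation on login: the pre-login id no longer resolves to the account.
    logged_in = store.login(sid, "brecht")
    old_id_dead = store.user(sid) is None and store.user(logged_in) == "brecht"

    # 3. UA binding: the right id from a different client is refused and destroyed.
    _, how2 = store.start(logged_in, "curl/7.64.1 (constructed)")
    ua_bound = how2 == "ua_changed" and store.user(logged_in) is None

    # 4. Logout removes the data, so the id is useless afterwards.
    fresh, _ = store.start(None, ua)
    fresh = store.login(fresh, "brecht")
    store.logout(fresh)
    logout_clears = store.user(fresh) is None

    return fixation_blocked, old_id_dead, ua_bound, logout_clears


if __name__ == "__main__":
    print(run_scenarios())
```

Two caveats a practitioner would add to the thread's advice. The User-Agent check is a weak signal, as post #6 itself says: whoever can steal the cookie can usually read the User-Agent as well and send the same one. And rotating the id on every page load, as post #6 suggests, is the same regenerate() call on each request, but it breaks concurrent requests from one browser (a second tab or an AJAX call still carrying the old id), so rotating at login and at other privilege changes is the usual compromise.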
Re: Login System
kkeith29 (#10, Apr 8th, 2009)
Here is a good example of a secure login system:

http://www.daniweb.com/forums/thread183049.html

With proper implementation of sessions, the possibility of hacking them goes down drastically.
©2003 - 2009 DaniWeb® LLC