Ad:

PHP Discussion Thread
Unsolved
Views: 2259

Page 1
2
3
Next

You are currently viewing page 1 of this multi-page discussion thread

Apr 8th, 2009

Login System

Expand Post »

Hi,
I wanted to post my login system I will use for an upcoming site for rating. I want to ensure a safe login, so please, if you know anything about this and see a security leak somewhere... Please post, any remarks are welcome.

How it works: the script generates a random number if the form hasn't been submitted yet. This number is being passed to the Javascript also. On submitting of the form the javascript creates a hash and empties the password field. The hash includes: IP + hashed password + random number. The server recreates this and destroys the session with the random number *. The two hashes are compared and a decision is made.
* I've been thinking of putting the random number in the database and an id in the session, then the random number is pulled of the database. However, I'm not so experienced in login systems and don't know what information can be corrupted.

NOTE: the script will also log who is currently logged in, I still have to code that part, but I couldn't wait to upload this here.
EDIT: I will include a script that will only allow for so much login attempts in a certain time span to exclude bots. Or shouldn't I?

php Syntax (Toggle Plain Text)
<?php
	session_start();
	include_once("connect.php");
 
	if(isset($_POST['logIn'])) {
		$RND = $_SESSION['RND'];
		session_destroy();
		$IP = $_SERVER['REMOTE_ADDR'];
 
		$qGetUser = @mysql_query("SELECT * FROM users WHERE gebruikersnaam='".$_POST['username']."'");
		if(@mysql_num_rows($qGetUser) == 1) {
			$aGetUser = @mysql_fetch_assoc($qGetUser);
			$serverHash = sha1(($IP.$aGetUser['wachtwoord'].$RND));
 
			if($serverHash == $_POST['hash']) {
				$msg = "NICE!";
				$type = "notification";
			}
			else {
				$msg = "fail :( serverHash: ".$serverHash." ; clientHash: ".$_POST['hash']." ; wachtw: ".$aGetUser['wachtwoord'];
				$type = "error";
			}
		}
		else {
			$msg = "De ingevoerde gebruikersnaam is ongeldig.";
			$type = "error";
		}
	}
	else {
		$_SESSION['RND'] = getRandomNumber();
	}
 
	function getRandomNumber() {
		srand(time());
		return (rand()%1000001);
	}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
		<title>Vermeersch Constructie</title>
		<script type="text/javascript" src="MooTools_Functions.js"></script>
		<script type="text/javascript" src="MooTools_BackEnd.js"></script>
		<!--[if lt IE 7.]>
			<script defer type="text/javascript" src="pngfix.js"></script>
		<![endif]-->
		<link rel="stylesheet" href="style.css" type="text/css">
		<script type="text/javascript" src="sha1.js"></script>
		<script type="text/javascript">
			function hashIt() {
				var password = document.getElementById('password').value;
				var ip = document.getElementById('ip').value;
				var randomnumber = <?php echo $_SESSION['RND']; ?>;
 
				document.getElementById('password').value = "";
				document.getElementById('hash').value = hex_sha1((ip + hex_sha1(password) + randomnumber));
			}
		</script>
	</head>
 
	<body>
		<div class="header"></div>
		<div class="container">
			<?php
				if(!empty($msg)) {
					showMsg($msg, $type);
					$msg = null;
					$type = null;
				}
			?>
			<form method="post" action="" onSubmit="hashIt();">
				<table>
					<tr>
						<td>Gebruikersnaam:</td><td><input type="text" name="username"></td>
					</tr>
					<tr>
						<td>Wachtwoord:</td><td><input type="password" id="password"></td>
					</tr>
					<tr>
						<td>&nbsp;</td><td style="text-align: right;"><input type="submit" name="logIn" value="Aanmelden"></td>
					</tr>
				</table>
				<input type="hidden" name="ip" id="ip" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
				<input type="hidden" name="hash" id="hash">
			</form>
		</div>
		<div class="footer"><div style="padding: 6px;">&copy; Debaere Brecht</div></div>
	</body>
</html>
<?php
	session_start();
	include_once("connect.php");
	
	if(isset($_POST['logIn'])) {
		$RND = $_SESSION['RND'];
		session_destroy();
		$IP = $_SERVER['REMOTE_ADDR'];
		
		$qGetUser = @mysql_query("SELECT * FROM users WHERE gebruikersnaam='".$_POST['username']."'");
		if(@mysql_num_rows($qGetUser) == 1) {
			$aGetUser = @mysql_fetch_assoc($qGetUser);
			$serverHash = sha1(($IP.$aGetUser['wachtwoord'].$RND));
			
			if($serverHash == $_POST['hash']) {
				$msg = "NICE!";
				$type = "notification";
			}
			else {
				$msg = "fail :( serverHash: ".$serverHash." ; clientHash: ".$_POST['hash']." ; wachtw: ".$aGetUser['wachtwoord'];
				$type = "error";
			}
		}
		else {
			$msg = "De ingevoerde gebruikersnaam is ongeldig.";
			$type = "error";
		}
	}
	else {
		$_SESSION['RND'] = getRandomNumber();
	}
	
	function getRandomNumber() {
		srand(time());
		return (rand()%1000001);
	}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
		<title>Vermeersch Constructie</title>
		<script type="text/javascript" src="MooTools_Functions.js"></script>
		<script type="text/javascript" src="MooTools_BackEnd.js"></script>
		<!--[if lt IE 7.]>
			<script defer type="text/javascript" src="pngfix.js"></script>
		<![endif]-->
		<link rel="stylesheet" href="style.css" type="text/css">
		<script type="text/javascript" src="sha1.js"></script>
		<script type="text/javascript">
			function hashIt() {
				var password = document.getElementById('password').value;
				var ip = document.getElementById('ip').value;
				var randomnumber = <?php echo $_SESSION['RND']; ?>;
				
				document.getElementById('password').value = "";
				document.getElementById('hash').value = hex_sha1((ip + hex_sha1(password) + randomnumber));
			}
		</script>
	</head>
	
	<body>
		<div class="header"></div>
		<div class="container">
			<?php
				if(!empty($msg)) {
					showMsg($msg, $type);
					$msg = null;
					$type = null;
				}
			?>
			<form method="post" action="" onSubmit="hashIt();">
				<table>
					<tr>
						<td>Gebruikersnaam:</td><td><input type="text" name="username"></td>
					</tr>
					<tr>
						<td>Wachtwoord:</td><td><input type="password" id="password"></td>
					</tr>
					<tr>
						<td>&nbsp;</td><td style="text-align: right;"><input type="submit" name="logIn" value="Aanmelden"></td>
					</tr>
				</table>
				<input type="hidden" name="ip" id="ip" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>">
				<input type="hidden" name="hash" id="hash">
			</form>
		</div>
		<div class="footer"><div style="padding: 6px;">&copy; Debaere Brecht</div></div>
	</body>
</html>

Thanks

, please post comments on it

Last edited by brechtjah; Apr 8th, 2009 at 10:47 am.

Similar Threads

Website Login in ASP.NET
member login system in php in PHP
Login System Help in Visual Basic 4 / 5 / 6
Simple Login System: Need Advice. in PHP

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 8th, 2009

Re: Login System

Thats a really nice script. However what if the user has javascript turned off? Some of your validation is in javascrit therefore a login would be imossible.

Use <noscript> to let the user know their login wont be sucessfull unless they turn it on. Also, are you cleaning your strings from quotes and other characters? I cant really see if you are?

On the other hand, this is a really nice method. It works against CSRF and XXS therefore is really safe. I'm copying the code for personal use so thankyou

Does this help ?

Designer_101

Reputation Points: 12

Solved Threads: 16

Posting Whiz

Offline

314 posts
since Jul 2007

Permalink

Apr 8th, 2009

Re: Login System

Click to Expand / Collapse Quote originally posted by Designer_101 ...

Thats a really nice script. However what if the user has javascript turned off? Some of your validation is in javascrit therefore a login would be imossible.

Use <noscript> to let the user know their login wont be sucessfull unless they turn it on. Also, are you cleaning your strings from quotes and other characters? I cant really see if you are?

On the other hand, this is a really nice method. It works against CSRF and XXS therefore is really safe. I'm copying the code for personal use so thankyou

Does this help ?

Oh I should indeed implement htmlentities use, but...
What do you mean with CSRF and XXS? What are those things?

Googling those things gives me other results than I need

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 8th, 2009

Re: Login System

CSRF: Cross-site request forgery
XXS: Cross-site Scripting

As mentioned by Designer_101, I would suggest not using POST values directly into SQL queries (Or for anything really) They should be cleaned first. Use a preg_match on any values (such as usernames) where you know they will only contain certain characters, at a minimum you should have addslashes in there.

Will Gresham

Reputation Points: 96

Solved Threads: 124

Master Poster

Offline

728 posts
since May 2008

Permalink

Apr 8th, 2009

Re: Login System

I am kinda stuck now on how I would make one user logged in over multiple pages, however leaving hackers out. I can't really use sessions because they can be hacked no?
Can I have some assist on this please, then I can complete the script and I'll paste it here

Thanks

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 8th, 2009

Re: Login System

You will not make it 100% secure, no matter what you do.

But you can take some steps to secure your application further. Sessions are much more secure than cookies and are probably the best way to go for this, you can look at making it harder to 'hack':

Check the User Agent for each visit, while the user agent reported can be masked or changed by the user, checking it for each page load will stop some attempts, so if the user agent suddenly changes mid session, this will stop it:

php Syntax (Toggle Plain Text)
<?php
if(!isset($_SESSION['user_agent'])) {
    // Set the session value as the hash of the UA
    $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT']);
} else {
    // Check that the session value matches the hash of the UA
    if($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        // Alert the user they have been logged out due to a UA change
        echo "The user agent data sent by your browser has changed unexpectedly, please login again.";
        session_destroy();
        exit(0);
    }
}
?>
<?php
if(!isset($_SESSION['user_agent'])) {
    // Set the session value as the hash of the UA
    $_SESSION['user_agent'] = md5($_SERVER['HTTP_USER_AGENT']);
} else {
    // Check that the session value matches the hash of the UA
    if($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        // Alert the user they have been logged out due to a UA change
        echo "The user agent data sent by your browser has changed unexpectedly, please login again.";
        session_destroy();
        exit(0);
    }
}
?>

The same (or similar) could be done for other values such as the IP address, but since some users will be behind proxies, and the IP can change mid session, this may not be such a good idea.

Also, to make it harder for a malicious user, you can change the session key every page load:

php Syntax (Toggle Plain Text)
<?php
session_start();
// We need to copy the old session data
$previousSession = $_SESSION;
 
// Then re-create a new session
session_destroy();
session_start();
 
// And finally, reassign the session data
$_SESSION = $previousSession;
?>
<?php
session_start();
// We need to copy the old session data
$previousSession = $_SESSION;

// Then re-create a new session
session_destroy();
session_start();

// And finally, reassign the session data
$_SESSION = $previousSession;
?>

Will Gresham

Reputation Points: 96

Solved Threads: 124

Master Poster

Offline

728 posts
since May 2008

Permalink

Apr 8th, 2009

Re: Login System

Excuse me, I'm not so familiar with sessions. I don't know anything about session keys.
If I put the hash in a session and compare it to the hash in the database. Then it is possible for a hacker to pose himself like the user by somehow stealing the session, yes? How would I go to prevent this? Or isn't this possible?

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 8th, 2009

Re: Login System

Seeing as all the session values are stored on the server, unlike cookies which are stored on the clients computer, they are much more secure anyway.

In theory if the malicious user got the session key they may be able to do some things, but this will be prevented to a certain extent by using the script above to change the session key every page load.

Also, make sure your logout button/link is easy to see, as by clicking this the session data should be deleted by the script meaning that it can no longer be accessed.

Last edited by Will Gresham; Apr 8th, 2009 at 4:31 pm.

Will Gresham

Reputation Points: 96

Solved Threads: 124

Master Poster

Offline

728 posts
since May 2008

Permalink

Apr 8th, 2009

Re: Login System

Click to Expand / Collapse Quote originally posted by xan ...

Seeing as all the session values are stored on the server, unlike cookies which are stored on the clients computer, they are much more secure anyway.

In theory if the malicious user got the session key they may be able to do some things, but this will be prevented to a certain extent by using the script above to change the session key every page load.

Also, make sure your logout button/link is easy to see, as by clicking this the session data should be deleted by the script meaning that it can no longer be accessed.

Isn't it possible to check if the hacker tries to inject a session id in the URI by using GET? Like this:

php Syntax (Toggle Plain Text)
if($_GET['PHPSESSID'] != null) {
  // A hacker is trying to inject a session ID
}
if($_GET['PHPSESSID'] != null) {
  // A hacker is trying to inject a session ID
}

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 8th, 2009

Re: Login System

Here is a good example of a secure login system:

http://www.daniweb.com/forums/thread183049.html

With proper implementation of sessions, the possibility of hacking them goes down drastically.

kkeith29

Reputation Points: 235

Solved Threads: 193

Nearly a Posting Virtuoso

Offline

1,315 posts
since Jun 2007

Page 1
2
3
Next

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in PHP Forum Timeline: Need help to Delete all button for all checkboxes...

Next Thread in PHP Forum Timeline: timeout if page is inactive

DaniWeb Message

Cancel Changes

User Name
Password