Ad:

PHP Discussion Thread
Unsolved
Views: 2259

You are currently viewing page 2 of this multi-page discussion thread; Jump to the first page

Permalink

Apr 8th, 2009

Re: Login System

I don't mean to sound rude, but I just want this question answered about blocking session ID stealing.

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 8th, 2009

Re: Login System

Well, to be honest when your asking if somethings secure it either is or it isnt. Theres no in the middle.

As another user said, there are however ways in which you can make your website 'safer'. Depending on the trafic of your website you should increase the amount of security you add to your code.
For example, I run a low traffic website for a sports team, and the only security is that of protecting against SQL injections (by clearing all inputed data).

To continue, it is therefore your choice wether or not you need this much security but daniweb provides answer, and the answers above are perfectly in context and should be appreciated. Sorry if it sounds blunt but people spend time writing posts to help others, not for the fun of it.

In an earlier comment you said you didnt understant CSRF.
In this context it would be validating a selfmade html form on a victims website.
In others words, creating a form with the same names as those of the website your hacking and then sending it to the website to be validated. Its a very sneakly thing and I suggest you look into it, google will help you there.

Hope all this helps

Designer_101

Reputation Points: 12

Solved Threads: 16

Posting Whiz

Offline

314 posts
since Jul 2007

Permalink

Apr 8th, 2009

Re: Login System

Click to Expand / Collapse Quote originally posted by brechtjah ...

I don't mean to sound rude, but I just want this question answered about blocking session ID stealing.

The code I posted earlier would help prevent this. It will changed the session ID every single time the user clicks on a new link, so even if the malicious user somehow gets the session ID, it will likely have changed by the time they try to do something.

Here is the code again:

php Syntax (Toggle Plain Text)
<?php
session_start();
// We need to copy the old session data
$previousSession = $_SESSION;
 
// Then re-create a new session
session_destroy();
session_start();
 
// And finally, reassign the session data
$_SESSION = $previousSession;
?>
<?php
session_start();
// We need to copy the old session data
$previousSession = $_SESSION;

// Then re-create a new session
session_destroy();
session_start();

// And finally, reassign the session data
$_SESSION = $previousSession;
?>

Will Gresham

Reputation Points: 96

Solved Threads: 124

Master Poster

Offline

728 posts
since May 2008

Permalink

Apr 9th, 2009

Re: Login System

Click to Expand / Collapse Quote originally posted by xan ...

The code I posted earlier would help prevent this. It will changed the session ID every single time the user clicks on a new link, so even if the malicious user somehow gets the session ID, it will likely have changed by the time they try to do something.

Here is the code again:
php Syntax (Toggle Plain Text)
<?php
session_start();
// We need to copy the old session data
$previousSession = $_SESSION;
 
// Then re-create a new session
session_destroy();
session_start();
 
// And finally, reassign the session data
$_SESSION = $previousSession;
?>
<?php session_start(); // We need to copy the old session data $previousSession = $_SESSION; // Then re-create a new session session_destroy(); session_start(); // And finally, reassign the session data $_SESSION = $previousSession; ?>

instead of all that, why not use session_regenerate_id()?

thats what i use.

Last edited by kkeith29; Apr 9th, 2009 at 2:06 am.

kkeith29

Reputation Points: 235

Solved Threads: 193

Nearly a Posting Virtuoso

Offline

1,315 posts
since Jun 2007

Permalink

Apr 9th, 2009

Re: Login System

Ok, I will rewrite the whole code and upload it here once ready.

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 10th, 2009

Re: Login System

session_regenerate_id() would be better in this case.

Designer_101

Reputation Points: 12

Solved Threads: 16

Posting Whiz

Offline

314 posts
since Jul 2007

Permalink

Apr 10th, 2009

Re: Login System

i agree with designer_101

BzzBee

Reputation Points: 16

Solved Threads: 48

Posting Whiz

Offline

327 posts
since Apr 2009

Permalink

Apr 10th, 2009

Re: Login System

Ok this is the code I have now, I haven't fully checked it yet so there could be some errors in it, but I doubt this. What I'm more interested in is are the holes in the code for a user to hack it. Well... if it's quite secure, or if there are improvements to be made.
It works the same as before, with some changes. The function renew() should be called on every page load as suggested here.

login_BackEnd.php

php Syntax (Toggle Plain Text)
<?php
	/*
	 * Error Codes
	 * 0: Success
	 * 1: User does not exist in DB
	 * 2: User is already logged in
	 * 3: Hash in form is not equal to server side created hash
	 * 4: An error occured while creating the session in the DB
	*/
	session_start();
	srand(time());
 
	if(!isset($_SESSION['RND'])) {
		$_SESSION['RND'] = sha1(rand()%1000001);
	}
 
	if(!isset($_SESSION['authINF1'], $_SESSION['authINF2'], $_SESSION['authINF3'])) {
		$_SESSION['authINF1'] = sha1($_SERVER['HTTP_USER_AGENT']);
		$_SESSION['authINF2'] = sha1($_SERVER['HTTP_ACCEPT_LANGUAGE']);
		$_SESSION['authINF3'] = sha1($_SERVER['REMOTE_ADDR']);
	}
 
	function authenticate() {
		if(!isset($_SESSION['conSession'], $_SESSION['chSession'])) {
			// Get information from form
			$username = htmlentities($_POST['username'], ENT_QUOTES);
			$hash = htmlentities($_POST['hash'], ENT_QUOTES);
 
			// Create salt for hash
			$salt = htmlentities($_SESSION['RND'], ENT_QUOTES);
			$_SESSION['RND'] = sha1(rand()%1000001);
			$salt .= htmlentities($_SERVER['REMOTE_ADDR'], ENT_QUOTES);
			$salt .= htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES);
 
			$qGetUser = @mysql_query("SELECT * FROM users WHERE gebruikersnaam='".$username."'");
			if(@mysql_num_rows($qGetUser) == 1) {
 
				// The user exists in the DB
				$aGetUser = @mysql_fetch_assoc($qGetUser);
				$qGetSession = @mysql_query("SELECT * FROM sessions WHERE gebruikersnaam='".$username."'");
				if(@mysql_num_rows($qGetSession) == 0) {
 
					// The user is not logged in yet
					$serverSideHash = sha1($aGetUser['wachtwoord'].$salt);
					if($serverSideHash == $hash) {
 
						// The submitted hash and the server side created one are equal
						$chSession = sha1(rand()%1000001);
						if(@mysql_query("INSERT INTO sessions(gebruikersnaam, conSessie, chSessie, sessieTijd) VALUES('".$username."', '".$serverSideHash."', '".$chSession."', ".time().")")) {
 
							// The session has been created
							$_SESSION['conSession'] = $serverSideHash;
							$_SESSION['chSession'] = $chSession;
							$err = 0;
						}
						else {
							$err = 4;
						}
					}
					else {
						$err = 3;
					}
				}
				else {
					$err = 2;
				}
			}
			else {
				$err = 1;
			}
		}
		return $err;
	}
 
	function renew() {
		deleteOldSessions();
		session_regenerate_id(TRUE);
		$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
		$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
		$qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
 
		if(@mysql_num_rows($qGetSession) == 1) {
			$aGetSession = @mysql_fetch_assoc($qGetSession);
			if($chSession == $aGetSession['chSessie']) {
				$chSession = sha1((rand()%1000001).$chSession);
				$_SESSION['chSession'] = htmlentities($chSession, ENT_QUOTES);
				@mysql_query("UPDATE sessions SET chSessie='".$chSession."', sessieTijd=".time()."");
			}
		}
	}
 
	function destroy() {
		$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
		$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
		$qGetSession = @mysql_query("DELETE FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
		session_unset();
		session_destroy();
	}
 
	function deleteOldSessions() {
		$inactivityTime = 60*5;
		$expirationTime = time() - $inactivityTime;
 
		if(isset($_SESSION['conSession']) && isset($_SESSION['chSession'])) {
			$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
			$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
			$qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."' AND sessieTijd<".$expirationTime."");
			$aGetSession = @mysql_fetch_assoc($qGetSession);
			if(@mysql_num_rows($qGetSession) == 1) {
				destroy();
			}
		}
		@mysql_query("DELETE FROM sessions WHERE sessieTijd<".$expirationTime."");
	}
?>
<?php
	/*
	 * Error Codes
	 * 0: Success
	 * 1: User does not exist in DB
	 * 2: User is already logged in
	 * 3: Hash in form is not equal to server side created hash
	 * 4: An error occured while creating the session in the DB
	*/
	session_start();
	srand(time());
	
	if(!isset($_SESSION['RND'])) {
		$_SESSION['RND'] = sha1(rand()%1000001);
	}
	
	if(!isset($_SESSION['authINF1'], $_SESSION['authINF2'], $_SESSION['authINF3'])) {
		$_SESSION['authINF1'] = sha1($_SERVER['HTTP_USER_AGENT']);
		$_SESSION['authINF2'] = sha1($_SERVER['HTTP_ACCEPT_LANGUAGE']);
		$_SESSION['authINF3'] = sha1($_SERVER['REMOTE_ADDR']);
	}
	
	function authenticate() {
		if(!isset($_SESSION['conSession'], $_SESSION['chSession'])) {
			// Get information from form
			$username = htmlentities($_POST['username'], ENT_QUOTES);
			$hash = htmlentities($_POST['hash'], ENT_QUOTES);
			
			// Create salt for hash
			$salt = htmlentities($_SESSION['RND'], ENT_QUOTES);
			$_SESSION['RND'] = sha1(rand()%1000001);
			$salt .= htmlentities($_SERVER['REMOTE_ADDR'], ENT_QUOTES);
			$salt .= htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES);
			
			$qGetUser = @mysql_query("SELECT * FROM users WHERE gebruikersnaam='".$username."'");
			if(@mysql_num_rows($qGetUser) == 1) {
				
				// The user exists in the DB
				$aGetUser = @mysql_fetch_assoc($qGetUser);
				$qGetSession = @mysql_query("SELECT * FROM sessions WHERE gebruikersnaam='".$username."'");
				if(@mysql_num_rows($qGetSession) == 0) {
					
					// The user is not logged in yet
					$serverSideHash = sha1($aGetUser['wachtwoord'].$salt);
					if($serverSideHash == $hash) {
						
						// The submitted hash and the server side created one are equal
						$chSession = sha1(rand()%1000001);
						if(@mysql_query("INSERT INTO sessions(gebruikersnaam, conSessie, chSessie, sessieTijd) VALUES('".$username."', '".$serverSideHash."', '".$chSession."', ".time().")")) {
							
							// The session has been created
							$_SESSION['conSession'] = $serverSideHash;
							$_SESSION['chSession'] = $chSession;
							$err = 0;
						}
						else {
							$err = 4;
						}
					}
					else {
						$err = 3;
					}
				}
				else {
					$err = 2;
				}
			}
			else {
				$err = 1;
			}
		}
		return $err;
	}
	
	function renew() {
		deleteOldSessions();
		session_regenerate_id(TRUE);
		$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
		$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
		$qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
		
		if(@mysql_num_rows($qGetSession) == 1) {
			$aGetSession = @mysql_fetch_assoc($qGetSession);
			if($chSession == $aGetSession['chSessie']) {
				$chSession = sha1((rand()%1000001).$chSession);
				$_SESSION['chSession'] = htmlentities($chSession, ENT_QUOTES);
				@mysql_query("UPDATE sessions SET chSessie='".$chSession."', sessieTijd=".time()."");
			}
		}
	}
	
	function destroy() {
		$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
		$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
		$qGetSession = @mysql_query("DELETE FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
		session_unset();
		session_destroy();
	}
	
	function deleteOldSessions() {
		$inactivityTime = 60*5;
		$expirationTime = time() - $inactivityTime;
		
		if(isset($_SESSION['conSession']) && isset($_SESSION['chSession'])) {
			$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
			$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
			$qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."' AND sessieTijd<".$expirationTime."");
			$aGetSession = @mysql_fetch_assoc($qGetSession);
			if(@mysql_num_rows($qGetSession) == 1) {
				destroy();
			}
		}
		@mysql_query("DELETE FROM sessions WHERE sessieTijd<".$expirationTime."");
	}
?>

php Syntax (Toggle Plain Text)
<?php
	include_once("login_BackEnd.php");
	include_once("connect.php");
	deleteOldSessions();
 
	if(isset($_POST['logIn'])) {
		$response = authenticate();
		switch($response) {
			case 0:
				$msg = "Succes";
				$type = "notification";
				break;
			default:
				$msg = $response;
				$type = "information";
				break;
		}
	}
 
	if(isset($_SESSION['conSession'], $_SESSION['chSession'])) {
		if((sha1($_SERVER['HTTP_USER_AGENT']) == $_SESSION['authINF1']) && (sha1($_SERVER['HTTP_ACCEPT_LANGUAGE']) == $_SESSION['authINF2']) && (sha1($_SERVER['REMOTE_ADDR']) == $_SESSION['authINF3'])) {
			$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
			$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
			$qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
			$aGetSession = @mysql_fetch_assoc($qGetSession);
			if(@mysql_num_rows($qGetSession) == 1) {
				$msg = "U bent ingelogd als ".$aGetSession['gebruikersnaam'];
				$type = "notification";
				renew();
			}
		}
	}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
		<title>Vermeersch Constructie</title>
		<script type="text/javascript" src="MooTools_Functions.js"></script>
		<script type="text/javascript" src="MooTools_BackEnd.js"></script>
		<!--[if lt IE 7.]>
			<script defer type="text/javascript" src="pngfix.js"></script>
		<![endif]-->
		<link rel="stylesheet" href="style.css" type="text/css">
		<script type="text/javascript" src="sha1.js"></script>
		<script type="text/javascript">
			function hashIt() {
				var salt = "<?php echo htmlentities($_SESSION['RND'], ENT_QUOTES); ?>";
				salt += "<?php echo htmlentities($_SERVER['REMOTE_ADDR'], ENT_QUOTES); ?>";
				salt += "<?php echo htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES); ?>";
				pass = document.getElementById('password').value;
 
				document.getElementById('password').value = "";
				document.getElementById('hash').value = hex_sha1(hex_sha1(pass)+salt);
			}
		</script>
	</head>
 
	<body>
		<div class="header"></div>
		<div class="container">
			<?php
				if(!empty($msg)) {
					showMsg($msg, $type);
					$msg = null;
					$type = null;
				}
			?>
			<form method="post" action="" onSubmit="hashIt();">
				<table>
					<tr>
						<td>Gebruikersnaam:</td><td><input type="text" name="username"></td>
					</tr>
					<tr>
						<td>Wachtwoord:</td><td><input type="password" id="password"></td>
					</tr>
					<tr>
						<td>&nbsp;</td><td style="text-align: right;"><input type="submit" name="logIn" value="Aanmelden"></td>
					</tr>
				</table>
				<input type="hidden" name="hash" id="hash">
			</form>
		</div>
		<div class="footer"><div style="padding: 6px;">&copy; Debaere Brecht</div></div>
	</body>
</html>
<?php
	include_once("login_BackEnd.php");
	include_once("connect.php");
	deleteOldSessions();
	
	if(isset($_POST['logIn'])) {
		$response = authenticate();
		switch($response) {
			case 0:
				$msg = "Succes";
				$type = "notification";
				break;
			default:
				$msg = $response;
				$type = "information";
				break;
		}
	}
	
	if(isset($_SESSION['conSession'], $_SESSION['chSession'])) {
		if((sha1($_SERVER['HTTP_USER_AGENT']) == $_SESSION['authINF1']) && (sha1($_SERVER['HTTP_ACCEPT_LANGUAGE']) == $_SESSION['authINF2']) && (sha1($_SERVER['REMOTE_ADDR']) == $_SESSION['authINF3'])) {
			$conSession = htmlentities($_SESSION['conSession'], ENT_QUOTES);
			$chSession = htmlentities($_SESSION['chSession'], ENT_QUOTES);
			$qGetSession = @mysql_query("SELECT * FROM sessions WHERE conSessie='".$conSession."' AND chSessie='".$chSession."'");
			$aGetSession = @mysql_fetch_assoc($qGetSession);
			if(@mysql_num_rows($qGetSession) == 1) {
				$msg = "U bent ingelogd als ".$aGetSession['gebruikersnaam'];
				$type = "notification";
				renew();
			}
		}
	}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
		<title>Vermeersch Constructie</title>
		<script type="text/javascript" src="MooTools_Functions.js"></script>
		<script type="text/javascript" src="MooTools_BackEnd.js"></script>
		<!--[if lt IE 7.]>
			<script defer type="text/javascript" src="pngfix.js"></script>
		<![endif]-->
		<link rel="stylesheet" href="style.css" type="text/css">
		<script type="text/javascript" src="sha1.js"></script>
		<script type="text/javascript">
			function hashIt() {
				var salt = "<?php echo htmlentities($_SESSION['RND'], ENT_QUOTES); ?>";
				salt += "<?php echo htmlentities($_SERVER['REMOTE_ADDR'], ENT_QUOTES); ?>";
				salt += "<?php echo htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES); ?>";
				pass = document.getElementById('password').value;
				
				document.getElementById('password').value = "";
				document.getElementById('hash').value = hex_sha1(hex_sha1(pass)+salt);
			}
		</script>
	</head>
	
	<body>
		<div class="header"></div>
		<div class="container">
			<?php
				if(!empty($msg)) {
					showMsg($msg, $type);
					$msg = null;
					$type = null;
				}
			?>
			<form method="post" action="" onSubmit="hashIt();">
				<table>
					<tr>
						<td>Gebruikersnaam:</td><td><input type="text" name="username"></td>
					</tr>
					<tr>
						<td>Wachtwoord:</td><td><input type="password" id="password"></td>
					</tr>
					<tr>
						<td>&nbsp;</td><td style="text-align: right;"><input type="submit" name="logIn" value="Aanmelden"></td>
					</tr>
				</table>
				<input type="hidden" name="hash" id="hash">
			</form>
		</div>
		<div class="footer"><div style="padding: 6px;">&copy; Debaere Brecht</div></div>
	</body>
</html>

brechtjah

Reputation Points: 26

Solved Threads: 9

Junior Poster in Training

Offline

92 posts
since Nov 2008

Permalink

Apr 10th, 2009

Re: Login System

why are you using javascript at all in the login process? I mean, only use it for basic validation not hashing. That in itself is a security flaw because attackers can see how you are encrypting a password, which helps them to crack it.

What if a user has javascript turned off? Then what. You should have php handle everything.

kkeith29

Reputation Points: 235

Solved Threads: 193

Nearly a Posting Virtuoso

Offline

1,315 posts
since Jun 2007

Permalink

Apr 10th, 2009

Re: Login System

Click to Expand / Collapse Quote originally posted by kkeith29 ...

why are you using javascript at all in the login process? I mean, only use it for basic validation not hashing. That in itself is a security flaw because attackers can see how you are encrypting a password, which helps them to crack it.

What if a user has javascript turned off? Then what. You should have php handle everything.

I agree JavaScript is more efficient (for the users) but PHP should always be your focus as it is loaded before the hacker gets the page.

Always make sure with important scripts that you make sure that the refering URL is the the page you wish it to come from.

Josh Connerty

Reputation Points: 31

Solved Threads: 27

Unverified User

Offline

342 posts
since Apr 2009

Previous
1
Page 2
3
Next

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in PHP Forum Timeline: Need help to Delete all button for all checkboxes...

Next Thread in PHP Forum Timeline: timeout if page is inactive

DaniWeb Message

Cancel Changes

User Name
Password