11 Replies - 12782 Views - Last Post: 23 June 2013 - 11:02 PM

#1 NecroWinter

Best secure way to create a login with PHP

Posted 12 September 2012 - 06:00 PM

This isn't really a code question, so to speak; creating a text box to authenticate a user isn't challenging. When you create code to authenticate a person, you can check if the password is correct. If it isn't, you can echo out some HTML and say it's incorrect, or redirect them to the original page where they tried logging in from.

However, if they are correct, one would assume that they are given access to an entire site. Echoing out a full page's worth of HTML just doesn't seem right. If a user is authenticated, you can redirect them to a PHP or HTML file that they were trying to have access to; problem is, what's to stop a person from just bypassing the login by guessing where the redirect goes to? I imagine you could create a private folder and have the desired site located there, but I'm not sure how to grant access to a private folder via PHP.

If this isn't the right forum for this topic, sorry.


Replies To: Best secure way to create a login with PHP

#2 Dormilich

Re: Best secure way to create a login with PHP

Posted 12 September 2012 - 06:13 PM

Usually protected pages are "protected" by a session, i.e. if there is no session set (via authentication), access is denied.
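The session check described in this reply, as an added example (editor's code, not from any poster): a login handler that looks the user up with a prepared statement (which is also the answer to the SQL injection question at the end of the thread), verifies the password with password_verify(), regenerates the session ID on success, and a requireLogin() guard that every protected page runs first. The users table, the constructed account "alice" and the in-memory SQLite database (pdo_sqlite is assumed to be available) are assumptions made so the script runs stand-alone from the command line.

```php
<?php
// Added example, not code from the thread: session-based login plus the guard
// that protected pages run. Assumes a users table (id, username, password_hash);
// here it is a constructed in-memory SQLite table with one account so the script
// runs stand-alone from the CLI.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

session_start();   // must run before any output

/**
 * Check the credentials and, on success, bind the user to the session.
 * Returns true or false; the caller decides whether to redirect or re-show the form.
 */
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a throwaway hash so the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummyHash) && $row !== false;
    if (!$ok) {
        return false;
    }

    // Fresh session ID at the moment of privilege change (defeats session fixation),
    // then record who is logged in. Only the ID travels in the cookie; the data stays server-side.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $username;
    return true;
}

/**
 * First line of every protected page (or of the front controller). Guessing the
 * URL of a protected page gains nothing: without a logged-in session the request
 * is bounced to the login page before any of the page's HTML is produced.
 */
function requireLogin(string $loginUrl = '/login.php'): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

/** Log out: drop the server-side data and invalidate the session ID. */
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed usage, as a login handler would call it after reading $_POST.
$results = [
    'wrong_password' => login($pdo, 'alice', 'not the password'),
    'unknown_user'   => login($pdo, 'nobody', 'correct horse battery staple'),
    'correct'        => login($pdo, 'alice', 'correct horse battery staple'),
    'session_user'   => $_SESSION['user_id'] ?? null,
];
var_dump($results);
```

The point of the guard is that the protected page never emits anything before the check runs, so the "hidden" URL is irrelevant: the session, not the URL, is the credential. Any page that does real work should call requireLogin() before producing output.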

#3 creativecoding

Re: Best secure way to create a login with PHP

Posted 12 September 2012 - 06:32 PM

Yeah, sessions cannot be edited by the user, so this makes it pretty much your best bet. I don't know where I'd be without sessions.

#4 NecroWinter

Re: Best secure way to create a login with PHP

Posted 12 September 2012 - 07:41 PM

Thanks guys, I'll definitely research sessions.

#5 CTphpnwb

Re: Best secure way to create a login with PHP

Posted 13 September 2012 - 06:15 AM

A hacker won't need to get to session variables if they can sniff unencrypted traffic as someone logs in, so if security is important then SSL should be used.
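What "use SSL" has to mean for a session-based login, as an added example (editor's code, not from the thread): TLS on the login form alone does not help if the browser later sends the session cookie over plain HTTP, so the cookie itself must be marked Secure, and plaintext requests should be redirected and HSTS sent. APP_HOST is an assumption (it is deliberately not taken from the Host header); the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread: TLS enforcement plus session cookie
// flags that keep the session ID off the wire in clear. Call startSecureSession()
// instead of session_start(). APP_HOST is an assumed canonical host.
declare(strict_types=1);

const APP_HOST = 'example.com';   // assumption; never derived from the Host header

/**
 * Redirect plaintext requests to HTTPS and send HSTS so the browser stops
 * trying plain HTTP for this host. Only $_SERVER['HTTPS'] is trusted here;
 * behind a TLS-terminating proxy you would check the header that proxy sets
 * and strips from clients (an assumption about the deployment).
 */
function enforceHttps(): void
{
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$isHttps) {
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . APP_HOST . $path, true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

/** session_start() with cookie settings that a sniffer on plain HTTP never sees. */
function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // expires with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // sent only over HTTPS
        'httponly' => true,    // invisible to JavaScript
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);
    session_start();
}

// Bootstrap for the web entry point; skipped when run from the CLI for inspection.
if (PHP_SAPI !== 'cli') {
    enforceHttps();
    startSecureSession();
}
```

The Secure flag is the part most often missed: without it, one link to http://APP_HOST/anything (or one image tag on a page the attacker controls) makes the browser send the session cookie in clear, and the attacker has the session without ever touching the login page.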

#6 dallbee

Re: Best secure way to create a login with PHP

Posted 15 September 2012 - 11:48 AM

Quote

what's to stop a person from just bypassing the login by guessing where the redirect goes to?

The trick is to not actually put any of your PHP files into an HTTP-accessible folder.
Say you have a www folder where all of your files can be seen by the web. This folder is located at something like /user/www/. Inside of /user/www/, you can place an index.php which serves only to include files for authenticated users. The rest of your files are placed in /user/yourwebsite/.

Session security:
Encrypt your sessions with AES-256 and a 256-bit key.
Lock sessions to an IP address.
Use SSL, but don't rely on it.
Hash your passwords with either scrypt, bcrypt, or PBKDF2 (ordered best to worst).

#7 Dormilich

Re: Best secure way to create a login with PHP

Posted 15 September 2012 - 01:45 PM

dallbee, on 15 September 2012 - 08:48 PM, said:

The trick is to not actually put any of your PHP files into an HTTP-accessible folder.
Say you have a www folder where all of your files can be seen by the web. This folder is located at something like /user/www/. Inside of /user/www/, you can place an index.php which serves only to include files for authenticated users. The rest of your files are placed in /user/yourwebsite/.

Though that only works if you have access to one such directory. That is no problem on your own machine; public webservers usually don't let you do that (unless, of course, the provider allows you to do so (for a fee)).

#8 dallbee

Re: Best secure way to create a login with PHP

Posted 16 September 2012 - 03:11 PM

I've never seen a shared hosting webserver that doesn't give you access outside of your www directory. Typically you get your own folder, with a public_html or www inside of it.

#9 Atli

Re: Best secure way to create a login with PHP

Posted 16 September 2012 - 03:43 PM

Yeah, that's been my experience too. Only one host I've used didn't let me access the web root's parent directory, and that one was extremely cheap. (If it sounds too good to be true... It didn't even have mod_rewrite.)

But even so, it wouldn't exactly be a big problem to overcome. Just create the directory inside the web root and drop a .htaccess file in there with a Deny all directive. Now it's treated basically the same as a dir outside the web root. Hell, you can even make it return a 404 code instead, making it appear not to be there.
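The "index.php that only includes files for authenticated users" from dallbee's and Atli's replies, as an added example (editor's code, not from either poster). The directory names /user/www and /user/yourwebsite are the thread's; the page names, file names and the query parameter are assumptions. The important detail is that the URL parameter is only ever a key into an allowlist, so it can never name an arbitrary file, with or without a private directory. If the host leaves no directory outside the web root, the .htaccess fallback is "Require all denied" on Apache 2.4 ("Deny from all" on 2.2), and it only takes effect where the vhost's AllowOverride permits it.

```php
<?php
// Added example, not code from the thread: the single index.php under the web
// root that serves pages stored outside it. Directory names follow the thread;
// page and file names are assumptions.
declare(strict_types=1);

const PRIVATE_PAGES = '/user/yourwebsite/pages';   // no URL maps to this directory

// Allowlist of routable pages. "?page=../../etc/passwd" or "?page=admin.php%00"
// are simply not keys here, so they never touch the filesystem.
const PAGES = [
    'home'      => ['file' => 'home.php',      'auth' => false],
    'login'     => ['file' => 'login.php',     'auth' => false],
    'dashboard' => ['file' => 'dashboard.php', 'auth' => true],
    'settings'  => ['file' => 'settings.php',  'auth' => true],
];

/**
 * Decide what a request for $name gets: 200 with a file path, 302 to the login
 * page, or 404. Pure function, so it can be exercised without a web server.
 */
function resolvePage(string $name, bool $loggedIn): array
{
    if (!isset(PAGES[$name])) {
        return ['status' => 404, 'file' => null];
    }
    if (PAGES[$name]['auth'] && !$loggedIn) {
        return ['status' => 302, 'file' => null];
    }
    return ['status' => 200, 'file' => PRIVATE_PAGES . '/' . PAGES[$name]['file']];
}

if (PHP_SAPI === 'cli') {
    // Constructed requests, run from the command line instead of a browser.
    var_dump([
        'public'        => resolvePage('home', false),
        'private_anon'  => resolvePage('dashboard', false),
        'private_auth'  => resolvePage('dashboard', true),
        'traversal'     => resolvePage('../../etc/passwd', true),
    ]);
    exit;
}

// Web entry point: the only PHP file under /user/www.
session_start();
$requested = is_string($_GET['page'] ?? null) ? $_GET['page'] : 'home';
$result = resolvePage($requested, !empty($_SESSION['user_id']));
switch ($result['status']) {
    case 404:
        http_response_code(404);
        echo 'Not found';
        break;
    case 302:
        header('Location: /index.php?page=login', true, 302);
        break;
    default:
        require $result['file'];   // included from outside the web root
}
```

Keeping the pages outside the web root (or behind a denying .htaccess) and routing only through the allowlist are two separate controls: the first stops a direct URL from serving a page without the check, the second stops the front controller itself from being turned into a file-read primitive.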

#10 creativecoding

Re: Best secure way to create a login with PHP

Posted 16 September 2012 - 03:52 PM

I usually use the MVC framework. Inside of the controller I would check if the user is logged in. If they are, let them view the page they were trying to view. If they were not, force them to go to the login page. Works rather well if you ask me.

#11 codebarbarian

Re: Best secure way to create a login with PHP

Posted 23 June 2013 - 03:46 PM

Something to add is CSRF token validation (Cross-Site Request Forgery). If you hook on a time validation as well, you are protected against people entering the site too fast (bots), and against it taking too long (i.e. a timeout). With time validation on a form, if the form is not used in the specified time range, the client must refresh the form to be able to use it.

Notice: you could also use a form token, to check that the form you have generated matches the form the user has submitted.

Example of creating and validating a CSRF token (session_start() must have been called first):

Generation of a token
// Generate a CSRF token and remember it in the session.
// random_bytes() stands in for mcrypt_create_iv(), which was removed from PHP;
// bin2hex() turns the raw bytes into a string that is safe both as an array
// key and inside an HTML attribute.
function getCSRFToken()
{
    $nonce = bin2hex(random_bytes(32));

    if (empty($_SESSION['csrf_tokens'])) {
        $_SESSION['csrf_tokens'] = array();
    }
    $_SESSION['csrf_tokens'][$nonce] = true;

    return $nonce;
}

Validation of a token
// Validate a CSRF token: accept it once, then forget it.
function validateCSRFToken($token)
{
    if (isset($_SESSION['csrf_tokens'][$token])) {
        unset($_SESSION['csrf_tokens'][$token]);
        return true;
    }
    return false;
}

If you generate a CSRF token and pass it to the login form by using a hidden field,
echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';

you can easily check it by doing
$token = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '';
// is_string() guards against csrf_token[]=x, which arrives as an array and
// would make the isset() lookup above throw
$valid = is_string($token) && $token !== '' && validateCSRFToken($token);
if (!$valid) {
    // Attack detected (or a stale form): fail the request
    http_response_code(403);
    exit;
}


Some practices to use:
- Exit early. Always check; if anything seems wrong, exit.
- Good validation of both username and password.
- Do not trust your users!
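The time validation this reply describes, as an added example (editor's code, not the poster's): the form token carries its issue time and an HMAC under a per-session secret, so "too fast" (bot) and "too long" (timeout) are decided as part of validating the token, and an attacker's site cannot mint a valid token because it does not know the secret. The per-session secret, the form names and the timings are assumptions; a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not the poster's code: a form token that carries its issue
// time, bound to a per-session secret (an assumption about the design).
declare(strict_types=1);

const FORM_MIN_SECONDS = 2;     // faster than this, nobody typed a username: reject
const FORM_MAX_SECONDS = 900;   // older than this, the client must reload the form

/** Lazily create one random secret per session; tokens are HMACs under it. */
function formSecret(array &$session): string
{
    if (empty($session['form_secret'])) {
        $session['form_secret'] = bin2hex(random_bytes(32));
    }
    return $session['form_secret'];
}

/** Token layout: "<form>:<unix time>:<hmac-sha256>", all ASCII, safe in a hidden field. */
function issueFormToken(array &$session, string $form, ?int $now = null): string
{
    $payload = $form . ':' . ($now ?? time());
    return $payload . ':' . hash_hmac('sha256', $payload, formSecret($session));
}

/** Returns 'ok', 'too_fast', 'expired' or 'invalid'. */
function checkFormToken(array &$session, string $form, string $token, ?int $now = null): string
{
    $parts = explode(':', $token);
    if (count($parts) !== 3 || $parts[0] !== $form || !ctype_digit($parts[1])) {
        return 'invalid';
    }
    [$name, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $name . ':' . $issued, formSecret($session));
    // Constant-time compare so a byte-by-byte match is not observable in timing.
    if (!hash_equals($expected, $mac)) {
        return 'invalid';
    }
    $age = ($now ?? time()) - (int) $issued;
    if ($age < FORM_MIN_SECONDS) {
        return 'too_fast';
    }
    if ($age > FORM_MAX_SECONDS) {
        return 'expired';
    }
    return 'ok';
}

// Constructed usage; a plain array stands in for $_SESSION so this runs from the CLI.
$session  = [];
$issuedAt = 1700000000;
$token    = issueFormToken($session, 'login', $issuedAt);
$forged   = 'login:' . $issuedAt . ':' . str_repeat('0', 64);
var_dump([
    'human'      => checkFormToken($session, 'login', $token, $issuedAt + 30),
    'bot'        => checkFormToken($session, 'login', $token, $issuedAt + 1),
    'stale'      => checkFormToken($session, 'login', $token, $issuedAt + 3600),
    'wrong_form' => checkFormToken($session, 'signup', $token, $issuedAt + 30),
    'forged'     => checkFormToken($session, 'login', $forged, $issuedAt + 30),
]);
```

One caveat: a token like this is valid for the whole window and can be submitted more than once within it. Where a form must be one-shot, keep the session-stored nonce approach from the post above and add the timestamp to it, rather than replacing it.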

#12 vks.gautam1

Re: Best secure way to create a login with PHP

Posted 23 June 2013 - 11:02 PM

Don't know much about PHP. Does SQL injection work here too?
Bad coding practice affects your website's security.
