Will this login be safe?

Hi, this is my first time here. I have read the definitive forms-based authentication guide and http://en.wikibooks.org/wiki/PHP_Programming/User_login_systems , but I still have doubts as to whether I am doing this correctly. Note: I am doing this to learn, so please do not suggest a framework, PHP PEAR Auth, or any other similar class. I just want some recommendations on what I can do to improve this.

I don't need CIA-style security, just something basic for a login page.

Anyway, this is how my login works:

  • Wait for the user to click Sign In

    if (isset($_POST['action']) && $_POST['action'] == 'Login')

  • Does the token in the form match the token stored in the session? If not, die.

  • Use PHP filters to check the strings in the username and password.
  • Hash the password (sha256) with a salt (I use the same salt for every password).
  • Use mysqli to verify the username and hashed password (LIMIT 1 in the SQL).
  • If no match is found, show an error; otherwise establish a session (hashed using sha256).

At the bottom of all this, I put the following; this is the line I am most worried about. My thinking is that if the session is not established, then show the login form and exit:

    session_start(); // $_SESSION is empty unless the session has been started on this request
    if (!isset($_SESSION['authenticated'])) {
        require_once 'html/login_form.html'; // show the form and stop before anything protected runs
        exit();
    }
    // secret stuff goes here

Full code can be found here. It is still incomplete.

I will also try to implement this: How can I slow down user login attempts in PHP.

I am grateful for any feedback.

+4
2 answers

This is a fairly open question, as there are many areas that could be covered. However, for medium security, I would at least recommend changing the following.

Number 2: Do not use the same salt. This means that if the salt is compromised, so are all the hashed values. I would recommend one-way encryption of the password. Users would rather reset it than learn that it could be decrypted.

Number 5: Don't forget SQL injection. It is more important than LIMIT 1. Look at mysql_real_escape_string().

+2
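The flow described in the question (token check, input filtering, hashing, lookup, session) with the two changes this answer asks for, written out as an added example; this is not the poster's code or the code from either linked guide. It assumes PHP 7+ with pdo_sqlite available: an in-memory SQLite database stands in for the MySQL table so the script runs offline from the CLI, and the session is modelled as a plain array passed by reference so the logic can be exercised without an HTTP request. It uses password_hash(), which generates a fresh random salt for every password and stores it inside the hash string, and a prepared statement with a bound parameter, which addresses the SQL-injection concern without any string escaping. The mysqli equivalent of the lookup is `$stmt = $mysqli->prepare($sql); $stmt->bind_param('s', $username); $stmt->execute();`. The sample user and the three login attempts at the bottom are constructed for the demo.

```php
<?php
// Added example, not the original poster's code. Models the login procedure
// from the question with per-password salts and parameterised SQL.
declare(strict_types=1);

// 1. CSRF token: issued with the form, stored in the session, checked on submit.
function issueToken(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function tokenIsValid(array $session, array $post): bool
{
    // hash_equals() is a constant-time comparison; the isset() guards cover a
    // request that carries no token at all.
    return isset($session['csrf'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['csrf'], $post['token']);
}

// 2. Storing a password: password_hash() picks a random salt per call (bcrypt
//    by default) and embeds it in the returned string, so two users with the
//    same password get different hashes and no shared salt exists to leak.
function createUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// A throwaway hash so an unknown username costs the same time as a wrong password.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// 3. The login step itself. Returns true and marks the session on success.
function login(PDO $db, array &$session, array $post): bool
{
    if (!isset($post['action']) || $post['action'] !== 'Login') {
        return false;                       // not a login submission
    }
    if (!tokenIsValid($session, $post)) {
        return false;                       // the poster's "if not, die"
    }

    // PHP filter: the username must match a strict character set, so the
    // injection payload in the demo below never reaches the query.
    $username = filter_var(
        $post['username'] ?? '',
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']]
    );
    $password = $post['password'] ?? '';
    if ($username === false || !is_string($password) || $password === '') {
        return false;
    }

    // Look the user up by username only; the value is bound, never concatenated.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, DUMMY_HASH); // burn the same time as a real check
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // 4. Establish the session. In a real request also call
    //    session_regenerate_id(true) here so a pre-login session id is not reused.
    unset($session['csrf']);                // token is single-use
    $session['authenticated'] = true;
    $session['user'] = $username;
    return true;
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
createUser($db, 'alice', 'correct horse battery staple');

$session = [];
$token = issueToken($session);              // would go into a hidden form field

$attempts = [
    'good'       => ['action' => 'Login', 'token' => $token,    'username' => 'alice', 'password' => 'correct horse battery staple'],
    'bad token'  => ['action' => 'Login', 'token' => 'forged',  'username' => 'alice', 'password' => 'correct horse battery staple'],
    'injection'  => ['action' => 'Login', 'token' => $token,    'username' => "alice' OR '1'='1", 'password' => 'x'],
    'wrong pass' => ['action' => 'Login', 'token' => $token,    'username' => 'alice', 'password' => 'password'],
];
foreach ($attempts as $label => $post) {
    $s = $session;                          // each attempt starts from the issued token
    printf("%-10s => %s\n", $label, login($db, $s, $post) ? 'logged in' : 'rejected');
}
```

Only the first attempt succeeds; the forged token is rejected before any database work, the injection string fails the username filter, and the wrong password fails password_verify(). The page guard from the question stays as it is: once login() has set `$_SESSION['authenticated']`, the `!isset(...)` check at the top of each protected page is what keeps unauthenticated visitors out.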

First, nothing is 100% secure. To make your login more secure, you can add some of the following:

There are many others, but it all depends on how secure you need it to be and how much hassle you are willing to put up with. Some balance is needed based on your application.

My brokerage account uses pictures and questions before you even get to the login form. That is a pain (necessary on a brokerage account), but probably not so much on a blog.

+1

Source: https://habr.com/ru/post/1332582/
