mysql_real_escape_string() does not protect you from all forms of SQL injection or other types of attacks. You should use a system that uses code to provide each of the many guarantees separately. An example of such use on my test server (not strong enough for production):

    function sanitize($str) {
        $str = trim($str);
        // Undo the automatic escaping added by magic_quotes_gpc, if it is on,
        // so the input is not escaped twice.
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        // Escape for MySQL, then encode HTML entities for output.
        return htmlentities(mysql_real_escape_string($str));
    }

Read the accepted answer of this question to find out why any approach to filtering user input is never complete.
For login security information, consider the following tips:
- Avoid user input when possible, and if this is not possible, sanitize their input.
- Do not use only md5 to protect user passwords; it is easy to crack.
- Consider using a password salt that is unique to each individual user.
- Keep your passwords both long and varied.
- If necessary, add these as requirements for user passwords. Example:
  - Must be at least six characters long.
  - Must consist of mixed-case characters.
  - Must contain at least one number.
  - (Secure) Must contain at least one character.
Justification and statistics on password strength:
I (with the nVidia NVS 3100M mobile video card) can crack or "bust" MD5 or SHA1 at a rate of 56,900,000 passwords per second. This means that I can exhaust all passwords 1-6 characters long over a full character set (a-zA-Z0-9 plus special characters) in less than four minutes. Imagine what someone with a decent computer (even a gaming one) or a server can do.
A way to protect against this is to salt your passwords. Depending on how you combine your passwords with the salt, the attacker will need to try many different cracking methods before they can guess any of your user passwords. If your password was not salted, they can brute-force it as I described above.
Learn more about PHP session security:
PHP Security Guide - Session Security
fooobar.com/questions/35402 / ...
Session Security Notes (SitePoint)
Also worth noting:
You need to decide what your site should be protected against. If your website is hosted on a shared server or on shared hosting (whether it be a VPN, VPS or some kind of semi-open solution), you will always be at risk from other malicious users on the system who have access to your PHP files, and by extension, your MySQL database. Even on a dedicated server, without proper internal network security, you are simply screwed.
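The answer above makes two points without showing them in code: escaping is not a substitute for keeping data out of the SQL text, and plain md5()/sha1() hashes fall to brute force unless each password is hashed with its own salt. The following is an added example, not code from the original answer, that shows a login flow built on PDO prepared statements and PHP's password_hash()/password_verify() (bcrypt with a random per-user salt embedded in the hash). The in-memory SQLite database, the users table and the sample account are constructed here so the script runs offline; the function names registerUser() and login() are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original answer.
// Uses an in-memory SQLite database so it runs offline; for MySQL, change the
// DSN and also pass PDO::ATTR_EMULATE_PREPARES => false in the options so
// placeholders are bound by the server rather than interpolated client-side.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Surface every database error as an exception instead of a silent false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema for the demo.
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() picks a fresh random salt on every call and stores it
    // inside the returned string, so two users with the same password end up
    // with different hashes and a precomputed table is useless.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // A hash of a dummy password, computed once, so that an unknown username
    // costs the same verification time as a known one.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    // The username is bound as a parameter: whatever it contains is treated
    // strictly as data, never as part of the SQL, so no escaping is involved.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PHP's default algorithm or cost has moved on since this hash was
    // stored, re-hash with the just-verified password and save the upgrade.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

// Constructed sample run.
$pdo = connect();
registerUser($pdo, 'alice', 'correct horse battery staple');

var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', 'wrong password'));
// A quote-laden username is simply a username that does not exist;
// the bound parameter never reaches the SQL parser as syntax.
var_dump(login($pdo, "' OR '1'='1", 'anything'));
```

Run it with `php login_example.php`; the first lookup succeeds and the other two fail. The design point is that the query text never changes between calls, so the answer's question of "how complete is my filter" does not arise for the SQL side, and the salt-per-user hashing means the brute-force speed quoted above has to be paid separately for every single account.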