PHP Server Side Scripting Forum

Wondering about my security
PHP security solution, is it really secure?
mikejson
msg:1252080
8:27 pm on Jun 27, 2003 (gmt 0)

Ok, I recently tried to secure part of a site. I just wanted to know how secure it really is. The reason I ask is, 1. I'm new to PHP, and 2. It was sooo easy to do it, I can't believe it is really secure.

What I did:
I created a login page. In this page, I use a username and password form and check it against my list, located in a different folder than the public folder.

The checking is done from a script located in a folder called XXX(not really called that but...)

Next if the user/pass combo is there, then I let them past the login page, if it isn't then they just get the log-in page again(not very informative but if they can't log in too bad :P ).

Now all the rest of the pages are located in this 'XXX' folder. And in each page in that folder that I want secure I put a small piece of script, basically like this:

<?php
$allowed = 'http://[.....com...]/XXX';  // referer must start with the site's own URL
if (strncmp($_SERVER['HTTP_REFERER'] ?? '', $allowed, strlen($allowed)) !== 0) {
    header('Location: [login page]'); exit;  // otherwise kick out to the login page
}
?>

uh, that's the basic version anyway :P

how secure is this?

 

mikejson
msg:1252081
8:28 pm on Jun 27, 2003 (gmt 0)

OH I forgot one thing...

The HTTP_REFERER part, I just take the first x characters of that string... just enough to verify
http....com/XXX is in the url of the last page.

DrDoc
msg:1252082
10:27 pm on Jun 27, 2003 (gmt 0)

First of all, Welcome to Webmaster World! :)

Now, relying on the referer sent by the browser is not secure at all. It has nothing to do with PHP's security (which is pretty darn secure, until you create the security hole yourself.)

The referer can be spoofed (faked). Some browsers send incorrect or incomplete referers. If you want to be sure that the user is coming from an allowed page, pass some random information to the page that is different each time that page is reached. This random string can then be verified on the next page.

Have you looked into PHP Sessions?

firemaster
msg:1252083
10:43 pm on Jun 27, 2003 (gmt 0)

Agreeing with DrDoc, check into PHP Sessions, very simple to use. Also, have you thought about storing the usernames and passwords in a database rather than a file? (I know you said it is not in the public folder.) If the list is long, it would be faster to query a database.
-FM-

lasko
msg:1252084
11:32 pm on Jun 27, 2003 (gmt 0)

I am also a newborn PHP programmer and have recently built a secure login section using MySQL and PHP sessions.

The sessions in php are great, checking to make sure that an open session has a specific active string which can be yes, no, 0 or 1.

For extra security I would recommend a database storing all info in a separate table, and creating a log of every login made, just so you can see the activity.

I have found PHP to be very secure, having tested all sorts of methods. One thing I would NOT do is store the passwords or usernames in a text file, even in a completely different folder.

vincevincevince
msg:1252085
3:45 am on Jun 28, 2003 (gmt 0)

agreed - use a database for your username & password

preferably store only an md5 hash of the password

don't rely on referrer, although it's nice to add that in as well for added security

i don't use sessions in general - i generate my own cookie with a randomised value in it, and create a corresponding database entry to remember that value, the IP the cookie went to, and the time... that way I am in control of my security - not php session.

i then check before returning _each and every_ page that the cookie value is a) present, b) the IP is the same as when it was sent out, and c) the time is within X mins from cookie issue (login).

i think you should have reasonable security if you do this. i always shy away from using standard security functions etc. as once a hole is found in it - it soon becomes common knowledge and every site using it becomes at risk.
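The cookie-plus-database-row scheme described in this post, as an added example that is not code from the thread: it uses an in-memory SQLite table through PDO in place of the poster's database, assumes 30 minutes for the "X mins", and uses constructed IP addresses; the function and column names are my own.

```php
<?php
// Added example (not from the thread). Assumes PDO with the sqlite driver.
declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 60;   // the post's "X mins" from login; 30 minutes assumed

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (token TEXT PRIMARY KEY, ip TEXT NOT NULL, issued INTEGER NOT NULL)');
    return $db;
}

// Called once after the password check succeeds: mint a random value and remember
// it together with the IP it is going to and the issue time.
function issueToken(PDO $db, string $clientIp, int $now): string {
    $token = bin2hex(random_bytes(32));          // 256 random bits, not guessable
    $db->prepare('INSERT INTO login_tokens (token, ip, issued) VALUES (?, ?, ?)')
       ->execute([$token, $clientIp, $now]);
    return $token;
}

// Run before returning each and every page: the cookie value must a) be present in the
// table, b) come from the same IP it was sent to, and c) be younger than the lifetime.
function checkToken(PDO $db, ?string $cookie, string $clientIp, int $now): bool {
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return false;                                     // malformed or missing
    }
    $stmt = $db->prepare('SELECT ip, issued FROM login_tokens WHERE token = ?');
    $stmt->execute([$cookie]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                     // a) not present
    }
    if (!hash_equals($row['ip'], $clientIp)) {
        return false;                                     // b) IP changed since issue
    }
    if ($now - (int)$row['issued'] > TOKEN_LIFETIME) {
        $db->prepare('DELETE FROM login_tokens WHERE token = ?')->execute([$cookie]);
        return false;                                     // c) expired: log in again
    }
    return true;
}

// Demo with constructed values; in a real page the token goes out via setcookie()
// with the HttpOnly and Secure flags, and $clientIp comes from $_SERVER['REMOTE_ADDR'].
$db  = openStore();
$tok = issueToken($db, '203.0.113.7', time());
var_dump(checkToken($db, $tok, '203.0.113.7', time()));          // same IP, fresh
var_dump(checkToken($db, $tok, '203.0.113.8', time()));          // different IP
var_dump(checkToken($db, $tok, '203.0.113.7', time() + 3600));   // past the lifetime
```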

mapostel
msg:1252086
10:12 am on Jun 28, 2003 (gmt 0)

b) the IP is the same as when it was sent out,

Isn't this a potential problem with certain ISPs? I notice in logs that AOL surfers seem to have a different IP with each request. Just wondering ...

M.

vincevincevince
msg:1252087
12:16 pm on Jun 28, 2003 (gmt 0)

AOL surfers

need i say more? i never had any complaints about not being able to use any of my sites security.

jaski
msg:1252088
5:08 pm on Jun 28, 2003 (gmt 0)

Isn't this a potential problem with certain ISPs?

Yes, I think that happens in the case of dialup users: IPs change during the same session.

vincevincevince
msg:1252089
5:36 pm on Jun 28, 2003 (gmt 0)

with dialup users, true, they will need to log in again - but i'd say that with an average reconnection time of say an hour, their hourly typing a password is worth it to ensure nobody hijacks the session

DrDoc
msg:1252090
10:08 pm on Jun 28, 2003 (gmt 0)

Just store the first three numbers.

###.###.###

The IP switch usually only affects the fourth...

vincevincevince
msg:1252091
9:38 am on Jun 29, 2003 (gmt 0)

Just store the first three numbers.
###.###.###

The IP switch usually only affects the fourth...


which would leave the system open to cookie hijack by only 255 different people - and in the case of a network on static IPs - that would most likely be people nearby... ie those who are in a position to easily hijack.

something i'd rather not leave to chance

mikejson
msg:1252092
1:14 pm on Jun 30, 2003 (gmt 0)

Well, I'm already liking this forum. I go away for the weekend and I get everyone's opinion :) Gives me something to do Monday morning at work haha.

Anyway, so what you guys are saying is the "Referer" can be fraudulent? Well why the hell would my book tell me to do it this way :P

I do have a database at my disposal, but there is only 1 user allowed into this site. No username, just a password. It's just a documentation site for a project. Basically a way to communicate information that usually isn't sensitive, but just in case, I'm securing it so we could pass sensitive information. And I'm just using this for something to do. The boss doesn't come back for a week and I have finished everything that was dumped on me already. So this is just something I'm doing to pass the time :)

Thanks for all your input guys/gals. I think I'm going to stick with just the file outside of the public folder. No real advantage on look-up (only 1 pass anyway). As for the session stuff, I was looking at that in my books. What my book says for good security is to create a session and pass a variable from page to page, checking that variable on every page. Would that be a better solution compared to what I have?

vincevincevince
msg:1252093
3:54 pm on Jun 30, 2003 (gmt 0)

create a session and pass a variable from page to page, checking that variable on every page

yes, that's a really good way of doing it... BUT...
make sure register_globals is OFF in php.ini, i.e. make sure you use $_SESSION['loggedin'] not just $loggedin... otherwise i can write www.yoursite.com?loggedin=1 and get in :-)
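A session-based gate of the kind the quoted advice describes, as an added example that is not code from the thread: it reads $_SESSION['loggedin'] only, regenerates the session id at login, and checks the single password against a password_hash() value (used here in place of the md5 mentioned earlier in the thread); the file name login.php and the demo password are assumptions.

```php
<?php
// Added example (not from the thread). Assumes login.php is the login page.
declare(strict_types=1);

// True only when the server-side session says so. The query string cannot set
// $_SESSION, unlike a bare global $loggedin that register_globals would fill from
// ?loggedin=1. register_globals should still be OFF, as the post says.
function isLoggedIn(): bool
{
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;
}

// Put at the top of every page in the protected folder, after session_start().
function requireLogin(string $loginPage = '/login.php'): void
{
    if (!isLoggedIn()) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// Login step: compare the submitted password with the stored hash in constant
// time, then mark the session as logged in under a fresh session id.
function attemptLogin(string $submitted, string $storedHash): bool
{
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // drop the pre-login id (session fixation)
    }
    $_SESSION['loggedin'] = true;
    $_SESSION['since']    = time();
    return true;
}

// Demo (constructed): the hash would normally live in the file outside the web root.
session_start();
$storedHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
var_dump(attemptLogin('wrong-password', $storedHash), isLoggedIn());
var_dump(attemptLogin('constructed-demo-password', $storedHash), isLoggedIn());
```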

mikejson
msg:1252094
4:08 pm on Jun 30, 2003 (gmt 0)

heh, nice try HACKER! hehe j/k.

Actually I have written into my pages that if any args are in the url, I reload the page stripping the args out...

Something like this:
if (($_SERVER['QUERY_STRING'] ?? '') !== '') {   // any args in the URL?
    // reload this page with the query string stripped off
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit;
}

That way, any information I get won't be input through the URL.
