
Wondering about my security

PHP security solution, is it really secure?

   
8:27 pm on Jun 27, 2003 (gmt 0)

10+ Year Member



Ok, I recently tried to secure part of a site. I just wanted to know actually how secure it really is. The reason I ask is, 1. I'm new to PHP, and 2. It was sooo easy to do it, I can't believe it is really secure.

What I did:
I created a log-in page; in this page, I use a username and password form and check it against my list located in a different folder other than the public folder.

The checking is done from a script located in a folder called XXX(not really called that but...)

Next, if the user/pass combo is there, then I let them past the login page; if it isn't, then they just get the log-in page again (not very informative, but if they can't log in, too bad :P ).

Now all the rest of the pages are located in this 'XXX' folder. And in each page in that folder that I want secure I put a small piece of script, basically like this:

<?php
// Referer check as described ('http....com/XXX' and login.php are placeholders)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($referer, 'http....com/XXX') !== 0) {
    header('Location: login.php'); exit;   // kick out to the login page
}

uh, that's the basic version anyway :P

how secure is this?

8:28 pm on Jun 27, 2003 (gmt 0)

10+ Year Member



OH I forgot one thing...

The HTTP_REFERER part, I just take the first x characters of that string... just enough to verify http....com/XXX is in the URL of the last page.

10:27 pm on Jun 27, 2003 (gmt 0)

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member



First of all, Welcome to Webmaster World! :)

Now, relying on the referer sent by the browser is not secure at all. It has nothing to do with PHP's security (which is pretty darn secure, until you create the security hole yourself.)

The referer can be spoofed (faked). Some browsers send incorrect or incomplete referers. If you want to be sure that the user is coming from an allowed page, pass some random information to the page that is different each time that page is reached. This random string can then be verified on the next page.

Have you looked into PHP Sessions?

10:43 pm on Jun 27, 2003 (gmt 0)

10+ Year Member



Agreeing with DrDoc, check into PHP Sessions, very simple to use. Also, have you thought about storing the usernames and passwords in a database rather than a file? (I know you said it is not in the public folder.) But if the list is long, it would be faster to query a database.
-FM-

11:32 pm on Jun 27, 2003 (gmt 0)

10+ Year Member



I am also a newborn PHP programmer and have recently built a secure log-in section using MySQL and PHP sessions.

The sessions in PHP are great, checking to make sure that an open session has a specific active string, which can be yes, no, 0 or 1.

For extra security I would recommend a database storing all info in a separate table, and create a log of every log-in made just so you can see the activity.

I have found PHP to be very secure, having tested all sorts of methods. One thing I would NOT do is store the passwords or usernames in a text file, even in a completely different folder.

3:45 am on Jun 28, 2003 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



agreed - use a database for your username & password

preferably store only an md5 hash of the password

don't rely on referrer, although it's nice to add that in as well for added security

i don't use sessions in general - i generate my own cookie with a randomised value in it, and create a corresponding database entry to remember that value, the IP the cookie went to, and the time... that way I am in control of my security - not php session.

i then check before returning _each and every_ page that the cookie value is a) present, b) the IP is the same as when it was sent out, and c) the time is within X mins from cookie issue (login).

i think you should have reasonable security if you do this. i always shy away from using standard security functions etc. as once a hole is found in it - it soon becomes common knowledge and every site using it becomes at risk.
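The cookie-token scheme described in the post above, as an added example that is not vincevincevince's own code: a random value is issued at login, its hash is stored with the issuing IP and time, and every protected page applies the three checks (a), (b), (c). It assumes PHP 7.1+ with PDO and SQLite (in-memory so it runs offline); the 30-minute window, addresses and times are constructed values.

```php
<?php
// Added example (not the poster's code): the cookie-token scheme described
// above. Assumes PHP 7.1+ with PDO/SQLite (in-memory so it runs offline);
// a live site would setcookie() the token and read it back from $_COOKIE.
const TOKEN_TTL = 30 * 60;   // "X mins" from issue; 30 minutes is an assumption

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_token (token_hash TEXT PRIMARY KEY,
                                        ip TEXT NOT NULL, issued INTEGER NOT NULL)');
    return $db;
}

// On successful login: mint a random value, store its hash with the client
// IP and the issue time, and hand the raw value back for the cookie.
function issue_token(PDO $db, string $ip, int $now): string {
    $token = bin2hex(random_bytes(32));                  // 64 hex chars, CSPRNG
    $db->prepare('INSERT INTO login_token VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $ip, $now]);
    return $token;
}

// Before every protected page: (a) cookie present and known, (b) same IP as
// at issue, (c) issued no more than TOKEN_TTL ago. Otherwise back to login.
function check_token(PDO $db, ?string $token, string $ip, int $now): bool {
    if ($token === null || !ctype_xdigit($token)) {
        return false;
    }
    $st = $db->prepare('SELECT ip, issued FROM login_token WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return hash_equals($row['ip'], $ip) && ($now - (int)$row['issued']) <= TOKEN_TTL;
}

// Constructed walk-through (addresses and times are made up).
$db    = open_db();
$t0    = 1000000;
$token = issue_token($db, '203.0.113.7', $t0);
var_dump(check_token($db, $token, '203.0.113.7', $t0 + 60));              // fresh token, same IP
var_dump(check_token($db, $token, '203.0.113.99', $t0 + 60));             // IP changed since issue
var_dump(check_token($db, $token, '203.0.113.7', $t0 + TOKEN_TTL + 1));   // past TOKEN_TTL
var_dump(check_token($db, 'not-a-token', '203.0.113.7', $t0 + 60));       // unknown token
```

Only the hash of the token is stored, so a leaked table does not yield usable cookies; the IP comparison is the strict form from the post, which is what the dialup replies further down take issue with.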

10:12 am on Jun 28, 2003 (gmt 0)

10+ Year Member



b) the IP is the same as when it was sent out,

Isn't this a potential problem with certain ISPs? I notice in logs that AOL surfers seem to have a different IP with each request. Just wondering ...

M.

12:16 pm on Jun 28, 2003 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



AOL surfers

need i say more? i never had any complaints about not being able to use any of my sites security.

5:08 pm on Jun 28, 2003 (gmt 0)

10+ Year Member



Isn't this a potential problem with certain ISPs?

Yes, I think that happens in the case of dialup users: their IPs change during the same session.

5:36 pm on Jun 28, 2003 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



with dialup users, true, they will need to log in again - but i'd say that with an average reconnection time of, say, an hour, their hourly typing of a password is worth it to ensure nobody hijacks the session

10:08 pm on Jun 28, 2003 (gmt 0)

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Just store the first three numbers.

###.###.###

The IP switch usually only affects the fourth...

9:38 am on Jun 29, 2003 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Just store the first three numbers.
###.###.###

The IP switch usually only affects the fourth...


which would leave the system open to cookie hijack by only 255 different people - and in the case of a network on static IPs - that would most likely be people nearby... i.e. those who are in a position to easily hijack.

something i'd rather not leave to chance

1:14 pm on Jun 30, 2003 (gmt 0)

10+ Year Member



Well, I'm already liking this forum. I go away for the weekend and I get everyone's opinion :) Gives me something to do Monday morning at work haha.

Anyway, so what you guys are saying is the "Referer" can be fraudulent? Well, why the hell would my book tell me to do it this way :P

I do have a database at my disposal, but there is only 1 user allowed into this site. No username, just a password. It's just a documentation site for a project. Basically a way to communicate usually information that isn't sensitive, but just in case I'm securing it so we could pass sensitive information. And I'm just using this for something to do. The boss doesn't come back for a week and I have finished everything that was dumped on me already. So this is just something I'm doing to pass the time :)

Thanks for all your input guys/gals. I think I'm going to stick with just the file outside of the public folder. No real advantage on look-up (only 1 pass anyway). As for the session stuff, I was looking at that in my books. What my book says for good security is to create a session and pass a variable from page to page, checking that variable on every page. Would that be a better solution compared to what I have?

3:54 pm on Jun 30, 2003 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



create a session and pass a variable from page to page, checking that variable on every page

yes, that's a really good way of doing it... BUT...
make sure register_globals is OFF in php.ini, i.e. make sure you use $_SESSION['loggedin'] not just $loggedin... otherwise i can write www.yoursite.com?loggedin=1 and get in :-)
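An added example, not code from either poster, showing the register_globals pattern this reply warns about next to the $_SESSION form it recommends, together with drdoc's earlier suggestion of a random string that changes each time a page is reached and is verified on the next page. It assumes PHP 7.1+; LOGIN_PAGE is a placeholder path.

```php
<?php
// Added example (not the posters' code). The first function is the pattern
// the reply above warns about, kept only for comparison; the rest is the
// $_SESSION form plus drdoc's per-page random string. Assumes PHP 7.1+;
// LOGIN_PAGE is a placeholder path.
const LOGIN_PAGE = '/login.php';

// Weak: with register_globals=On an uninitialised $loggedin is filled from
// the request, so ?loggedin=1 in the URL passes this check without a login.
function is_logged_in_weak(): bool {
    global $loggedin;
    return !empty($loggedin);
}

// Call once after the password has been verified.
function mark_logged_in(): void {
    session_start();
    session_regenerate_id(true);      // do not keep a pre-login session id
    $_SESSION['loggedin'] = true;
}

// Top of every page in the protected folder. Only the server-side session
// array is consulted, so nothing the client puts in the URL, POST body or
// cookie value can set 'loggedin' for it.
function require_login(): void {
    session_start();
    if (empty($_SESSION['loggedin'])) {
        header('Location: ' . LOGIN_PAGE);
        exit;
    }
}

// Per-page random string: the page that renders a link or form stores a
// fresh value in the session; the page it leads to checks and discards it.
// Call after require_login(), which has already started the session.
function issue_page_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['page_token'] = $token;  // embed in a hidden field or the link
    return $token;
}

function consume_page_token(?string $presented): bool {
    $expected = $_SESSION['page_token'] ?? null;
    unset($_SESSION['page_token']);    // single use: a replay fails
    return $expected !== null && $presented !== null
        && hash_equals($expected, $presented);
}
```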

4:08 pm on Jun 30, 2003 (gmt 0)

10+ Year Member



heh, nice try HACKER! hehe j/k.

Actually, I have written into my pages that if any args are in the URL, I reload the page stripping the args out...

Something like this:

// Redirect to the same path without a query string whenever URL arguments are present.
// ($HTTP_SERVER_VARS["argc"] is only populated when register_argc_argv is on;
// QUERY_STRING is set by every web SAPI.)
if ( !empty($_SERVER["QUERY_STRING"]) ) {
    header( "Location: " . $_SERVER["PHP_SELF"] );
    exit;
}

That way, any information I get won't be input through the URL.