Non-Subspace Related Coding - [PHP] User Authentication Methods

Synook - Fri Apr 27, 2007 6:53 am
Post subject: [PHP] User Authentication Methods
Hello all,

If you have any ideas for a PHP script to authenticate users, where the user data is extracted from a MySQL database table with the passwords hashed using md5(), please post it here. I need some ideas for my new CMS - PageSquid - as version 0.4 will have multiple users.

I have a method, but I am sure it is horribly insecure, so I won't post it here...

Thanks. I'm sure we will be able to come up with a solution together.

P.S. I know I could have used the Tracker on SourceForge, but it seems horribly slow to get responses.
CypherJF - Fri Apr 27, 2007 7:15 am
Post subject:
Best way to secure passwords would be to use a 1-way crypting algorithm; make sure you use a unique salt value.

If you do use md5, don't use it alone as it's pretty susceptible to dictionary attacks. You'd want to hash it with something (Bl#!@#<password>#%)^^%); better yet, crypt() it, then md5 the results?
Synook - Fri Apr 27, 2007 8:24 am
Post subject:
Uh... but what I am thinking of is a way to authenticate users as they log in, as in they enter their username and password, and click "log in". Then, how do we make sure that they are who they seem? The obvious way is to just query the database for the user's record using their username, and compare the hashed password to the one in the database. But how secure is this, and is there a better way?
k0zy - Fri Apr 27, 2007 1:40 pm
Post subject:
What CypherJF said.

Also, make sure to mysql_escape_string the data the users enter and that register_globals is turned off.

Best way would probably be to fetch the password for the given user and then compare it against the entered one in php.

And make sure your error message on a failed login is "user not found or wrong password".
CypherJF - Fri Apr 27, 2007 5:12 pm
Post subject:
Also, don't send passwords plain-text over a MySQL query; it can easily be sniffed on a network.
Mine GO BOOM - Fri Apr 27, 2007 8:42 pm
Post subject:
CypherJF wrote:
Also, don't send passwords plain-text over a MySQL query; it can easily be sniffed on a network.

And HTTP is much better (he never said https anywhere)? Most MySQL connections are localhost (goes through unix socket, never touches a network) or a local networked machine, which hits through one of two switches in the datacenter. Most people who have more than one machine in a datacenter generally have their own switches and just set up their own VLAN. Thus, security here is a moot point.

A pretty secure, but lazy, salted password method would be a table with a password column of char(40), a salt column of whatever size you want, and in your select statement to validate your user, throw this into your where clause:
Code:
SELECT *
FROM user_table
WHERE username = "$username"
AND password = SHA1(CONCAT("$password", salt, "some random constant string"))

You don't even need to do the hashing in php. Sure, you could just return the row back, and then do the security check in php, but your SQL database can do it faster and you can cut back on what you return. The constant string is extra protection, where if someone gets your database but not your source code, it helps protect a bit more. It doesn't cost much more processor time.

As noted above, protect your user supplied strings with mysql_real_escape_string.
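The salt-plus-constant scheme above, as an added Python/sqlite3 example rather than the thread's PHP/MySQL code (this is not from the original post): the hash is computed in the application, as k0zy suggested, instead of inside the SQL, the lookup is parameterized (the role mysql_real_escape_string plays in PHP), and both failure cases return the same message as k0zy advised. The constant string, table layout and user record are constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3

# The "some random constant string" from the thread: lives in application
# source only, never in the database. Constructed placeholder value.
SITE_CONSTANT = "constructed-example-constant"
# One message for both unknown user and wrong password.
LOGIN_FAILED = "user not found or wrong password"


def hash_password(password, salt):
    """sha1(password + salt + constant), same ordering as the thread's SQL;
    the 40-char hex digest matches the char(40) column suggested above."""
    return hashlib.sha1((password + salt + SITE_CONSTANT).encode()).hexdigest()


def create_user(conn, username, password):
    salt = secrets.token_hex(8)  # per-user random salt
    conn.execute(
        "INSERT INTO user_table (username, salt, password) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def authenticate(conn, username, password):
    # Parameterized query: the driver quotes the username, so user input
    # never becomes part of the SQL text.
    row = conn.execute(
        "SELECT salt, password FROM user_table WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return (False, LOGIN_FAILED)
    salt, stored = row
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return (True, "ok")
    return (False, LOGIN_FAILED)


def demo_db():
    """In-memory table with one constructed user, for trying the flow."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (username TEXT PRIMARY KEY, salt TEXT, password CHAR(40))"
    )
    create_user(conn, "synook", "correct horse")
    return conn
```

The hash construction mirrors the thread's SQL; on current PHP the same login flow would call password_hash() and password_verify() instead of building a SHA1 of password, salt and constant by hand.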
CypherJF - Fri Apr 27, 2007 8:53 pm
Post subject:
I do like your recommendation there MGB.
Mine GO BOOM - Fri Apr 27, 2007 9:13 pm
Post subject:
CypherJF wrote:
I do like your recommendation there MGB.

For more generic Password Authentication information, try SH/SC Wiki.