Synook (Newbie)
Joined: Apr 27 2007   Posts: 3
Posted: Fri Apr 27, 2007 6:53 am   Post subject: [PHP] User Authentication Methods
Hello all,
If you have any ideas for a PHP script to authenticate users, where the user data is extracted from a MySQL database table with the passwords hashed using md5(), please post it here. I need some ideas for my new CMS - PageSquid - as version 0.4 will have multiple users.
I have a method, but I am sure it is horribly insecure so I won't post it here ...
Thanks. I'm sure we will be able to come up with a solution together.
P.S. I know I could have used the Tracker on SourceForge, but it seems horribly slow to get responses.
CypherJF (I gargle nitroglycerin)
Joined: Aug 14 2003   Posts: 2582   Location: USA
Posted: Fri Apr 27, 2007 7:15 am
Best way to secure passwords would be to use a 1-way crypting algorithm; make sure you use a unique salt value.
If you do use md5, don't use it alone as it's pretty susceptible to dictionary attacks. You'd want to hash it with something (Bl#!@#<password>#%)^^%); better yet, crypt() it, then md5 the results?
_________________
Performance is often the art of cheating carefully. - James Gosling
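As an added example (not code from this thread or from PageSquid), here is what the dictionary-attack point above looks like in PHP: the unsalted md5() scheme from the question beside the per-user salt CypherJF recommends, and then the password_hash()/password_verify() API that current PHP provides for exactly this job. The wordlist and user records are constructed for the demo, and the function names are the example's own.

```php
<?php
// Added example for this thread (not PageSquid code): why md5() alone
// falls to a dictionary attack and what a unique per-user salt changes.
// The wordlist and the user records below are constructed for the demo.
declare(strict_types=1);

// Stand-in for a real dictionary: a few common passwords.
const WORDLIST = ['123456', 'password', 'letmein', 'qwerty', 'hunter2'];

// Scheme from the original question: the table stores md5($password).
function naiveHash(string $password): string
{
    return md5($password);
}

// Attack on unsalted hashes: hash the wordlist ONCE, then look every
// stored hash up in that table. Two users with the same password share
// a hash, so one lookup cracks both. Returns [username => password].
function crackUnsalted(array $stored): array
{
    $table = [];
    foreach (WORDLIST as $word) {
        $table[md5($word)] = $word;
    }
    $cracked = [];
    foreach ($stored as $user => $hash) {
        if (isset($table[$hash])) {
            $cracked[$user] = $table[$hash];
        }
    }
    return $cracked;
}

// Salted scheme: a random salt per user, stored next to the hash.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

function saltedHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// The same attack against salted records: the precomputed table is
// useless, the attacker must redo the whole wordlist for every user,
// and identical passwords no longer produce identical hashes.
function crackSalted(array $stored): array
{
    $cracked = [];
    foreach ($stored as $user => [$salt, $hash]) {
        foreach (WORDLIST as $word) {
            if (hash_equals($hash, saltedHash($word, $salt))) {
                $cracked[$user] = $word;
                break;
            }
        }
    }
    return $cracked;
}

// What current PHP should use instead of hand-rolled salting:
// password_hash() picks the salt and a deliberately slow algorithm
// (bcrypt under PASSWORD_DEFAULT), and password_verify() does the
// constant-time comparison. Each guess then costs milliseconds.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Demo with constructed users; alice and bob picked the same password.
$users = ['alice' => 'hunter2', 'bob' => 'hunter2', 'carol' => 'Tr0ub4dor&3'];

$unsalted = array_map('naiveHash', $users);
printf("unsalted: alice and bob share a hash: %s\n",
    $unsalted['alice'] === $unsalted['bob'] ? 'yes' : 'no');
print_r(crackUnsalted($unsalted));

$salted = [];
foreach ($users as $name => $pw) {
    $salt = makeSalt();
    $salted[$name] = [$salt, saltedHash($pw, $salt)];
}
printf("salted: alice and bob share a hash: %s\n",
    $salted['alice'][1] === $salted['bob'][1] ? 'yes' : 'no');
print_r(crackSalted($salted));

$stored = storePassword('hunter2');
var_dump(checkPassword('hunter2', $stored));
var_dump(checkPassword('hunter3', $stored));
```

Run as-is, crackUnsalted() recovers alice's and bob's password from a single md5 lookup table, and their two stored hashes are identical, so a leaked table is cracked wholesale. With salts the two hashes differ and crackSalted() has to walk the wordlist separately for each user; a weak password is still guessable, which is why the salt alone is not enough and password_hash() additionally makes every guess slow.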
Synook (Newbie)
Joined: Apr 27 2007   Posts: 3
Posted: Fri Apr 27, 2007 8:24 am
Uh... but what I am thinking of is a way to authenticate users as they log in, as in they enter their username and password, and click "log in". Then, how do we make sure that they are who they seem? The obvious way is to just query the database for the user's record using their username, and compare the hashed password to the one in the database. But how secure is this, and is there a better way?
k0zy (Server Help Squatter)
Joined: Jan 11 2003   Posts: 571   Location: Germany
Posted: Fri Apr 27, 2007 1:40 pm
What CypherJF said.
Also, make sure to mysql_escape_string the data the users enter and that register_globals is turned off.
Best way would probably be to fetch the password for the given user and then compare it against the entered one in php.
And make sure your error message on a failed login is "user not found or wrong password".
_________________
It's a shark! Oh my god! Unbelievable!
CypherJF (I gargle nitroglycerin)
Joined: Aug 14 2003   Posts: 2582   Location: USA
Posted: Fri Apr 27, 2007 5:12 pm
Also, don't send passwords plain-text over a MySQL query; it can easily be sniffed on a network.
Mine GO BOOM (Hunch Hunch What What)
Joined: Aug 01 2002   Posts: 3614   Location: Las Vegas
Posted: Fri Apr 27, 2007 8:42 pm
CypherJF wrote:
> Also, don't send passwords plain-text over a MySQL query; it can easily be sniffed on a network.

And HTTP is much better (he never said https anywhere)? Most MySQL connections are localhost (goes through unix socket, never touches a network) or a local networked machine, which hits through one of two switches in the datacenter. Most people who have more than one machine in a datacenter generally have their own switches and just set up their own VLAN. Thus, security here is a moot point.
A pretty secure, but lazy, salted password method would be a table with a password column of char(40), a salt column of whatever size you want, and in your select statement to validate your user, throw this into your where clause:

    SELECT *
    FROM user_table
    WHERE username = "$username"
      -- CONCAT(): in MySQL, + is numeric addition, not string concatenation
      AND password = SHA(CONCAT("$password", salt, "some random constant string"))

You don't even need to do the hashing in php. Sure, you could just return the row back, and then do the security check in php, but your SQL database can do it faster and you can cut back on what you return. The constant string is extra protection, where if someone gets your database but not your source code, it helps protect a bit more. It doesn't cost much more processor time.
As noted above, protect your user supplied strings with mysql_real_escape_string.
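Added example, not code from this thread or from PageSquid, covering both k0zy's advice above (escape the input, one generic failure message) and Mine GO BOOM's lookup query: the same login check written with PDO prepared statements instead of mysql_real_escape_string, with the comparison done in PHP via password_verify() so the plaintext password never appears in the SQL text, and with a verify against a dummy hash when the username is missing so response time does not reveal which usernames exist. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table, users and inputs are constructed for the demo and the function names are the example's own. Because password_hash() embeds its salt and cost in the stored string, no separate salt column is needed.

```php
<?php
// Added example for this thread (not PageSquid code): login check with
// prepared statements, hash comparison in PHP, and one generic failure
// message. Assumes the pdo_sqlite extension; the table, the user and the
// login attempts below are constructed for the demo.
declare(strict_types=1);

const LOGIN_FAILED = 'User not found or wrong password';

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output already carries its own salt and cost, so
    // a single column holds everything needed to verify later.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

function createUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// A hash to verify against when the username does not exist, so that a
// miss takes as long as a wrong password and the response time does not
// reveal which usernames are registered.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

// Returns the user's id on success, or null on any failure. The caller
// never learns whether the username or the password was wrong.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // A bound placeholder, not string interpolation: the input travels as
    // data, so it cannot change the meaning of the query.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = $row ? $row['password_hash'] : dummyHash();
    // password_verify() compares in constant time; the plaintext never
    // leaves the PHP process.
    $ok = password_verify($password, $storedHash);

    return ($row && $ok) ? (int) $row['id'] : null;
}

function loginMessage(PDO $db, string $username, string $password): string
{
    $id = authenticate($db, $username, $password);
    return $id === null ? LOGIN_FAILED : "Welcome, user #$id";
}

// Demo
$db = openDb();
createUser($db, 'admin', 'correct horse battery staple');

echo loginMessage($db, 'admin', 'correct horse battery staple'), "\n";
echo loginMessage($db, 'admin', 'wrong'), "\n";
echo loginMessage($db, 'nobody', 'wrong'), "\n";
// The classic injection attempt is, with a bound parameter, just a
// username that does not exist.
echo loginMessage($db, "admin' OR '1'='1", 'anything'), "\n";
```

Only the first attempt succeeds; the wrong password, the unknown user and the injection string all get the identical LOGIN_FAILED text, which is k0zy's point about the error message, and the last one shows why a bound parameter removes the need to escape the input by hand.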
CypherJF (I gargle nitroglycerin)
Joined: Aug 14 2003   Posts: 2582   Location: USA
Posted: Fri Apr 27, 2007 8:53 pm
I do like your recommendation there MGB.
Mine GO BOOM (Hunch Hunch What What)
Joined: Aug 01 2002   Posts: 3614   Location: Las Vegas
Posted: Fri Apr 27, 2007 9:13 pm
CypherJF wrote:
> I do like your recommendation there MGB.

For more generic Password Authentication information, try the SH/SC Wiki.