login script - tips/security
Posted by dabbler (leah), 24 October 2003
After lots of time spent on php.net, I finally got somewhere with the login script I was working on. It's not done, as it's not setting yabb cookies yet; that's the easy part, I'm not so much worried about that bit. I'm concerned about security. What should I be doing to make this as secure as possible?
My login testing page:
Any other tips on improvements?
Posted by admin (Graham Ellis), 25 October 2003
Good Morning ...
"How secure is my script?" issues relate not only to the code itself, but also to the server environment. So - first things - be careful that there isn't a backup copy of your script on your server with a different extension so that hackers can see a copy of your source, and (perhaps) move most of the PHP code into a different file that you include from a different directory off your document path. Also (if you're on a shared server) check that you have permissions restricted against other users of the same server. These first things are "back door" checks; a thief will tend to see if the back door is open before he goes to the trouble of trying to break in at the front.
Now ... the front door.
a) Your script uses global variables from the form (such as $formUser); that will work on most ISPs, and on PHP up to 4.1.2 by default. I suggest you switch to the superglobal arrays; a direct replacement would be $_REQUEST["formUser"], and the code should then work on PHP 4.1.0 and later, no matter how the configuration is set.
b) I would force the data to be accepted only through a POST and not through a GET - so use $_POST["formUser"], etc. If you accept "get" data, you are allowing users to set up a link that logs them in directly, and your script will also allow people to provide a spoof login page that would reveal the password in the location bar.
c) Again, to clean up the URL, I would suggest that you move "login" to a hidden field rather than having it as a GET parameter.
d) I'm a little concerned at the "yy" salt. Is that really what Yabb uses? If it does, it makes it much easier for anyone who can get a copy of your login files through some accidentally open security hole to run a dictionary-based attack looking for users' passwords.
Please don't be put off by the above ... you *did* ask how to make it "as secure as possible", and as it stands it looks pretty good anyway. By the way - you aren't going to echo out their encrypted password in the live system are you?
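The four "front door" points above, pulled together into one handler as an added example (this is not code from the thread, and not YaBB's own code). It assumes PHP 7.1 or later, which is far newer than anything available when the thread was written, a hypothetical getUserRecord() lookup that is filled in here with a constructed two-user table, and a form action of login.php; the user table, the passwords and the test cases are all made up for the example.

```php
<?php
// Added example: a login handler that only accepts POSTed credentials, carries
// the "login" action as a hidden field, reads from $_POST rather than from
// register_globals variables or $_REQUEST, and replaces a fixed two-character
// crypt() salt with per-user salted hashes. Assumes PHP 7.1+; getUserRecord()
// and the users in it are constructed for the example.
declare(strict_types=1);

// Constructed stand-in for the real user store. password_hash() generates a
// fresh random salt for every call, so two users with the same password still
// get different hashes; with crypt($pw, 'yy') every account shares one salt
// and a single dictionary pass would test each word against all of them.
function getUserRecord(string $user): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'leah'   => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
            'graham' => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$user] ?? null;
}

// (c) The form that feeds the handler: method="post", and the action name
// ("login") travels as a hidden field, so the URL carries no parameters.
function loginForm(): string
{
    return '<form method="post" action="login.php">' . "\n"
         . '  <input type="hidden" name="login" value="1">' . "\n"
         . '  <input type="text" name="formUser">' . "\n"
         . '  <input type="password" name="formPass">' . "\n"
         . '  <input type="submit" value="Log in">' . "\n"
         . '</form>';
}

// (b) Only a POST carrying the hidden "login" field counts as a login attempt.
// A GET (a crafted "log me in" link, or a spoof page redirecting here) is
// refused, so a password never ends up in the location bar or the access log.
function isLoginPost(array $server, array $post): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && isset($post['login'], $post['formUser'], $post['formPass'])
        && is_string($post['formUser'])
        && is_string($post['formPass']);
}

// (a) Credentials come from the $_POST array only (passed in here so the
// function can be exercised without a web server), never from a global
// $formUser and never from $_REQUEST, which would also accept GET and cookies.
// (d) The stored hash carries its own salt; it is never echoed back.
function authenticate(array $server, array $post): bool
{
    if (!isLoginPost($server, $post)) {
        return false;
    }
    $record = getUserRecord($post['formUser']);
    if ($record === null) {
        // Do a comparison anyway so an unknown user costs about the same time
        // as a wrong password; otherwise usernames can be enumerated by timing.
        password_verify($post['formPass'], password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($post['formPass'], $record['hash']);
}

// Driver with constructed requests: the same fields sent by GET are refused,
// a wrong password is refused, and only a correct POST succeeds.
$cases = [
    'GET with the same fields' => [['REQUEST_METHOD' => 'GET'],
        ['login' => '1', 'formUser' => 'leah', 'formPass' => 'correct horse']],
    'POST, wrong password'     => [['REQUEST_METHOD' => 'POST'],
        ['login' => '1', 'formUser' => 'leah', 'formPass' => 'wrong']],
    'POST, unknown user'       => [['REQUEST_METHOD' => 'POST'],
        ['login' => '1', 'formUser' => 'nobody', 'formPass' => 'anything']],
    'POST, right password'     => [['REQUEST_METHOD' => 'POST'],
        ['login' => '1', 'formUser' => 'leah', 'formPass' => 'correct horse']],
];
foreach ($cases as $label => [$server, $post]) {
    printf("%-25s -> %s\n", $label, authenticate($server, $post) ? 'logged in' : 'refused');
}
```

In a live script the two arrays passed to authenticate() would simply be $_SERVER and $_POST. The driver prints "refused" for the first three cases and "logged in" for the last; nothing it prints includes a hash or a password.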
Posted by dabbler (leah), 25 October 2003
Quote:
No no no, that was part of the original cookie setting script I had found, and it helped me with the salt and testing.
Afraid so. Maybe this will change in upcoming versions. If not, I may address it then, make some modifications.
Thank you for the great tips Graham, much appreciated.