DK64 - 4 months ago
PHP Question

PHP login form safety

I have googled this pretty much since I am new to this kind of security thing, but I still have some doubts.

SITUATION

I am developing a website for a firm (mostly with PHP of course) and I need to protect all the pages. I have made a login form and I am crypting the password with md5 in the database. I had in mind to do this:


  1. Login form. If the user authenticated with the correct username and password, create a $_SESSION["logged"] = 1;

  2. Now you are logged in. In each page of the website I check if the $_SESSION["logged"] is set and has the value of 1. If yes, I display the content of the page.

In this way, if you try to open a random page in the website without logging in, I am able to show an error page (because when I check the $_SESSION["logged"] I see that it is unset/it doesn't have the value of 1).

QUESTION(s)

I have NOTHING stored in the client, I am doing everything server-side and I was wondering if this method is safe enough. I have seen around that people used this kind of approach that I thought but I have also read that they are going to encrypt the data in a session. Is that really needed?

I was also wondering: when the user (after the login) closes the website and the browser, does the session get destroyed automatically, or do I have to handle something on close by calling session_destroy();?

As I have already said, I haven't much experience in this stuff but I guess that doing everything server-side is better. I don't want to use cookies.

Answer

MD5 is absolutely not suitable for "crypting the password". Your process will be insecure and your client will be vulnerable. Look up password_hash as an absolute bare minimum.

I have NOTHING stored in the client,

Perhaps you are unfamiliar with how sessions work. There will be a cookie on the client machine. You can improve the security of this cookie by using a better-than-default session name/key generator such as whirlpool.

It is paramount for your security to use a TLS layer such as Let's Encrypt, which is a free, community-supported TLS layer and fairly secure (actually it appears to be very secure, but I can't believe that something free is so good, so I persist in withholding a little bit of judgement!).

You also NEED TO TELL PHP YOU ARE USING TLS. This is very important: you need to edit the php.ini file to tell PHP to use only HTTP and Encrypted cookies for sessions, such as with session_set_cookie_params.

Judging by your question, you really, really had better be using Prepared Statements and fully qualifying your database interactions to avoid SQL Injection and database compromise.

session_destroy is relatively worthless, stop caring about it. What you want to be using is regularly running session_regenerate_id, typically every few page loads (say 5).

Some further reading: PHP Sessions and Security.

Final Thought

As I have already said, I haven't much experience in this stuff

Then you're going to miss things and make mistakes, and the chances that your client's website is at risk from abuse or compromise are greatly increased.

Most Important Thought

  • Get a TLS certificate from a Reputable Certificate Authority. Get a server admin to help you correctly install and setup the certificate for your domain.

EDIT:

This is a good link to read.
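The points in the answer above (password_hash instead of md5, a prepared statement for the lookup, hardened session cookie flags, session_regenerate_id on login and periodically, and a per-page guard like the asker's $_SESSION check) put together in one place. This is an added example, not code from the asker or the answerer. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params with samesite), that the site is served over HTTPS, and a hypothetical users table with id, username and password_hash columns; the PDO DSN and credentials are placeholders. It goes slightly beyond the answer by also setting SameSite and session.use_strict_mode and by showing a logout that clears the client cookie.

```php
<?php
// auth.php - added example (not from the original post).
// Assumed schema: users(id, username, password_hash). Assumed PHP >= 7.3 and HTTPS.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session ID itself travels in a cookie, whatever the app keeps server-side.
    // secure: only sent over TLS; httponly: not readable by JavaScript;
    // samesite: the browser withholds it on cross-site requests (CSRF hardening).
    session_set_cookie_params([
        'lifetime' => 0,          // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

function db(): PDO
{
    // Placeholder DSN and credentials (assumption); use real, least-privileged ones.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Registration side: store a password_hash() result, never md5().
function store_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login side: prepared statement + password_verify(), then a fresh session ID.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    start_secure_session();
    session_regenerate_id(true); // new ID on privilege change; old one deleted
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// Put this at the top of every protected page (the asker's $_SESSION["logged"] check).
function require_login(): void
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Please log in.');
    }
    // Rotate the ID periodically as the answer suggests (here every 5 requests).
    $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
    if ($_SESSION['hits'] % 5 === 0) {
        session_regenerate_id(true);
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    // Expire the cookie on the client as well; destroying server data alone leaves
    // the browser holding an ID it would otherwise keep presenting.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_destroy();
}
```

Usage: a login.php handler calls login(db(), $_POST['username'] ?? '', $_POST['password'] ?? '') and redirects on true; every other page starts with require_login(). Storing the user id rather than a flag like logged = 1 lets each page know who is logged in, not only that someone is. With lifetime set to 0 the cookie goes away when the browser closes, but the server-side session file stays until garbage collection runs, which is why a logout handler that both destroys the session and expires the cookie is still worth having.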
