Creating a secure login using sessions and cookies in PHP

15
votes

I am making a login script that I would like to be as secure as possible. Problem is, security seems to be a never ending battle. So essentially, I am looking for suggestions and improvements to my ideas.

What I have is a login based solely on sessions. Anytime the session information changes, session_regenerate_id() is called to avoid obvious hijacking attempts.

When the session is not set, I check a cookie for valid login, and on success, I update the session.

I attempt to secure the cookie by adding a hash value along with a piece of unique user information (like username or id). This hash is comprised of various information, including the username/id, undecipherable password hash, part of the IP address, etc. By extracting the username/id from the cookie, I can make a new hash from the valid user information and compare that with the hash in the cookie. My hopes here are to prevent fake cookies and cookie hijacking (unless they also spoof the IP address).

EDIT Assume that the login itself will be done via HTTPS/SSL, so the transfer is (reasonably) secure.

Am I on the right track? What else can be done to secure my login?

Thanks for the help!

5
phpsecuritysessionauthenticationcookies
phpseclib.sourceforge.netTeson
Thats actually very nice to know for future security related topics (just bookmarked!), but I am assuming that if the transfer is to be secured, then SSL will be used. I am more looking for ideas to secure the state of the login to prevent unauthorized entry via unethical means.steveo225
How about using SSL? At the end of the day, if the attacker is on the same network and is sniffing, I don't think having all those help, and SSL isn't exactly unbreakable too, but at least it's not plaintext. My 2cAndreas Wong
You shouldn't be binding the session to the IP address unless the user specifically asks you to do so.meagar♦
1. I am only binding to part of the IP address 2: Why not? (Note the hash, which contains the IP part, is done such that I cannot decipher the IP address, or any other component in the hash, therefore, I cannot use the information in any attempt to track them).steveo225

5 Answers

3
votes

There is no such thing as secure cookie UNLESS it's transmitted over SSL only. It can be mitigated some when using a persistent non-session cookie (like remember me), by doing exactly what you're doing, but not in the same way you're thinking of doing it.

You can indeed store server variables such as the user-agent, the ip address and so forth (and even JavaScript variables), but they are only good for validating that the persistent cookie data matches the client's new connection. The ip address isn't a good idea except when you know that the client (like you only) isn't going to change on every page load (a la AOL).

Modern web browsers and 3rd party services like LastPass can store login credentials that only require a key press (and sometimes not even that) to send the data to the login form. Persistent cookies are only good for those people who refuse to use what's available otherwise. In the end, persistent, non-session cookies are not really required anymore.

6
votes

Stop what you are doing. Do not check the user-agent or the ip address. The user-agent is an attacker controlled variable and checking this value does not increase the security of this system. The ip address will change for legitimate reasons, such as if a user is behind a load balancer or TOR.

A session id must always be a cryptographic nonce. In php just call session_start() and then start using the $_SESSION super global. PHP takes care of all of this for you. If you want to improve php's session handler, use the configurations. Enable use_only_cookies, cookie_httponly and cookie_secure. Also setting the entropy_file to /dev/urandom is a good idea if you are on a *nix system but if your under windows then your in trouble.

For instance to authenticate a user:

//In a header file
session_start();
...
if(check_login($_POST['user_name'],$_POST['password'])){
   //Primary key of this user
   $_SESSION['user_id']=get_user_id($_POST['user_name']);
   $_SESSION['logged_id']=True;
}

And to verify if a user is logged in:

//in a header file
session_start()
...
if(!$_SESSION['logged_id']){
   header("location: login.php");
   die();//The script will keep executing unless you die()
}

To improve this system read OWASP A9 and use HTTPS for the entire life of the session. Also read OWASP A5: CSRF aka "session riding" and OWASP A2: XSS because they can both be used to compromise a session.

1
votes

I use a cookie based method (using setcookie function) but ....

session_start();
...
if(check_login($_POST['user_name'],$_POST['password'])){
   //Primary key of this user
   $_SESSION['user_id']=get_user_id($_POST['user_name']);
   $_SESSION['logged_id']=True;
}

...these methods are wrooooong !!!!

I crack my website with an attack based on the cookie.

  1. I used cookie option of the WebCruiser vulnerability scanner, so I get my cookie after login.
  2. Then I changed a simply value on cookie
  3. Then I clicked save cookie.
  4. At this point I clicked on webbrowser see on the left panel then I clicked right then I clicked on refresh page, so I got my admin page without using the login page with user and password.

So if someone push you a virus to read the cookie history of IE or Firefox, you'll be happy to find out your admin user and pass can be used by others.

So how to fix the problem? Simple: combine the cookie with session server or session's cookie with sessions server, or session with file session, or cookie with file session.... will be secure but slow :((((

0
votes

I keep all login data in the users session, this way its all stored server side.

The only thing i would store in a client cookie is stuff like 'auto login', 'session id'

0
votes

SESSION more secure than cookie and my advise is to create a unique id for the current login attempted like :

$id = uniqid();
$_SESSION['username'.$id] = "something ...";