Tips and tricks about security?
#1

[eluser]outtolunch[/eluser]
Hello guys!

I'm just doing some self-studying and I was wondering what sort of approach you take for login systems, user registrations, etc. to make it all secure?

I mean my question would be mainly about the security. What do you do to avoid attackers going through your site?

How do you protect input fields, passwords, usernames, etc....

That's the approach for the secure login?

What do you store in the session variables (if it's a successful login)? Do you encode the values you store?


Sorry, bunch of dummy questions, but I'm really interested to find out/discuss.
#2

[eluser]WanWizard[/eluser]
First of all, use the security features of CI: XSS-clean, proper form validation, and active record for escaping of database values.

For logins, I double hash the password, combined with a random salt, generated when the user record is created. This hash is stored in the users table as password. After successful login, I store the record_id of the users table, a hash, and the authentication method (my app supports multiple auth sources) in the session. I use database sessions, none of the session info is sent to the browser. I use the stored information to restore the user session at subsequent page requests, using the record_id and the hash.

Our template engine protects forms automatically by inserting a hidden field in the form with a nonce (a random hash). When the form is submitted this nonce is validated against the list of issued nonces for that user. If not valid, the post is not accepted. If valid, the nonce is stored as used, so we can use the same system to protect against double posting (e.g. after using the back button).
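The three pieces described in the post above (salted password storage, a server-side session record with only an opaque hash going to the browser, and single-use per-user form nonces) as one added example. This is not WanWizard's code or CodeIgniter's: storage is an in-memory array standing in for the users, sessions and nonces tables, the class and method names are hypothetical, and PHP's built-in `password_hash()` (which generates and embeds its own random per-user salt) is used in place of the "double hash + stored salt" scheme.

```php
<?php
// Added example, not code from the post or from CodeIgniter. All names are
// hypothetical; arrays stand in for the users/sessions/nonces tables.
declare(strict_types=1);

final class AuthStore
{
    /** @var array<int, array{username:string, password:string}> */
    private array $users = [];
    /** @var array<string, array{user_id:int, method:string}> session hash => record */
    private array $sessions = [];
    /** @var array<string, array{user_id:int, used:bool}> nonce => record */
    private array $nonces = [];

    // Registration: password_hash() draws a random salt per user and embeds it
    // in the stored string, so the salt needs no separate column.
    public function register(string $username, string $password): int
    {
        $id = count($this->users) + 1;
        $this->users[$id] = [
            'username' => $username,
            'password' => password_hash($password, PASSWORD_DEFAULT),
        ];
        return $id;
    }

    // Login: on success only an opaque random token is handed to the browser;
    // the record id and auth method stay in the server-side session store.
    public function login(string $username, string $password): ?string
    {
        foreach ($this->users as $id => $u) {
            if ($u['username'] === $username && password_verify($password, $u['password'])) {
                $token = bin2hex(random_bytes(32));
                $this->sessions[$token] = ['user_id' => $id, 'method' => 'local'];
                return $token;
            }
        }
        return null;
    }

    // Restore the user on a later request from the token alone.
    public function userForSession(string $token): ?int
    {
        return $this->sessions[$token]['user_id'] ?? null;
    }

    // Form protection: issue a nonce bound to the logged-in user ...
    public function issueNonce(int $userId): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->nonces[$nonce] = ['user_id' => $userId, 'used' => false];
        return $nonce;
    }

    // ... and accept it exactly once, for that user only. A second submit of the
    // same form (back button + resubmit, or a replayed request) is rejected.
    public function consumeNonce(int $userId, string $nonce): bool
    {
        $rec = $this->nonces[$nonce] ?? null;
        if ($rec === null || $rec['used'] || $rec['user_id'] !== $userId) {
            return false;
        }
        $this->nonces[$nonce]['used'] = true;
        return true;
    }
}

// Constructed walk-through.
$store = new AuthStore();
$alice = $store->register('alice', 'correct horse battery staple');

assert($store->login('alice', 'wrong') === null);
$sid = $store->login('alice', 'correct horse battery staple');
assert($sid !== null && $store->userForSession($sid) === $alice);

$n = $store->issueNonce($alice);
assert($store->consumeNonce($alice, $n) === true);    // first submit accepted
assert($store->consumeNonce($alice, $n) === false);   // double post / replay rejected
assert($store->consumeNonce($alice, 'forged') === false);
assert($store->consumeNonce($alice + 1, $store->issueNonce($alice)) === false); // wrong user
echo "ok\n";
```

Two things worth keeping from the post: the browser never sees the user id or the password hash, only the random session token, and a nonce is tied to the user who was issued it, so one user's nonce cannot be submitted on another's behalf. In production the `password_verify()` call should also run against a dummy hash when the username does not exist, so that response timing does not reveal which usernames are registered.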
#3

[eluser]pickupman[/eluser]
In the other forum discussion, Jelmer has a great sticky listed. Great read for beginners in CI.
#4

[eluser]outtolunch[/eluser]
Cheers, that's gonna be helpful!

One more question. So how do you send the password if the user forgets it? I mean, if it's hashed in the database, you're not sending a hash, are you?

Do you somehow recover that password? Or you send a new one, when the user types in his e-mail address?

Thanks,

K.
#5

[eluser]pickupman[/eluser]
You generate a new random password ([url="http://www.php.net/manual/en/function.rand.php#90773"]rand()[/url]), deactivate the account (optional), send the email with the new random password, save the new hashed random password to user record. When a user logs in with the temporary password, reactivate the account, and prompt for new password (optional).
#6

[eluser]WanWizard[/eluser]
I used to do that, but I don't anymore, since I don't think it's wise to send a userid, password and sitename (i.e. an open invitation) via plain text email. It can be intercepted and misused.

When a user requests a new password, I send out an email with a URL containing a unique hash. When the user clicks on the link, some safety questions are asked, and if answered correctly, I log the user in and redirect him to the user control panel so the password can be changed. The hash becomes invalid after use or after the user logs in (which basically means he found his password again, or someone else tried to get the password by asking for a new one).
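The reset flow described in the post above, as an added example (not WanWizard's code): a one-time, expiring link is mailed instead of a new password, only a keyed hash of the token is kept server-side, the token is burned on first use, and a normal login drops any pending reset. The class name, the 15-minute lifetime, the server key and the `example.invalid` URL are hypothetical; an in-memory array stands in for the reset table. Generating the token with `random_bytes()` rather than `rand()` is a deliberate substitution, since `rand()` is not a cryptographic generator.

```php
<?php
// Added example, not code from the post. Names, lifetime and URL are
// hypothetical; an array stands in for the password-reset table.
declare(strict_types=1);

final class PasswordReset
{
    private const TTL_SECONDS = 900;   // hypothetical 15-minute link lifetime

    /** @var array<int, array{token_hash:string, expires:int}> keyed by user id */
    private array $pending = [];

    public function __construct(private string $serverKey) {}

    // Step 1: the user submits an e-mail address. Draw a fresh random token,
    // store only its keyed hash plus an expiry, and return the URL to mail.
    // Issuing again replaces any earlier link for that user.
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->pending[$userId] = [
            'token_hash' => hash_hmac('sha256', $token, $this->serverKey),
            'expires'    => $now + self::TTL_SECONDS,
        ];
        return "https://example.invalid/reset?uid={$userId}&t={$token}";
    }

    // Step 2: the link is followed. Accept only an unexpired token for that
    // user, compare in constant time, and burn it immediately so it cannot be
    // reused. The safety questions and forced password change come after this.
    public function redeem(int $userId, string $token, int $now): bool
    {
        $rec = $this->pending[$userId] ?? null;
        if ($rec === null || $now > $rec['expires']) {
            unset($this->pending[$userId]);      // stale record is useless anyway
            return false;
        }
        $given = hash_hmac('sha256', $token, $this->serverKey);
        if (!hash_equals($rec['token_hash'], $given)) {
            return false;                        // wrong token; rate-limit this path elsewhere
        }
        unset($this->pending[$userId]);          // single use
        return true;
    }

    // A successful normal login means the user found their password again (or
    // someone else requested the reset); either way the pending link dies.
    public function onSuccessfulLogin(int $userId): void
    {
        unset($this->pending[$userId]);
    }

    // Helper for the walk-through: pull the token back out of the mailed URL.
    public static function tokenFromUrl(string $url): string
    {
        parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
        return (string) ($q['t'] ?? '');
    }
}

// Constructed walk-through.
$reset = new PasswordReset('constructed-server-key');
$now   = 1_700_000_000;
$bob   = 42;

$token = PasswordReset::tokenFromUrl($reset->issue($bob, $now));
assert($reset->redeem($bob, 'not-the-token', $now) === false);   // guess rejected, link still live
assert($reset->redeem($bob, $token, $now + 60) === true);        // real link works once ...
assert($reset->redeem($bob, $token, $now + 61) === false);       // ... and not twice

$token2 = PasswordReset::tokenFromUrl($reset->issue($bob, $now));
assert($reset->redeem($bob, $token2, $now + 901) === false);     // expired

$token3 = PasswordReset::tokenFromUrl($reset->issue($bob, $now));
$reset->onSuccessfulLogin($bob);
assert($reset->redeem($bob, $token3, $now) === false);           // invalidated by a normal login
echo "ok\n";
```

Storing the HMAC of the token rather than the token itself means a read of the reset table (SQL injection, a leaked backup) does not yield working links, and `hash_equals()` keeps the comparison from leaking how many leading bytes of a guess were right.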
#7

[eluser]outtolunch[/eluser]
Cheers guys! I'm looking into it :)
#8

[eluser]falkencreative[/eluser]
@pickupman - Thanks for the link to the sticky -- definitely worth reading.
#9

[eluser]steelaz[/eluser]
Here's another read about handling passwords with PHP - http://php-security.org/2010/05/26/mops-...passwords/
#10

[eluser]Leon Stafford[/eluser]
+1 for not sending passwords in emails. Passwords should not be user-rememberable anyway... Send them a secure, once-off, limited time link to access the site and generate a new password. It's the usual compromise between security and ease of use.



