Login options for CI project
#1

[eluser]veledrom[/eluser]
Hi,

It might be a general question, but I'm trying to find out if there is any difference between "ordinary form style login" and "jQuery style login" in terms of security. Do they really differ?

Only interested in the security part of opinions please. Both use the same controller+method.

Thanks in advance

ordinary forms style login

Code:
<form action="<?php echo site_url('login/do_login'); ?>" method="POST">
Username: <input type="text" name="text_username" />
Password: <input type="password" name="text_password" />

<input type="submit" value="Login" />
</form>

jQuery style login

Code:
var text_username = $('#text_username').val();
var text_password = $('#text_password').val();

$.ajax({
   type : 'POST',
   url : '<?php echo site_url('login/do_login'); ?>',
   data : 'username=' + text_username + '&password=' + text_password,
   dataType : 'json',
   success   : function(response) { ........................ } .....
#2

[eluser]InsiteFX[/eluser]
With CI you can use xss_clean on all form input values plus the CSRF cookie.
#3

[eluser]veledrom[/eluser]
[quote author="InsiteFX" date="1336473771"]With CI you can use the xss_clean on all form input values plus CSRF cookie.
[/quote]

I know all that, but the thing is, would using jQuery over a normal form change anything, or vice versa?
#4

[eluser]Stefan Hueg[/eluser]
[quote author="InsiteFX" date="1336473771"]With CI you can use the xss_clean on all form input values plus CSRF cookie.
[/quote]

No offense, but most of your posts are barely useful, if at all... As you can see from his code, he is already using CodeIgniter on the server side, so in both cases the XSS cleanup will happen if he is using the input methods. Just take it as constructive criticism.

@veledrom: In terms of security there is no difference. You should use $this->input->post() for both cases to sanitize your POST variables.

Here is an optimized version of your jQuery method:

Code:
$.ajax({
   type : 'POST',
   url : '<?php echo site_url('login/do_login'); ?>',
   data : { // as I'm using an object here, jQuery will URL-encode the values automatically
     username: $('#text_username').val(),
     password: $('#text_password').val()
   },
   dataType : 'json',
   success   : function(response) { ........................ } .....
#5

[eluser]veledrom[/eluser]
@stefan - "In terms of security there is no difference....."

Sounds like there wouldn't be any difference as long as I handle variables properly in my controller.

Just wanted to make sure because I'm new to jQuery.

Thanks
#6

[eluser]Rok Biderman[/eluser]
[quote author="Stefan Hueg" date="1336474980"]No offense, but most of your posts are barely to nothing useful...[/quote]

Smile

As much as I like you for making this comment, this time it's not exactly true. With ajax requests, you have to take into account CSRF protection, which does not fall into a category of sanitization. I think this blog post describes session riding and the fix for it quite nicely. Kudos to the author.
#7

[eluser]Unknown[/eluser]
hello

I am a newbie. In my opinion, just use the simple way of doing this and use the input class with XSS clean on the submit page, like...

$new_data = $this->input->post(NULL, TRUE);   // all POST fields, run through xss_clean
if ($new_data !== FALSE)                      // FALSE when nothing was posted
{
    $new_data['form_element']
    .........................
    .........................
}

and then insert or update with Active Record like $this->db->insert() or $this->db->update();

security comes automatically.
#8

[eluser]Stefan Hueg[/eluser]
[quote author="Coccodrillo" date="1336477501"][quote author="Stefan Hueg" date="1336474980"]No offense, but most of your posts are barely to nothing useful...[/quote]

Smile

As much as I like you for making this comment, this time it's not exactly true. With ajax requests, you have to take into account CSRF protection, which does not fall into a category of sanitization. I think this blog post describes session riding and the fix for it quite nicely. Kudos to the author.[/quote]

Thanks for the link, I was not aware of this security flaw, I may have just overlooked it. Kudos!
#9

[eluser]veledrom[/eluser]
I read about CSRF and created my own validation. Would anyone give input on the code below so I know I didn't miss anything in terms of security? Also, does it serve the purpose of CSRF logic? If you think it is useless, has a flaw or is stupid, then please tell me, because it will only help to make it better; it won't hurt me.

Thanks

VIEW

Code:
<?php echo form_open('form/form_one_submit'); ?>

<?php
$errors = validation_errors();

if ($errors != "")
{
    echo '<table width="100%" border="0px" cellspacing="0px" cellpadding="0px">';
    echo '<tr><td>' . $errors . '</td></tr>';
    echo '</table>';
    echo '<br /><br />';
}
?>

Message : <input type="text" name="text_message" value="" />
<input type="submit" name="submit_button" value="Send" />
<input type="hidden" name="hidden_form_hash" value="<?php echo $form_hash; ?>" />

<?php echo '</form>'; ?>

CONTROLLER

Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');


class Form extends CI_Controller
{

public function __construct()
{
  parent::__construct();
  
  $this->load->helper('url');
  $this->load->helper('form');
  $this->load->helper('form_hash_helper');
  
  $this->load->library('session');
  $this->load->library('form_validation');
}


/*
** ----------------------------------------------------------------------------------------
** Validate hash value coming from form submission (form_validation callback).
** Note: public controller methods are URL-routable in CodeIgniter, so this one can also be
** reached as form/validate_form_submission/<value>; prefixing the method name with an
** underscore (and using callback__validate_form_submission as the rule) keeps it off the router.
** ----------------------------------------------------------------------------------------
*/

public function validate_form_submission($incoming_hash)
{
  if (strlen($incoming_hash) != 20)
  {
   $this->form_validation->set_message('validate_form_submission', 'Your hash value is not in appropriate length.');
   return false;
  }
  
  if (form_hash('validate', $incoming_hash) === false)
  {
   $this->form_validation->set_message('validate_form_submission', 'Your hash might have been expired so please try again.');
   return false;
  }
  
  return true;
}


/*
** ----------------------------------------------------------------------------------------
** Form interface
** ----------------------------------------------------------------------------------------
*/

public function form_one()
{
  $data['form_hash'] = form_hash('get');
  
  $this->load->view('form_one_view.php', $data);
}


/*
** ----------------------------------------------------------------------------------------
** Form submission process
** ----------------------------------------------------------------------------------------
*/

public function form_one_submit()
{
  if ($this->input->post('submit_button') != 'Send')
  {
   redirect('form/form_one', true);
  }
  
  $this->form_validation->set_rules('text_message', 'Message', 'trim|required');
  $this->form_validation->set_rules('hidden_form_hash', 'Hash', 'callback_validate_form_submission');
  
  if ($this->form_validation->run() === true)
  {
   form_hash('unset');
  
   $text_message = $this->input->post('text_message', true);
  
   echo "Valid message : " . $text_message;
  }
  else
  {
   $this->form_one();
  }
}

}

/* EoF */


HELPER

Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');


/*
** ----------------------------------------------------------------------------------------
** If the salt is already set in the session then we will use it for the forms, otherwise
** generate a new one and use it. If we generated a hash per form, form validation
** would fail because the session stores one hash, and the user might open many forms at a time.
** ----------------------------------------------------------------------------------------
*/

if ( ! function_exists('form_hash'))
{
function form_hash($request, $incoming_hash = null)
{
    $CI =& get_instance();
    $ci_encryption_key = $CI->config->item('encryption_key');        // Static key from config

    if ($request == 'get')                                            // Get hash for a form
    {
        if ( ! $CI->session->userdata('form_salt'))                   // Salt not set before
        {
            $salt = substr(uniqid(mt_rand(), true), 0, 10);           // Generate dynamic salt value
            $CI->session->set_userdata('form_salt', $salt);           // Store salt in session
        }

        $salt = $CI->session->userdata('form_salt');                  // Salt from session
        return substr(sha1(md5($ci_encryption_key . $salt)), 0, 20);  // Hash value for the form
    }
    else if ($request == 'unset')                                     // Unset hash
    {
        if ($CI->session->userdata('form_salt'))                      // If the salt is set
        {
            $CI->session->unset_userdata('form_salt');                // Unset it
        }
    }
    else if ($request == 'validate')                                  // Validate hash against form input
    {
        if ( ! $CI->session->userdata('form_salt'))                   // No salt: invalidate automatically
        {
            return false;
        }

        $salt = $CI->session->userdata('form_salt');                  // Salt from session
        // Must be computed exactly as in the 'get' branch, otherwise every submission fails
        $hash = substr(sha1(md5($ci_encryption_key . $salt)), 0, 20);

        return ($hash === $incoming_hash);                            // Strict comparison
    }
    else                                                              // Anything else
    {
        redirect(site_url(), true);
    }
}
}

/* EoF */
#10

[eluser]Rok Biderman[/eluser]
I haven't looked at it in detail but this seems to incorporate everything we talked about. It looks fine to me.

As a sidenote, since you seem to be doing some kind of authentication, this is a very comprehensive reading. This is also interesting but it already seems you know a thing or two about hashing.
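As an added example (not code from this thread and not CodeIgniter's own), here is one CSRF check that covers both cases discussed in #6 and #9: the plain form sends the token in a hidden field, the jQuery call sends it in an X-CSRF-Token header, and the server accepts either against the same session token. The session is modelled as a plain array so the script runs from the CLI; in CodeIgniter the same keys would go through $this->session->userdata() / set_userdata(). It assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types); the field name csrf_token, the header name and the function names are choices made here, not framework conventions. It differs from the helper in #9 in two ways: the token is a random value stored directly in the session rather than a truncated hash of the encryption key and a salt (the hash step adds no secrecy once the salt is in the session), and the comparison is constant-time.

```php
<?php
// Added example, not from the thread or CodeIgniter: one CSRF token check that
// serves both a plain <form> POST and a jQuery $.ajax POST.
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable types). The session is
// a plain array here so the script runs from the CLI; field/header names are
// choices made for this example.

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_POST_FIELD  = 'csrf_token';
const CSRF_HEADER      = 'HTTP_X_CSRF_TOKEN';   // $_SERVER name of "X-CSRF-Token"

// Return the session's token, creating a fresh 256-bit random one if absent.
// One token per session keeps several open tabs/forms valid at the same time.
function csrf_token_get(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Drop the token so the next page load issues a new one (call after a login).
function csrf_token_rotate(array &$session): void
{
    unset($session[CSRF_SESSION_KEY]);
}

// Locate the submitted token: hidden form field first, then the AJAX header.
function csrf_token_from_request(array $post, array $server): ?string
{
    if (isset($post[CSRF_POST_FIELD]) && is_string($post[CSRF_POST_FIELD])) {
        return $post[CSRF_POST_FIELD];
    }
    if (isset($server[CSRF_HEADER]) && is_string($server[CSRF_HEADER])) {
        return $server[CSRF_HEADER];
    }
    return null;
}

// True only if the session holds a token and the submitted one matches it.
// hash_equals() is a constant-time compare; "==" leaks timing and also treats
// numeric-looking strings such as "0e123" and "0e456" as equal.
function csrf_token_validate(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session[CSRF_SESSION_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_SESSION_KEY], $submitted);
}

// Everything the view needs: a hidden field for the plain form, a <meta> tag for
// scripts, and the jQuery setup that attaches the header to every $.ajax call.
function csrf_view_fragment(string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<meta name="csrf-token" content="' . $t . '">' . "\n"
         . '<input type="hidden" name="' . CSRF_POST_FIELD . '" value="' . $t . '">' . "\n"
         . '<script>$.ajaxSetup({headers: {"X-CSRF-Token": '
         . '$("meta[name=csrf-token]").attr("content")}});</script>';
}

// --- demo with constructed requests (no real browser involved) ---------------
$session = [];
$token   = csrf_token_get($session);

echo csrf_view_fragment($token), "\n\n";

$checks = [
    'plain form'    => csrf_token_validate($session, csrf_token_from_request([CSRF_POST_FIELD => $token], [])),
    'jquery header' => csrf_token_validate($session, csrf_token_from_request([], [CSRF_HEADER => $token])),
    'forged (none)' => csrf_token_validate($session, csrf_token_from_request(['username' => 'x'], [])),
    'wrong token'   => csrf_token_validate($session, csrf_token_from_request([CSRF_POST_FIELD => str_repeat('a', 64)], [])),
];
foreach ($checks as $case => $ok) {
    printf("%-14s %s\n", $case, $ok ? 'accepted' : 'rejected');
}

csrf_token_rotate($session);   // e.g. right after a successful login
```

Run it with php csrf_demo.php; the four constructed requests come out accepted, accepted, rejected, rejected. CodeIgniter 2.x's own csrf_protection setting (the Security class) only looks for the token in the POST body under csrf_token_name, so if you rely on that instead of your own helper, the jQuery call must put the token in its data object rather than in a header.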



