PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Post new topic Reply to topic  [ 40 posts ]  Go to page 1, 2, 3  Next
PostPosted: Sat Apr 14, 2012 6:37 pm
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA


Attachments:
File comment: This .zip file contains supporting example script files and a PDF of the above tutorial.
login.zip [150.49 KiB]
Downloaded 5429 times
PostPosted: Fri May 11, 2012 8:30 am
Forum Newbie

Joined: Thu May 10, 2012 9:11 pm
Posts: 2
Dear friend,

Nice post! Last week I asked my PHP teacher about mysqli, but she does not know it.

So, I have got some issues when making the verification for protected pages.

Your article mentioned this example code:

// Tutorial's check (quoted): if any single test fails, the session is ended.
// $salt is defined elsewhere in the tutorial's configuration.
if (!isset($_SESSION['user_id']) || !isset($_SESSION['signature']) || !isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != true || $_SESSION['signature'] != md5($_SESSION['user_id'] . $_SERVER['HTTP_USER_AGENT'] . $salt))
{
    session_destroy();                 // discard the session data
    header("Location: mainlogin.php"); // send the visitor back to the login page
    exit();                            // stop execution so nothing below runs
}
 


My question is about the logical operator "||". I can only get this working with the "&&" logical operator.

Example:
// Poster's variant: with "&&", every test must fail before the session is destroyed.
if (!isset($_SESSION['user_id']) && !isset($_SESSION['authenticated']) && $_SESSION['authenticated'] != true && $_SESSION['signature'] != md5($_SESSION['user_id'] . $_SERVER['HTTP_USER_AGENT'] . $salt))
{
    session_destroy();
    header("Location: mainlogin.php");
    exit();
}
 

Best regards and thanks a lot for a nice post.


PostPosted: Fri May 11, 2012 8:41 am
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Yes, you can have it working with && as well; my personal reason for opting to use || (OR) is because even if only one condition is 'incorrect' the authentication process has failed and a user has to be logged in. The snippet of code you have says that all conditions have to be met before authentication is invalid, i.e. user_id is not set AND authenticated is not set AND authenticated is not equal to true AND... (etc).

The idea is still the same, but I would rather have the authentication fail as easily as possible so any attempt to break it has to be made as difficult as possible.

I'm glad you found the tutorial useful :)
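To see the difference in practice, here is an added example (not code from the tutorial or from either poster) that wraps the tutorial's check and the "&&" variant from the question in two functions and runs both on constructed session arrays; SALT, the function names and the user agent value are assumptions, and the signature comparison uses hash_equals() with a strict comparison for loggedIn.

```php
<?php
// Added example, not the tutorial's code: the tutorial's session check as a
// function, beside the "&&" variant from the question, so both can be run on
// constructed session arrays. SALT, the function names and the user agent
// string are assumptions; the fingerprint scheme is the page's md5() one.
declare(strict_types=1);

const SALT = 'constructed-placeholder-salt';

function signatureFor(string $userId, string $userAgent): string
{
    return md5($userId . $userAgent . SALT);
}

// Fail-closed ("||"): any one missing or wrong element rejects the session.
function sessionValidOr(array $s, string $ua): bool
{
    if (!isset($s['user_id']) || !isset($s['signature']) || !isset($s['loggedIn'])
        || $s['loggedIn'] !== true
        || !hash_equals(signatureFor((string) $s['user_id'], $ua), (string) $s['signature'])) {
        return false; // the tutorial calls session_destroy() and redirects here
    }
    return true;
}

// Fail-open ("&&"): the session is rejected only when every test fails.
function sessionValidAnd(array $s, string $ua): bool
{
    if (!isset($s['user_id']) && !isset($s['signature']) && !isset($s['loggedIn'])
        && ($s['loggedIn'] ?? null) !== true
        && ($s['signature'] ?? '') !== signatureFor((string) ($s['user_id'] ?? ''), $ua)) {
        return false;
    }
    return true;
}

$ua   = 'Mozilla/5.0 (constructed user agent)';
$good = ['user_id' => 42, 'loggedIn' => true, 'signature' => signatureFor('42', $ua)];
// Constructed mismatch: user_id no longer agrees with the stored signature.
$bad  = ['user_id' => 7,  'loggedIn' => true, 'signature' => signatureFor('42', $ua)];
// Constructed partial session: only user_id is present.
$half = ['user_id' => 42];

foreach (['good' => $good, 'mismatch' => $bad, 'partial' => $half] as $name => $session) {
    printf("%-8s  ||: %-7s  &&: %s\n", $name,
        sessionValidOr($session, $ua)  ? 'valid' : 'invalid',
        sessionValidAnd($session, $ua) ? 'valid' : 'invalid');
}
```

Only the "||" function rejects the mismatched and partial sessions; with "&&" the presence of user_id alone is enough to pass, which is the point made in the reply above.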


PostPosted: Fri May 11, 2012 9:36 am
Forum Newbie

Joined: Thu May 10, 2012 9:11 pm
Posts: 2
Hello!
It seems I have some incorrect condition, I think.

I've got the verify session script working only in this way:

<?php
// Session check as the poster got it working; session_start() is assumed to
// have been called by the including script.
if (!isset($_SESSION['user_id']) || ($_SESSION['authenticated']) != TRUE || !isset($_SESSION['signature']))
{
    session_destroy();
    header("Location: mainlogin.php");
    exit();
}
?>

Thanks again for this useful article.


PostPosted: Mon Jun 04, 2012 4:15 pm
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
Never knew the md5 hashing algorithm could be so easily compromised; the reasons mentioned now make me wary of md5.
I thought it was an established standard for storing passwords.

I have used md5 on a live website of mine. Now what do I do for the existing list?

In fact I am using md5 on a current under-development project; I will change it.
But I really don't know what to do about my already live website.

SESSION['signature'] is a great idea that I heard of for the first time; I will definitely try to use it.

About security issues like session fixation attacks, session hijacking etc. mentioned above: thanks for the excellent link, especially the PDF link.


PostPosted: Tue Jun 05, 2012 12:44 am
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Live24x7 wrote:
> I have used md5 on a live website of mine. Now what do i do for the existing list
> ?
You can't do much for existing passwords (if this is what you are referring to); they will have to be re-entered by the user if you want them to enjoy the use of the new hash algorithm.


PostPosted: Tue Jun 05, 2012 11:38 am
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Disclaimer: I have limited experience with user login security issues. That said, I think the appropriate action to take for an existing site using MD5 hashing would depend on how critical the security issues are on that particular site. If it is non-critical (say, a game site), I wouldn't recommend changing it. If it involves financial or deeply personal data, you could add a new password column in your user database for the bcrypt hash, then announce a security improvement program to your users: they will be redirected to a page where they can set a new password for their account (which you would hash into the new column), but after some date, perhaps several months away, accounts not changed will be inactivated, requiring them to set the new password. In the meantime, your authentication process could first check to see if a new password exists and if so, use it to authenticate, otherwise use the old password, during the transition period. After some period of time, any remaining accounts without the new password could just be deleted, since they would likely be abandoned.


PostPosted: Tue Jun 05, 2012 11:43 am
DevNet Resident

Joined: Sat Jun 01, 2002 10:16 am
Posts: 1136
Location: San Diego CA
Or you could do it in a more transparent fashion. Set a "flag" in the database to indicate whether or not the encryption has been changed. Use the flag to determine which method is current whenever they log in. Users should be changing passwords periodically anyway, so encourage them to do so, and if md5 is still in use when they change their password, change it at that time and reset the flag.
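As an added example (not code from the tutorial or from either of the two posts above), this sketch implements the flag-based transparent upgrade they describe: verify against whichever scheme the flag selects and, after a successful login with the legacy md5, store a bcrypt hash via password_hash() and flip the flag. The column names, the in-memory user table and the passwords are constructed assumptions.

```php
<?php
// Added example, not the tutorial's code: the transparent md5 -> bcrypt
// upgrade described in the posts above, done at login time. The column
// names, the in-memory "table" and the passwords are constructed assumptions.
declare(strict_types=1);

$users = [
    // legacy account: only the old md5 is stored, flag says "not upgraded"
    'alice' => ['password_md5' => md5('correct horse'), 'password_hash' => null, 'hash_upgraded' => 0],
    // account already on bcrypt
    'bob'   => ['password_md5' => null, 'password_hash' => password_hash('battery staple', PASSWORD_BCRYPT), 'hash_upgraded' => 1],
];

// Verifies a password against whichever scheme the flag selects and, on a
// correct legacy password, replaces the md5 with bcrypt and flips the flag.
function loginAndUpgrade(array &$row, string $password): bool
{
    if ($row['hash_upgraded'] === 1) {
        if (!password_verify($password, $row['password_hash'])) {
            return false;
        }
        // keep the bcrypt hash current if the default cost ever changes
        if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT)) {
            $row['password_hash'] = password_hash($password, PASSWORD_BCRYPT);
        }
        return true;
    }
    // legacy path: constant-time compare of the md5, then upgrade in place
    if (!hash_equals($row['password_md5'], md5($password))) {
        return false;
    }
    $row['password_hash'] = password_hash($password, PASSWORD_BCRYPT);
    $row['password_md5']  = null; // the weak hash is dropped once replaced
    $row['hash_upgraded'] = 1;    // the flag now says "md5 no longer in use"
    return true;
}

// Constructed login attempts: a wrong password must not trigger the upgrade.
foreach ([['alice', 'wrong password'], ['alice', 'correct horse'], ['bob', 'battery staple']] as [$name, $pw]) {
    $ok = loginAndUpgrade($users[$name], $pw);
    printf("%s: %s, hash_upgraded=%d\n", $name, $ok ? 'login ok' : 'rejected', $users[$name]['hash_upgraded']);
}
```

In a real deployment the row update is a database write; the flag lets you report how many accounts are still on md5 and decide when the legacy column can be dropped.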


PostPosted: Tue Jun 05, 2012 12:28 pm
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
WHAT?? Users should be changing passwords periodically?? What a radical idea! (Come on, tell me the truth, Bill, do YOU change yours periodically?--I'll be honest, I only do it when I'm forced to.)


PostPosted: Wed Jun 06, 2012 11:02 am
DevNet Resident

Joined: Sat Jun 01, 2002 10:16 am
Posts: 1136
Location: San Diego CA
I was speaking theoretically. You should hear the language I use when some furshluginner bank makes me change my password. It would make you proud to have been in the same Navy with the Submarine Service.


PostPosted: Wed Jun 06, 2012 11:18 am
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Actually I AM proud to have been in the same Navy as you silent and deep guys! GO NAVY!


PostPosted: Wed Aug 15, 2012 4:05 am
Forum Newbie

Joined: Wed Aug 15, 2012 3:16 am
Posts: 2
Though still a novice in PHP, I found this tutorial very useful and it is opening a way for me to become a good PHP programmer. Thanks a lot to the author.


PostPosted: Fri Aug 23, 2013 2:16 am
Forum Newbie

Joined: Thu Aug 22, 2013 1:56 am
Posts: 15
Very good tutorial for mysqli; this is my weak point.


PostPosted: Wed Nov 13, 2013 5:05 pm
Forum Newbie

Joined: Tue Nov 12, 2013 10:40 pm
Posts: 2
How would you log the user out using a "logout" link?
Or how would you say "Hello, USER!" but, instead of USER, use the username that matches the id created?


PostPosted: Wed Nov 13, 2013 6:23 pm
Forum Newbie

Joined: Tue Nov 12, 2013 10:40 pm
Posts: 2
I think I got it, but I just want to make sure... everything seems to be working fine. The logout page is what I'm not so sure of..

The logout link leads to the "mysite.poo/logout/" page, where the code below is in an index.php:
<?php
// Logout page. session_start() must run before $_SESSION is read or cleared;
// in the posted version it sat inside the condition, so the check ran against
// a session that had not been started. A logout should also end the session
// unconditionally, and exit() stops the script after the redirect header.
session_start();
$_SESSION = [];        // clear the session variables
session_unset();
session_destroy();     // discard the server-side session data
header("Location: http://mysite.poo/Login/");
exit();
?>

