PHP best practice on user authentication for a website?

Question

i built several sites with very simple code of php and so far so good, but i happens that I'm now worried about topic "security" i wonder what is the best way to create a login/authentication process in PHP

this is what I currently do:

during registration the user submit an email and a password the password will be stored, in mysql, as an md5 string, so anybody but the user knows it.

when the user login, i do

SELECT * FROM usertable WHERE email = $emailsubmitted AND pass = md5($passsubmitted)

then if the sizeof the resulting array is more then zero, it means the user exists

so I set

session_start(); 
$_SESSION['logged'] = 'true';
$_SESSION[userid] = userid;

so for everypage the user browse i'll perform a check to see if the session variable exists.

BOTTOM LINE: I wonder if this is safe enough and how it can be improved.

"Safe enough" for what? Would seem sufficient for a bulletin board. Else: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords — mario, May 03 '11 at 23:31
You should re-use an existing authentication framework whenever possible, because, really, it's complex. For example, take a look at https://github.com/delight-im/PHP-Auth which is both framework-agnostic and database-agnostic. — caw, Oct 21 '16 at 21:36

score 3 · Accepted Answer · answered May 03 '11 at 23:45

3

Your SQL statement has an injection vulnerability in it. (This is under the assumption that the "submitted" suffix means the variable hasn't had any filtering done on it.) If a malicious user were to submit 'admin@example.com' AND 1=1;-- as an email address, they could log in with the credentials of "admin@example.com", irrespective of the password. I'd suggest to secure the input to the SQL and/or use stored procedures. I'd also suggest loading only the columns that you absolutely need; it will improve the speed of the query and allow less state to be held in suspension outside of the database.

Additionally, implement salting on the password. If someone were to retrieve the user's data from the database, the passwords would be an easy target for bruteforce and dictionary attacks (like rainbow tables). If you're really paranoid, consider switching from MD5 to SHA or another hashing function.

Make sure of which variables are set in your php.ini file and that they are set to values you expect. Depending on those settings, the array assignment to $_SESSION is also insecure. Some old web applications utilized a PHP 'feature' which made variables in the query string become global variables in the web application, which meant that when it executed $_SESSION['userid'] = $userid;, if a malicious user attached ?userid=1 to their query string, they would become the user with the user ID of 1, which often was the first user (or administrator).

answered May 03 '11 at 23:45

jmkeyes

3,751
17
20

sorry, I should have been more precise, but in my form I have a JS that prevent any weird chars, then in my sql i select only the field i need. – Francesco May 04 '11 at 02:01
also i;m running avery small community about food and i;m storing only recipes so no credit cards or so... – Francesco May 04 '11 at 02:03
2

@camelCase: Using Javascript for input validation isn't secure at all: the client can just ignore the Javascript you wrote and force the submission of a form anyway. Input validation __must__ be done on the server's side and _optionally_ on the client's side. Additionally, security is significant in __any__ context, no matter what the site provides for content. Show respect for your users and don't neglect security. – jmkeyes May 04 '11 at 02:13
i see you pointed out all the bad things that can happen but i dont see the solutions you think... when you say " I'd suggest to secure the input to the SQL and/or use stored procedures" what does it mean? translated in a example? – Francesco May 04 '11 at 04:42
Well, how would you prevent someone from submitting an invalid email or password? Implement that on the server side before querying the database. For example, use `preg_match` and a regular expression to extract a valid email. I mentioned the use of stored procedures because they allow you to both factor out "business logic" from "program logic", and they can encapsulate their argument values so that anything submitted can't "escape" back into the query. – jmkeyes May 04 '11 at 04:51

score 1 · Answer 2 · answered May 03 '11 at 23:27

The general logic is ok, yes. However, A simple md5 of the password is not good.

Not salting the password leaves the hash open to rainbow table lookups.
md5 is generally not considered a good hashing mechanism for passwords. I encourage you to take a look at http://www.openwall.com/phpass/

Side-note: Your SQL appears to be open to SQL injection.

score 1 · Answer 3 · answered May 03 '11 at 23:53

On top of the previously mentioned SQL injections I would recommend that you not check if the array is greater than zero, but instead if the array is equal to one.

The reason is that let's say somebody does modify your database and just runs a simple query to clear all of the passwords or set them to a specific entry, then checking for equal to one would stop that.

Also, let's say multiple users have the same password and they somehow SQL inject the username or you forget to check the username, then once again you will be safe with checking equal to one.

Ultimately, it is a minor thing, but when it comes to security every little bit counts.

thanks, this is the kind of little tips i'm trying to collect..;) — Francesco, May 04 '11 at 01:54

score 0 · Answer 4 · answered Dec 16 '12 at 21:32

0

The first thing i note is that you apply the MD5 hash to a php variable. That makes me think the password travels clear on the channel.

You should apply the MD5 Hash client-side with js here an example:

http://phpjs.org/functions/md5/

If you want to add another layer of security you should also consider using a salt in addition to the standard hash. This will shield you from any dictyonary attack or reverse hasing (see this: http://tools.benramsey.com/md5/)

answered Dec 16 '12 at 21:32

Francesco Panina

314
4
16

Francesco Panina now in 2021 http://tools.benramsey.com/md5 not load. Other place to know the tool?, other recomendation? now in 2021 http://tools.benramsey.com/md5 not load. Other place to know the tool?, other recomendation? – VyR Apr 03 '21 at 12:29

PHP best practice on user authentication for a website?

4 Answers4