08-27-2005, 12:05 PM
#1
Registered User
Join Date: Apr 2005
Posts: 6
Help making a login script more secure
OK, I am helping a friend who is the leader of a clan in an online game. I am making some scripts to make life easier for him; the ones I am doing at the moment are to view applications from a database, and he can then choose accepted, failed etc.
Anyway, I have created a simple login for him which lets him gain access, but everyone else won't gain access, so what I want to know is how I can make it more secure (I don't want an overly complex way, as it's nothing that big).
Code:
<?php
header( 'HTTP/1.0 401 Unauthorized' );
header( 'WWW-Authenticate: Basic realm="Applications"' );
// start session
session_start();
// connect to the mysql server
$conn = @mysql_connect("tom", "****", "harry")
    or die ("Could not connect to mysql table");
// select the database
$rs = @mysql_select_db("tom", $conn)
    or die ("Could not select database");
// create query ($PHP_AUTH_USER / $PHP_AUTH_PW are the register_globals
// names for $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'])
$sql = "select * from adminuser where admin='$PHP_AUTH_USER' and password='$PHP_AUTH_PW'";
$rs = mysql_query($sql, $conn) or die(mysql_error());
// if ok
if ($rs && mysql_num_rows($rs)) {
    $_SESSION['username'] = $PHP_AUTH_USER;
    header("Location: appmain.php");
} else {
    echo "Incorrect Password";
}
?>
On a side note, on "admin pages", if a user tries to view one, I set it so it echoes the exact same code as the site's 404 page (to make it look like the page does not exist). Do you think that 404 trick is good?
08-27-2005, 12:51 PM
#2
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,681
You might consider reading this thread on securing your submitted passwords.
Quote:
    Do you think that 404 trick is good?
hmm.. perhaps a 410 - gone or 403 - denied will be more suitable..
The "security through obscurity" will only work for so long..
08-27-2005, 01:08 PM
#3
Registered User
Join Date: Apr 2005
Posts: 6
Quote:
    Originally Posted by redhead
    You might consider reading this thread on securing your submitted passwords.
    hmm.. perhaps a 410 - gone or 403 - denied will be more suitable..
    The "security through obscurity" will only work for so long..
That page was a bit confusing (well, some of it I understood, but it didn't really help my problem that much).
BTW
But surely a 403 error would show the file DOES exist, which I would think would make it easier for any script kiddies to try and start doing things.
PS it's not just passwords I want advice about; any small exploits that you can see and how to correct them would be great.
Last edited by superbeastie : 08-27-2005 at 01:49 PM.
08-27-2005, 02:30 PM
#4
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,681
Quote:
    But surely a 403 error would show the file DOES exist, which I would think would make it easier for any script kiddies to try and start doing things.
Then I have a question: how do you verify a login then? A user needs to access a page and verify with a valid username/password; if that user, being admin or kiddie, gets a 404 when they try to access that page, the login sequence is lost.
Or is it on the other admin pages (appmain.php) that you do this, i.e.:
PHP Code:
if (!$_SESSION['username']) {
    header( 'HTTP/1.0 404 Page Not Found' );
    exit;
}
so you would have to have logged in in order to even access the other pages.
Once you start giving other users access to view the things in your database, you need a way to determine if their action is valid due to their admin status or not; in that regard I'd rather start the design phase with implementing the handling of an invalid attempt. That being whether it's a needed functionality at this stage or not.
Quote:
    it's not just passwords I want advice about; any small exploits that you can see and how to correct them
For later use, once you start expanding, I'd place the mysql connection in a separate file or function, so you'd only need to call that when you want to fetch/add something to your database.
08-27-2005, 02:41 PM
#5
Registered User
Join Date: Apr 2005
Posts: 6
RE: the 404 thing, what I did was this:
there is a page where the admin logs in; once the admin logs in he can gain access to all the other pages. But a user who is not logged in, all he or she would see is a 404 page, so it gives the impression that that file does not exist (when in fact it does). The only page they could find would be the login page, but the rest they should not be able to find.
But basically there is only one admin on this thing who uses what I made (although I have access too in case something goes wrong). A lot of the code snippets on the internet for making passwords harder to break are IMO a bit too complex for something that is not really that BIG to worry about security as much; also I have never done anything like encrypting/password securing before, so I am a total noob who just needs to start at some simple things.
From what I have seen I should do something like this (although not EXACTLY like this):
    $key = "d89!0A";
    $scthash = md5($key);              // md5('$key') in single quotes would hash the literal text $key
    $password = "$password.$scthash";  // appends "." and the hash to the submitted password
    ...etc...
or am I going across the wrong lines completely?
08-27-2005, 03:35 PM
#6
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,681
For a simple usage, this could be an approach.
PHP Code:
$salt = "some_key_here";
$salted_passwd = md5($PHP_AUTH_PW . $salt);   // hash of the submitted password plus the fixed salt
$sql = "select * from adminuser where admin='$PHP_AUTH_USER' and password='$salted_passwd'";
that way, if your database is compromised so the lurker can figure out someone's passwd, they might be able to find something that matches the md5-sum, but they'll never find the real passwd because you salt the submitted one before you check it up against the one in the database. Which would make a compromised one double salted before you check it against the lurked one.
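An added example, not code from this thread: the same adminuser lookup with the user name bound as a query parameter (in the snippets above it is interpolated straight into the SQL string, which is one of the "small exploits" the OP asked about) and the password checked with password_verify() instead of a fixed-salt md5. It assumes PHP 7.1+ with PDO, the thread's table adminuser(admin, password) with the password column holding password_hash() output, and placeholder database credentials.

```php
<?php
// Added example, not code from the thread: the adminuser check with a bound
// parameter and password_verify(). Assumes PHP 7.1+ with PDO and a table
// adminuser(admin, password) whose password column holds password_hash() output.
session_start();

function db(): PDO {
    // Database name "tom" is the one from the thread; host and credentials are placeholders.
    $pdo = new PDO('mysql:host=localhost;dbname=tom;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
    return $pdo;
}

// New passwords are stored with password_hash($plain, PASSWORD_DEFAULT), which
// embeds a per-user random salt, so no shared $salt constant is needed.
function check_admin(PDO $pdo, string $user, string $pass): ?string {
    // The user name travels as a bound parameter, never inside the SQL text.
    $st = $pdo->prepare('SELECT admin, password FROM adminuser WHERE admin = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still run a verify against a throwaway hash so the response
    // time does not reveal whether the account exists.
    $hash = $row ? $row['password'] : password_hash('throwaway', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hash);
    return ($row && $ok) ? $row['admin'] : null;
}

// Send the Basic challenge only when credentials are missing or wrong.
function challenge(): void {
    header('WWW-Authenticate: Basic realm="Applications"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Incorrect Password');
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    challenge();
}
$admin = check_admin(db(), $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($admin === null) {
    challenge();
}
session_regenerate_id(true);          // fresh session id once authenticated
$_SESSION['username'] = $admin;       // appmain.php can gate on this, as in post #4
header('Location: appmain.php');
exit;
```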
08-28-2005, 03:40 AM
#7
Registered User
Join Date: Apr 2005
Posts: 6
Thank you, I will give that a try.
08-28-2005, 05:28 AM
#8
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,681
Just remember that the stored md5 encrypted password will have to be salted with the same key.
08-29-2005, 07:48 AM
#9
Senior Contributor
Join Date: Mar 2005
Posts: 637
here's a few code snippets from one of my PHP5 scripts.
If you understand it, it would be easy to use in PHP4 as well.
Code:
<?php
// Usage at the top of an admin-only page:
if (!Visitor::is_admin()) {
    if (Visitor::is_member()) { Report::error('You have no access', 403); }
    Report::error('no access', 401);
}

// Method from the poster's class (the rest of the class is not shown):
private function login_http()
{
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $name = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
    } elseif (substr(php_sapi_name(), 0, 3) == 'cgi' && isset($_SERVER['REMOTE_USER'])) {
        // CGI mode: the raw "Basic xxxx" Authorization header is copied into
        // REMOTE_USER by the RewriteRule below; strip "Basic " and decode.
        $a = base64_decode(substr($_SERVER['REMOTE_USER'], 6));
        if (strlen($a) > 6 && $a != ':') { list($name, $password) = explode(':', $a); }
    }
    if (!isset($name, $password)) { Report::error('no access', 401); }
    global $CONFIG;
    $member = Member::get($name, moo_hash($password, true));
    if (empty($member) || !is_array($member) || ctype_digit($name) || intval($member['user_level']) < 2) {
        // no such member or no admin account
        Report::error('no access', 401);
    }
    self::member($member, !empty($_POST['remember']));
}

class Report {
    // static, since it is always called as Report::error()
    public static function error($message, $title = 'ERROR', $redirect = false)
    {
        global $MOO, $TPL, $CONFIG, $PAGE;
        if ($redirect) { URL::refresh($redirect); }
        if ($title == 401) {
            $title = (defined('_ACCESSDENIED') ? _ACCESSDENIED : 'Access Denied');
            header('WWW-Authenticate: Basic realm="CMS"');
            header('HTTP/1.0 401 Unauthorized');
        } elseif ($title == 403) {
            // We understood the request, but we refuse to fulfill it.
            // Authorization will not help & the request SHOULD NOT be repeated.
            $title = 'Forbidden';
            header("$_SERVER[SERVER_PROTOCOL] 403 Forbidden");
        }
        # etc.
    }
}
The 'cgi' mode only works in Apache with the following in .htaccess
Code:
RewriteRule ^(.*)$ $1 [E=REMOTE_USER:%{HTTP:Authorization},L]
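An added example (not the poster's CMS code) of decoding the "Basic <base64>" value that the rewrite rule above copies into REMOTE_USER. It mirrors the base64/explode step in login_http() but passes a limit of 2 to explode(), because the password itself may contain ':' and would otherwise be cut short. It assumes PHP 7.1+; the REMOTE_USER and PHP_AUTH_* names are the ones from the post.

```php
<?php
// Added example, not the poster's CMS code: decode the "Basic <base64>" value that
// the RewriteRule copies into REMOTE_USER. Returns [name, password] or null.
// Assumes PHP 7.1+.
function parse_basic_auth(string $header): ?array {
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;                                       // not a Basic credential
    }
    $decoded = base64_decode(substr($header, 6), true);    // strict mode rejects junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit of 2: the user name may not contain ':' but the password may, so a
    // plain explode(':', $decoded) would cut such a password at its first colon.
    [$name, $password] = explode(':', $decoded, 2);
    return $name === '' ? null : [$name, $password];
}

// Same precedence as login_http(): prefer the values PHP already parsed.
function request_credentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    if (isset($server['REMOTE_USER'])) {
        return parse_basic_auth($server['REMOTE_USER']);
    }
    return null;
}

$creds = request_credentials($_SERVER);
if ($creds === null) {
    header('WWW-Authenticate: Basic realm="CMS"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
[$name, $password] = $creds;   // hand these to the member lookup
```

On some Apache setups a variable set by a rewrite rule reaches PHP as REDIRECT_REMOTE_USER rather than REMOTE_USER, so check both before concluding that no header was sent.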
Copyright © 2000-2006, Milano Interactive