
I have googled this pretty much since I am new to this kind of security thing, but I still have some doubts.


SITUATION

I am developing a website for a firm (mostly with PHP of course) and I need to protect all the pages. I have made a login form and I am crypting the password with md5 in the database. I had in mind to do this:

  1. Login form. If the user authenticated with the correct username and password, create a $_SESSION["logged"] = 1;
  2. Now you are logged. In each page of the website I check if the $_SESSION["logged"] is set and has the value of 1. If yes, I display the content of the page.

In this way, if you try to open a random page in the website without logging in, I am able to show an error page (because when I check $_SESSION["logged"] I see that it is unset or doesn't have the value of 1).


QUESTION(s)

I have NOTHING stored in the client, I am doing everything server-side and I was wondering if this method is safe enough. I have seen around that people used this kind of approach that I thought but I have also read that they are going to encrypt the data in a session. Is that really needed?

I was also wondering: when the user (after the login) closes the website and the browser, does the session get destroyed automatically, or do I have to handle something on close by calling session_destroy();?

As I have already said, I haven't much experience in this stuff but I guess that doing everything server-side is better. I don't want to use cookies.

Alberto Miola
    md5 is a very weak hash. Better use PHP's `password_verify()` and `password_hash()` functions. – Philipp Jul 26 '16 at 08:52
  • And do not forget to salt your password to prevent precalculated hash attacks – 0xAffe Jul 26 '16 at 09:34
  • 1
    Adding to what @Philipp said: ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 26 '16 at 12:35
  • 1
    @0xAffe if the OP will use PHP's functions there is a random salt created for each hash. – Jay Blanchard Jul 26 '16 at 12:36

4 Answers

3

MD5 is absolutely not suitable for "crypting the password". Your process will be insecure and your client will be vulnerable. Look up password_hash as an absolute bare minimum.

I have NOTHING stored in the client,

Perhaps you are unfamiliar with how sessions work. There will be a cookie on the client machine. You can improve your security of this cookie by using a better-than-default session name/key generator such as whirlpool.

Your security will be paramount to use a TLS layer such as Let's Encrypt, which is a free, community-supported TLS layer and fairly secure (actually it appears to be very secure, but I can't believe that something free is so good, so I persist in withholding a little bit of judgement!)

You also NEED TO TELL PHP YOU ARE USING TLS. This is very important and you need to edit the php.ini file to tell PHP to use only HTTP and Encrypted cookies for sessions, such as with session_set_cookie_params.

Judging by your question you really, really better be using Prepared Statements and fully qualifying your database interactions to avoid SQL Injection and database compromise.

Session_destroy is relatively worthless, stop caring about it. What you want to be using is regularly running session_regenerate_id typically every few page loads (say 5).

Some further reading: PHP Sessions and Security.

Final Thought

As I have already said, I haven't much experience in this stuff

Then you're going to miss things, make mistakes, and the chances that your client's website is at risk from abuse or compromise are greatly increased.

Most Important Thought

  • Get a TLS certificate from a Reputable Certificate Authority. Get a server admin to help you correctly install and setup the certificate for your domain.

EDIT:

This is a good link to read.

Martin
  • Yes, I am already using PDO and I bind every param, that is not a problem. I just wanted to know how I could improve my session – Alberto Miola Jul 26 '16 at 08:57
  • The problem with security is that it's such a wide topic and there is a lot of reading involved; having the best security involves understanding the *type* of threat you're up against. Read the links in my answer, they're all pretty helpful. Lots to read through but should give you a good understanding of Session afterwards. Good luck `:-)` @DK64 – Martin Jul 26 '16 at 09:00
  • @DK64 The link at the bottom of my answer is a good link about session security. That's well worth taking in. – Martin Jul 26 '16 at 09:05
  • Thank you! I need to gain experience with this and I am reading your links, they are very interesting! I am going to implement that session_regenerate_id that looks very good ;) – Alberto Miola Jul 26 '16 at 09:07
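Pulling the thread's advice together (password_hash instead of md5, prepared statements, a Secure/HttpOnly session cookie, session_regenerate_id after login, and a per-page gate), here is an added example in PHP. It is not code from the question or from any answer; it assumes a PDO connection in $pdo, a hypothetical table `users(id, username, password_hash)`, and PHP 7.3 or newer for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the question or the answers.
// Assumes: $pdo is an open PDO connection, and a table
//   users(id INT, username VARCHAR, password_hash VARCHAR)   (hypothetical)
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // A session DOES store something on the client: the session id cookie.
    // Make that cookie TLS-only and invisible to JavaScript.
    session_set_cookie_params([
        'lifetime' => 0,       // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable via document.cookie
        'samesite' => 'Lax',   // not sent on most cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_start();
}

// Registration: store password_hash() output, never md5/sha1 of the password.
// PASSWORD_DEFAULT is bcrypt today and generates a random salt by itself.
function register_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: bound parameters against SQL injection, password_verify() against the
// stored hash, then a fresh session id so a pre-login id cannot be reused.
function login(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throw-away hash when the user is unknown, so the
    // response time does not reveal whether the username exists.
    $stored = $row['password_hash'] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $stored)) {
        return false;
    }

    // Transparently upgrade hashes when the default cost/algorithm changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    session_regenerate_id(true);        // new id, old one deleted
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['logged']  = 1;
    return true;
}

// First line of every protected page.
function require_login(): void
{
    start_secure_session();
    if (($_SESSION['logged'] ?? 0) !== 1) {
        http_response_code(403);
        exit('Please log in.');
    }
}
```

Two things the comments touch on are visible here: password_hash() adds its own random salt, so nothing has to be salted by hand, and the password is passed to password_hash()/password_verify() unmodified, with no escaping or trimming beforehand.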
1

Whatever you are doing looks correct to me. Answers to your questions:

  • The server side method of managing session is safe. You can leave your session unencrypted as you are only storing the status of logged in user inside it.
  • When the user closes the website, you will not get any event on your server. To close the session, you should:
    • Call session_destroy(); on logout action
    • Set a shorter session timeout, so that the session will be automatically destroyed after a specified time of inactivity
  • Doing everything at the server side is better in the case of session

A tip on using MD5:

  • It's not safe to use MD5 to encrypt passwords as it is not a strong encryption algorithm. Use mcrypt or another PHP method instead.
  • Thanks! In fact, I was thinking that I could force the user to log out so that I can call session_destroy(); – Alberto Miola Jul 26 '16 at 08:50
  • Javascript onBeforeUnload or onUnload events can be handled to detect if the user is navigating away from your webpage and you can ask him to log out. But this is one of the worst practices to follow :) – wanjarisushil Jul 26 '16 at 08:54
  • It is not that md5 isn't strong enough (it isn't though), but it's the fact MD5 is far too fast! – Martin Jul 26 '16 at 09:09
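The two server-side measures this answer recommends, destroying the session on an explicit logout and expiring it after a period of inactivity, can be implemented as below. This is an added example, not the answer's own code; the 15-minute limit is a constructed value, and the functions expect session_start() to have been called already.

```php
<?php
// Added example, not from the question or the answers.
// Assumes session_start() has already run on the page.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60;   // constructed value: 15 minutes without a request

// Full logout: clear server-side data, expire the client's session cookie,
// and delete the session file. Closing the browser never triggers this,
// because the server receives no event when a tab or window closes.
function logout(): void
{
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Overwrite the session cookie with an already-expired one.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();
}

// Inactivity check for every protected page. Returns false (and logs the user
// out) when the last request is older than $idleLimit seconds. $now is passed
// in rather than read from time() so the logic can be exercised with fixed values.
function touch_session(int $now, int $idleLimit = IDLE_TIMEOUT_SECONDS): bool
{
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && ($now - $last) > $idleLimit) {
        logout();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Typical use at the top of a protected page:
//   session_start();
//   if (!touch_session(time())) { header('Location: /login.php'); exit; }
// and in logout.php:
//   session_start(); logout(); header('Location: /login.php'); exit;
```

Setting session.gc_maxlifetime in php.ini is the complementary server-side knob, but PHP's garbage collector runs only probabilistically (session.gc_probability / session.gc_divisor), so an explicit last_activity check like the one above is what actually enforces the timeout on each request.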
0

Well, I would recommend you to save your user id in the session. Why? You may need to get info about the user, and then using this session you can get all info related to your user. You should use session_destroy() in your logout page, if you have one. As you see, when you close your website, which is made with sessions, and open it again, you need to log in again. So you don't need to use session_destroy (and actually can't). I don't really know why you should encrypt session info, so sorry. I heard that it's possible to take a session, but I don't know much about it, sorry :/ You may find some info here: "Can session value be hacked?"

Danielius
0

First of all: It's 2016, don't use MD5 for password encryption as it's not secure.

It would be better to use at least SHA1, and better would be SHA256 or higher encryption for your passwords. If you want to make it more secure, SHA256 would be a good start.

Consider using a TLS certificate... Let's Encrypt is free and is good enough for most websites.

Post your code and maybe someone will be able to help you in the right direction.

Good luck!

jagb
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 26 '16 at 12:36
  • Yes, that's true, it's best to use PHP's built-in functions to encrypt passwords; however SHA256, SHA512, RipeMD, WHIRLPOOL etc. are still widely used by a lot of websites, even some very large websites still use them for password encryption, so maybe that's the reason why they get hacked every now and then ;) – jagb Jul 26 '16 at 17:46