Security Login - PDO

Viewed 551 times

0

I'm studying how login/logout works using PHP PDO.

I understood this code: https://github.com/setyongr/pdo-login-tutorial, and I'm using it as a reference.

But I have the following doubts:

  • What should I take into account to know whether the login and session are safe?

  • Of course it's important to validate and sanitize the data, but besides that, what can I do to make the system safer?

  • PDO is not a login system. It is just a database connection class; you can use the mysqli_* functions and it will be the same thing. You just need to know how to use it. See this question also: https://answall.com/questions/102445/system-de-login-com-php/102485#102485

2 answers

2

If you really care about "security", this library already has problems by itself, and others can be created by you.


Password without null filter (0x00)

The use of $hashPasswd = password_hash($password, PASSWORD_DEFAULT);, assuming that $password is a password entered by the user, as used here, is a problem.

PHP has big problems with null bytes; it always had problems with this and apparently always will. It's not from today. PHP was even vulnerable to nulls in include(), which allowed you to remove the file extension.

In the case of password_hash(), if the user enters the password 123%004567, in fact this is the same as 123: the string is cut off at 0x00.

If you want proof of this:

    <?php
    // 'a' followed by a null byte and "bcd"; only the 'a' survives the hash
    var_dump(password_verify('a', password_hash(pack('H*', '6100626364'), PASSWORD_DEFAULT)));
    // Output: bool(true)

There is no CSRF protection

I will take the logout page as an example. I can just put an <img src="https://seusite.com/logout.php"> on my website and when the user accesses it, they will be disconnected from your website.

A simple way to solve it is to create a CSRF token, a unique and unpredictable code (for the attacker), and compare it securely.

In other words:

    <?php
    // Constant-time comparison; a missing token becomes '' so hash_equals() does not fail
    if(!hash_equals($_SESSION['CSRF'], $_GET['CSRF-Token'] ?? '')){
        echo 'Token errado';
    }

The $_SESSION['CSRF'] would be generated using $_SESSION['CSRF'] = unpack('H*', random_bytes(64))[1];, and then the client should send this code so that it could log out.

The same applies to all other website operations. You can also generate a code for each activity as soon as the user accesses the website, as well as derive a specific key for each accessed page.


There may be other mistakes. An example is the absence of filters (the email can be any arbitrary string, which is not an email), and there is no confirmation that the email is real, for example.

Also the session is static (it does not use session_regenerate_id). The Bcrypt cost is the default (10, which I personally think is very low) and it does not make use of password_needs_rehash, which could be used to increase the cost of old passwords (when the user logs in).


Then comes your question:

What should I take into account to know whether the login and session are safe?

Several things, but I will mention what I consider most important:

  1. Prevent a malicious script from reading the session cookies. The PHP session uses an identification cookie (PHPSESSID); if someone has access to it, they will have access to the logged-in account.

  2. Prevent an attacker from being able to set the cookie the victim will use. Similar to what happens in "1", but now instead of the attacker reading the cookie, he makes the victim use a cookie of his choice.

  3. Stop anyone who intercepts packets on the network from seeing the information. Specifically, you should do something so that they can't obtain session identifiers, and, in the worst case, prevent the user from connecting to a fake website.

  4. Prevent an external website from abusing cookies already initiated by you; an external website should be unable to use an open session, otherwise you are exposed to a CSRF, as mentioned in the example above.

  5. The session identifier (the cookie, the PHPSESSID) must be unpredictable and strong enough to prevent someone from getting into other accounts.

Of course, also prevent the attacker from getting into the server and having access to the folder where the sessions are stored. In general, I think I covered these problems here.


Of course it's important to validate and sanitize the data, but besides that, what can I do to make the system safer?

I think I answered above. There are N things that can make the system insecure or safe; many of them may not even be in the code itself, but in the environment around it.

  • Excellent answer, thank you so much for giving me a basis for what I will need to study. Do you have any reference study material on CSRF, PHPSESSID, any site that takes a practical approach to the subject?
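The fixes listed in the answer above, put together in one place as an added example (this is not code from the question, the answer, or the referenced tutorial). It assumes PHP 7.3 or later, a PDO handle $pdo, and a hypothetical users(id, email, password) table; the cost of 12 is an assumption, chosen above the default of 10 the answer criticizes.

```php
<?php
// Added example; $pdo and the users(id, email, password) table are assumptions.
// Cookie hardening: HttpOnly keeps scripts from reading PHPSESSID (point 1),
// Secure keeps it off plaintext HTTP (point 3), SameSite limits cross-site sending (point 4).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// CSRF token: 32 random bytes, hex-encoded (64 chars), generated once per session.
function csrf_token(): string {
    if (empty($_SESSION['CSRF'])) {
        $_SESSION['CSRF'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['CSRF'];
}

// Constant-time comparison; a missing or non-string token is simply wrong, not an error.
function csrf_check($sent): bool {
    return is_string($sent) && isset($_SESSION['CSRF']) && hash_equals($_SESSION['CSRF'], $sent);
}

// Null-byte filter: reject the password instead of letting bcrypt silently truncate it.
function hash_password(string $password): string {
    if (strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('password contains a null byte');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: verify, upgrade old (cost-10) hashes via password_needs_rehash, and rotate the
// session id so a cookie pre-set by an attacker (point 2) never becomes the logged-in session.
function login(PDO $pdo, string $email, string $password): bool {
    $st = $pdo->prepare('SELECT id, password FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return false;
    }
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $pdo->prepare('UPDATE users SET password = ? WHERE id = ?')
            ->execute([hash_password($password), $row['id']]);
    }
    session_regenerate_id(true);   // discard the pre-login session id
    $_SESSION['logado'] = true;
    $_SESSION['user_id'] = $row['id'];
    return true;
}
```

In logout.php, the check from the answer becomes `if (!csrf_check($_GET['CSRF-Token'] ?? null)) { exit('Token errado'); }`, and the token printed into the logout link comes from `csrf_token()`.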

0

I use Rules: every user type in my systems has a Rule; if you are an administrator you get, e.g., Rule=0, and a normal user Rule=1, and so I check whether that user has permission to be in that location of the system, and if not I redirect to the main page. I also use:

    <?php 
        session_start();
        // empty() also covers the case where the key was never set
        if(empty($_SESSION['logado'])){
            echo "
            <script type=\"text/javascript\">
                alert(\"Entre com um Usuario Valido!\");
                location.href='login.php';
            </script>";
            // stop here so the protected page is not sent to a client that ignores the script
            exit;
        }
    ?>

  • Thanks Tulio, but taking into consideration the example I mentioned, is only this user class, which has user, email and session validation, safe? I'm finding so little; PHP frameworks seem to use various forms of security, and I wanted to understand what else I can take into account in this regard.

  • Then, taking into consideration the PDO validation that I read in the git guy's code, it is all ok, but on top of that you have to implement what was said above: encrypting the information, validating the session, etc.
