security - PHP Authentication

734

Currently my authentication looks like this:

User enters username/password combination Sent to the server, the username and password are salted and hashed (md5) and checked against the database.

If correct, and the user has specified, a month long cookie is set.

If the user does not specify to set a cookie, they are automatically signed out after five minutes of inactivity.

My question is simply if I need to, and how to, make this more secure. I'm pretty fluent in PHP, but I'm not as well off in security. Any help, pointers, leads, and general assistance would be appreciated.

Thanks. :)

458

Answer

Solution:

Just make sure you are stripping slashes from the username and password to avoid SQL Injection with mysql_escape_real_string and that should be all the security you need.

783

Answer

Solution:

Here are some ideas:

Most important is to use SSL. Password is sent over clear text which means anybody can see it.
What is the cookie you are setting? Can I copy that cookie and then be authorized as you? Maybe think about creating a random token and set that
Are you protecting against cross site forgery and cross site scripting?

That's all I can think of.

396

Answer

Solution:

Sounds like you are trying to invent a new authentification. Do not do - Follow Amir's advice instead.

But if you want to tweak the crypto by all means, here is an idea with Javascript:

The salt is not secret. Send it to the client, together with anonce - another random value of enough entropy.

The client sends backnonce + hash(timestamp + hash(salt + password)). The server than checks ifnonce is recent.

This would counter any replay attack.

(By+ I denote concatenation.)

People are also looking for solutions to the problem: php - jquery autocomplete: works for first value, how to enable it for next?

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question