security - PHP Authentication


Currently my authentication looks like this:

User enters username/password combination Sent to the server, the username and password are salted and hashed (md5) and checked against the database.

If correct, and the user has specified, a month long cookie is set.

If the user does not specify to set a cookie, they are automatically signed out after five minutes of inactivity.

My question is simply if I need to, and how to, make this more secure. I'm pretty fluent in PHP, but I'm not as well off in security. Any help, pointers, leads, and general assistance would be appreciated.

Thanks. :)




Just make sure you are stripping slashes from the username and password to avoid SQL Injection with mysql_escape_real_string and that should be all the security you need.




Here are some ideas:

  1. Most important is to use SSL. Password is sent over clear text which means anybody can see it.
  2. What is the cookie you are setting? Can I copy that cookie and then be authorized as you? Maybe think about creating a random token and set that
  3. Are you protecting against cross site forgery and cross site scripting?

That's all I can think of.




Sounds like you are trying to invent a new authentification. Do not do - Follow Amir's advice instead.

But if you want to tweak the crypto by all means, here is an idea with Javascript:

The salt is not secret. Send it to the client, together with anonce - another random value of enough entropy.

The client sends backnonce + hash(timestamp + hash(salt + password)). The server than checks ifnonce is recent.

This would counter any replay attack.

(By+ I denote concatenation.)

People are also looking for solutions to the problem: php - jquery autocomplete: works for first value, how to enable it for next?


Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.