security - PHP Authentication
Currently my authentication looks like this:
User enters username/password combination Sent to the server, the username and password are salted and hashed (md5) and checked against the database.
If correct, and the user has specified, a month long cookie is set.
If the user does not specify to set a cookie, they are automatically signed out after five minutes of inactivity.
My question is simply if I need to, and how to, make this more secure. I'm pretty fluent in PHP, but I'm not as well off in security. Any help, pointers, leads, and general assistance would be appreciated.
Just make sure you are stripping slashes from the username and password to avoid SQL Injection with mysql_escape_real_string and that should be all the security you need.
Here are some ideas:
That's all I can think of.
Sounds like you are trying to invent a new authentification. Do not do - Follow Amir's advice instead.
The salt is not secret. Send it to the client, together with a
nonce- another random value of enough entropy.
The client sends back
nonce + hash(timestamp + hash(salt + password)). The server than checks if
This would counter any replay attack.
+I denote concatenation.)