PHP Security of login application

Hey all of you PHP geeks, and hack开发者_如何学编程ers, if some of you listen ;o) I'm creating a login system, for some upcoming site, which a lot of people will be using, I'm sure - or at least I hope so :)

• So, my question is: WHEN is my login system and stuff like that secure enough? Is it ever gonna be "secure enough"?

I got form validation, where I check, what's send to the database. My passwords are md5 hashed. And people are told to create strong passwords.

• Are there something called: "Secure enough"?
  • I'm thinking: All the big sites like facebook and stuff like that, must be having more then this? Is it something that I need? And if so, how?

Some links and stuff like that, would be nice. Thanks in forward :o)

Security is a never-ending process. Your code will never be "secure enough." You should apply all of the security techniques you know, and learn those you don't. Then stay current, monitor your logs, and update your code as necessary.

In general, a login system is a bad place to reinvent the wheel. There are plenty of commonly-used systems available that have been checked and rechecked by many eyes, and are probably more secure than any you or I will be able to write ourselves. This is a good opportunity to take advantage of the "wisdom of the masses" and use a well-tested third-party system.

If you're worried about security, you shouldn't use md5 hashes to store your passwords. Md5 is designed to be fast, meaning that if a hacker gets your hashes, they can be cracked quickly. You should use something like bcrypt for storing passwords.

http://codahale.com/how-to-safely-store-a-password/

You have all kinds of security vulnerabilities:

• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Session attacks
• Using nonsecured connection (non-HTTPS)
• Passwords in plaintext/weak encrypting
• Weak passwords

I recommend you to look them all up and choose a framework for developing web applications that already resolves all or most of these issues for you automatically.

BTW: md5 is not safe anymore, I recommend you to use hash_hmac('sha256', $password, $salt) which also takes care of salting.

It's kinda ironic how I found this after reading over my own question.

Having written a couple of login libraries myself, heres the advice I can give:

1. Validate form input (server side), to prevent XSS (cross site scripting), CSS injection, & SQL injecttion
   • for correct length
   • ctype
   • If ctype is not alpha numeric add slashes
   • Add html entities to prevent XSS, if HTML is imperitive use an HTML filter
   • Use a password strength API to ensure decent passwords
2. Hash the passwords, and don't forget the salt! Also MD5 is weak, use SHA-256
3. Log the IPs incase anything goes wrong
4. Make backups of your SQL databases

With all that said I still suggest you use openID or a php library/class.

On my latest little website, I hope I somewhat avoid some level of complexity with security by using openid, instead of fully implementing my own auth system. Thus, I don't really store passwords.

I believe MD5 in considered weak, but I'm not convinced that really matters - if you can keep your hashes safe - by using openid, I took that component out of the equation for me. Granted, if openid gets owned, then, yeah, obviously that's a problem too.

Still, you want to do a fair bit of input filtering. Do what you can to limit the input you do take in, make sure you're running on a fully patched server (check in often) and be sure you're running processes that can't access things they don't strictly need access to. So, for example, if your web service runs as root, well, then you deserve to have your server turned in to a palace of pr0n.

Just some thoughts - granted, I'm not exactly a security guy.