开发者

PHP Authentication

开发者 https://www.devze.com 2023-01-31 07:52 出处:网络
Currently my authentication looks like this: User enters username/password combination Sent to the server, the username and password are salted and hashed (md5) and checked against the database.

Currently my authentication looks like this:

User enters username/password combination Sent to the server, the username and password are salted and hashed (md5) and checked against the database.

If correct, and the user has specified, a month long cookie is set.

If the user does not specify to set a cookie, they are automatically signed out after five minutes of inactivity.

My question is simply if I need to, and how to, make this more secure. I'm pretty flu开发者_JAVA技巧ent in PHP, but I'm not as well off in security. Any help, pointers, leads, and general assistance would be appreciated.

Thanks. :)


Just make sure you are stripping slashes from the username and password to avoid SQL Injection with mysql_escape_real_string and that should be all the security you need.


Here are some ideas:

  1. Most important is to use SSL. Password is sent over clear text which means anybody can see it.
  2. What is the cookie you are setting? Can I copy that cookie and then be authorized as you? Maybe think about creating a random token and set that
  3. Are you protecting against cross site forgery and cross site scripting?

That's all I can think of.


Sounds like you are trying to invent a new authentification. Do not do - Follow Amir's advice instead.

But if you want to tweak the crypto by all means, here is an idea with Javascript:

The salt is not secret. Send it to the client, together with a nonce - another random value of enough entropy.

The client sends back nonce + hash(timestamp + hash(salt + password)). The server than checks if nonce is recent.

This would counter any replay attack.

(By + I denote concatenation.)

0

精彩评论

暂无评论...
验证码 换一张
取 消