Can someone give me some security tips for my site?

[CavemanUK]

Hi Guys,

Im strictly a hobbyist with php and mysql development and have made a site for a bit of fun for my bosses company. Its a private site for us to store a few jobs and things. Its written completely by me and as its written using PHP5 and MySQL.

Ive done my best to make it as secure as possible but im sure there are better ways of handling sessions and logging in etc...

basically, i have a login page that displays a form asking for username and password. This submits using "post" to a php script that checks that against the database for a valid user.

If the number results is 1 then it sets a session variable like so..

$_SESSION['db_is_logged_in'] = true;

This is then checked on every other page in the site. If $_SESSION['db_is_logged_in'] is found as not true, the user is redirected back to the login page.

I have noticed on occasion that the site will just revert back to the login page. This is especially true when logging in via mobile devices.

I've had a bit of a read and a suggested alternative is to save a cookie with a random session id variable and to have any specific session data saved to the database. is this a better way of doing things? im assuming this way would be susceptible to being sniffed if i was to access the site from a public hotspot?

I would be gratefull for anybody elses thoughts on security/authentication and best practices.

Thanks

 

[angelwatt]

Here's some resources from my own reference list of helpfulness. Happy reading.

Sites:

• PHP Security: http://phpsec.org/
• PHP Security: http://phpsecurity.org/
• http://www.serversidemagazine.com/php/php-security-measures-against-csrf-attacks
• PHP Login System w/ Admin Features, http://www.evolt.org/node/60384
• http://www-128.ibm.com/developerworks/opensource/library/os-php-encrypt/?ca=dgr-lnxw97PHP-encrypt - PHP Encryption for the Common Man
• http://net.tutsplus.com/videos/screencasts/how-to-build-a-login-system-for-a-simple-website/
• http://www.evolt.org/article/PHP_Login_System_with_Admin_Features/17/60384/index.html
• http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
• http://hungred.com/useful-information/php-better-hashing-password/

Books:

• Essential PHP Security (2005, Chris Shiflett)
• Pro PHP Security (2005, Chris Snyder and Michael Southwell)
• php|architect's Guide to PHP Security (2005, Ilia Alshanetsky and Rasmus Lerdorf)
• The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (2007, Dafydd Stuttard and Marcus Pinto)
• Apache Security (2005, Ivan Ristic)
• PHP Security & Cracking Puzzles (2006, Maxim Kuznetsov and Igor Simdyanov)
• Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (2008, Paco Hope and Ben Walther)

 

[CavemanUK]

Hi, Thanks for the links.. I'm gonna start reading through them now... Im curious about peoples personal preferences and why?

Here's some resources from my own reference list of helpfulness. Happy reading.

Sites:

• PHP Security: http://phpsec.org/
• PHP Security: http://phpsecurity.org/
• http://www.serversidemagazine.com/php/php-security-measures-against-csrf-attacks
• PHP Login System w/ Admin Features, http://www.evolt.org/node/60384
• http://www-128.ibm.com/developerworks/opensource/library/os-php-encrypt/?ca=dgr-lnxw97PHP-encrypt - PHP Encryption for the Common Man
• http://net.tutsplus.com/videos/screencasts/how-to-build-a-login-system-for-a-simple-website/
• http://www.evolt.org/article/PHP_Login_System_with_Admin_Features/17/60384/index.html
• http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
• http://hungred.com/useful-information/php-better-hashing-password/

Books:

• Essential PHP Security (2005, Chris Shiflett)
• Pro PHP Security (2005, Chris Snyder and Michael Southwell)
• php|architect's Guide to PHP Security (2005, Ilia Alshanetsky and Rasmus Lerdorf)
• The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (2007, Dafydd Stuttard and Marcus Pinto)
• Apache Security (2005, Ivan Ristic)
• PHP Security & Cracking Puzzles (2006, Maxim Kuznetsov and Igor Simdyanov)
• Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (2008, Paco Hope and Ben Walther)

 

[web_god61]

your system is not recommended as it leaves you vulnerable to [session hijacking]<-- google it, if using sessions you'd want to check against a second piece of data like an ip address.

I also hope your hashing your passwords in the database, minimum use md5() personally I usa sha1() + salt but the important thing is that the passwords aren't stored in plain text.

The only sure way I know of to protect against being sniffed is to use ssl which can really slow down your website, so using ssl depends on what your protecting and how likely you are to being attacked.

The reason you'd use a cookie is to create a persistent logon, meaning to keep the user logged in for a set duration of time regardless if they close the browser window (sessions die when the window is closed).

heres a quick start guide i like to use http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/

You seem to understand the concept of check the authentication on each page which is good, if you modify your method a little you'll be good to go.