Reputation: 53
I've built a custom auth system for CodeIgniter (I know there are various 3rd party libraries available but this is for my own benefit) but I'm worried I'm missing something obvious that could bring the whole thing down.
I use CI sessions (through the database) and encrypt cookie values for a little bit of probably pointless obfuscation. Logins take place over SSL (and cookies are modified to be secure only). I also use phpass to hash passwords for storage, though that's not really relevant here. There may be a weak link in this part somewhere but my main concern is that page-to-page checks basically consist of an "if is_logged_in = true" type approach along with their username in the session. This bit concerns me as it seems a bit too 'easy'. Is this approach quite vulnerable? Should I be computing a page-by-page hash of, say, user-agent or whatever and making sure they match?
Any pointers would be most appreciated. Like I said, I'm aware of pre-existing solutions but I'm trying to learn me some learning here :)
Upvotes: 3
Views: 956
Reputation: 301
I am not familiar with phpass but check to see if it uses MD5 because if it does then it's not good enough. Use bcrypt http://www.memonic.com/user/pneff/id/1qHCT
Upvotes: 0
Reputation: 61793
P.S.: I am no security expert so I prefer using systems that are inspected by security experts: openid, facebook connect, twitter (oauth), google signin, etc.
But here is my checklist (I can think of):
$_SESSION['is_logged_in']
using this filter => $var = filter_var($_SESSION['is_logged_in'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
Again, you should do that for all input coming from the server, because they aren't safe. The best approach is to use a whitelist instead of a blacklist, because there is a chance you will miss something.
Upvotes: 2
Reputation: 21476
Everything you mentioned is good. I'm not familiar with phpass however. Make sure that when you hash the passwords, that you are using a salt.
An "if_logged_in = true" check is sufficient because session data is stored server-side. The reason for checking things such as user-agent is to help protect against session hijacking, where one person obtains another person's session ID.
Upvotes: 3
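A plain-PHP sketch of the check this answer and the previous one describe (an added example, not code from the question, from any answer, or from CodeIgniter's session library; the helper names login_user(), require_login() and ua_fingerprint() are hypothetical):

```php
<?php
// Added illustration in plain PHP sessions, not CodeIgniter's session class.

function ua_fingerprint(): string {
    // Bind the session to the client's User-Agent. This only raises the bar
    // for someone replaying a stolen session ID; it does not replace
    // HTTPS-only, HttpOnly cookies and server-side session storage.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login_user(int $userId): void {
    // Rotate the session ID on privilege change so an ID planted before
    // login (session fixation) is never promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['is_logged_in'] = true;
    $_SESSION['user_id']      = $userId;
    $_SESSION['ua_fp']        = ua_fingerprint();
}

function require_login(): bool {
    // Validate the flag as a strict boolean (the filter suggested above)
    // instead of trusting any loosely truthy value.
    $loggedIn = filter_var($_SESSION['is_logged_in'] ?? null,
                           FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    $fpMatches = isset($_SESSION['ua_fp'])
        && hash_equals($_SESSION['ua_fp'], ua_fingerprint());
    if ($loggedIn !== true || !$fpMatches) {
        // Flag missing/tampered or fingerprint mismatch: drop the session.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Cookie hardening must happen before session_start(): Secure + HttpOnly.
session_set_cookie_params(['secure' => true, 'httponly' => true,
                           'samesite' => 'Lax']);
session_start();

if (!require_login()) {
    header('Location: /login');
    exit;
}
```

A user-agent binding will log users out when their browser updates mid-session, so treat a mismatch as a forced re-login rather than as proof of an attack.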