Reputation: 5229
Hey guys, I added this to my sign-up code:

```php
$password = mysql_real_escape_string(sha1($_POST['password']));
```

and now it inserts the password into the database while it's encrypted. But signing in doesn't seem to work anymore. Here is the login code.
```php
function checklogin($username, $password){
    global $mysqli;

    // Hash the submitted password and compare it with the stored sha1 value.
    // If the caller has already run sha1() on $password, this hashes it a
    // second time and the lookup can never match.
    $password = sha1($password);

    $result = $mysqli->prepare("SELECT * FROM users WHERE username = ? and password=?");
    $result->bind_param("ss", $username, $password);
    $result->execute();

    if($result != false){   // $result is the prepared statement handle, not the row set
        $dbArray = $result->fetch();
        if(!$dbArray){
            echo '<p class="statusmsg">The username or password you entered is incorrect, '
               . 'or you haven\'t yet activated your account. Please try again.</p><br/>'
               . '<input class="submitButton" type="button" value="Retry" '
               . 'onClick="location.href=\'login.php\'">';
            return;
        }
        $_SESSION['username'] = $username;
        if(isset($_POST['remember'])){
            // "Remember me": puts the username and the sha1 of the password into cookies
            setcookie("jmuser", $username, time()+60*60*24*356);
            setcookie("jmpass", $password, time()+60*60*24*356);
        }
        redirect();
    }
}
```
Upvotes: 0
Views: 990
Reputation: 588
You don't need the mysql_real_escape_string anywhere for this. Also, instead of storing the password in the $_COOKIE, generate a unique id/login and user-agent hash, maybe by hashing:

```php
// uniqid() and $_SERVER['HTTP_USER_AGENT'] are the actual PHP names
// (the post wrote uniqueid() and $_SERVER['user_agent']).
$key = md5(time() . uniqid() . $user_id);
$ua  = md5($_SERVER['HTTP_USER_AGENT']);
```

and store $key and $ua in your users database along with the expiry time. Also store the $user_id, $key and $ua in cookies (and session) with the expiry set accordingly.
Then, when you find a user with a cookie/session with $key/$ua set, check whether their current user agent is the same as the stored one, whether $key corresponds to the key in the DB for that user, and whether the expiration time has elapsed. (Don't trust the expiry of cookies; it can be extended manually.)
Upvotes: 0
Reputation: 20765
Don't design an authentication system if you are new to cryptography and security. This is an actual answer.
You don't log in with sha1. You don't store passwords like that. You don't authenticate like that. You don't create session keys or cookies like that.
You need to read up on best practices.
Here's a link to the RSA PKCS #5 v2.1 standard for password-based cryptography. You need to start here for an understanding of issues related to passwords.
You should read PKCS #3 or RFC2631 to understand how to set up your cookies.
You should read OWASP's information about session IDs to prevent session hijacking.
There's a wealth of tutorials on this stuff, but I understand it's hard to tell what's good information and what's bad when everyone is making their own claims. I suggest starting with these courses from Google on encryption; they may give you the background knowledge to help you reason about what's good and what's bad.
You're best off using one of the other long-existing and well tested authentication schemes.
All that being said, you're probably running the $password variable through sha1 two times.
Upvotes: 3
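The two answers above point in the same direction: hash the password in exactly one place with a purpose-built password hash instead of bare sha1, use prepared statements instead of mysql_real_escape_string, and never put the password (or its hash) in a cookie, but a random per-device token whose expiry is checked on the server. The following is an added example written for this thread, not code from the asker or either answerer. It assumes PHP 7.1 or later with pdo_sqlite; an in-memory SQLite database stands in for the asker's MySQL "users" table, and the table and column names (users.pw_hash, remember_tokens with selector/validator_hash/expires_at) are made up for the example.

```php
<?php
// Added example for the thread above, not the original poster's code.
// Assumes PHP >= 7.1 with pdo_sqlite. Table and column names are invented.
declare(strict_types=1);

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');   // stand-in for the poster's MySQL database
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    // One remember-me row per browser/device, separate from the password.
    $pdo->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, user_id INTEGER,
                validator_hash TEXT, expires_at INTEGER)');
    return $pdo;
}

// Sign-up: the password is hashed here and nowhere else, with a salted,
// deliberately slow hash (bcrypt via PASSWORD_DEFAULT). The prepared
// statement does the quoting, so no mysql_real_escape_string is needed.
function register(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $st = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $st->execute([$username, $hash]);
}

// Login: select by username only, then let password_verify() compare.
// The plain-text password goes in; neither the caller nor this function
// pre-hashes it, so the "hashed twice" mismatch from the question cannot occur.
function checklogin(PDO $pdo, string $username, string $password): ?int {
    $st = $pdo->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;   // same response for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Remember-me: the cookie value is "selector:validator", both random.
// Only a hash of the validator is stored, so a leaked table does not
// yield usable cookies. Expiry is stored server-side in expires_at.
function issueRememberToken(PDO $pdo, int $userId, int $ttlSeconds = 30 * 24 * 3600): string {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $st = $pdo->prepare('INSERT INTO remember_tokens (selector, user_id, validator_hash, expires_at)
                         VALUES (?, ?, ?, ?)');
    $st->execute([$selector, $userId, hash('sha256', $validator), time() + $ttlSeconds]);
    // Caller sets this with setcookie('remember', $value, ['httponly' => true,
    // 'secure' => true, 'samesite' => 'Lax', 'expires' => ...]) (PHP >= 7.3 options form).
    return $selector . ':' . $validator;
}

// Validation ignores the cookie's own expiry (the client controls that) and
// uses the stored expires_at instead. $now is injectable so expiry can be exercised.
function validateRememberToken(PDO $pdo, string $cookie, ?int $now = null): ?int {
    $now = $now ?? time();
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $st = $pdo->prepare('SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int) $row['expires_at'] < $now) {
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    // Constant-time comparison of the validator hash; never == or strcmp here.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Demo with constructed data.
$pdo = setupDb();
register($pdo, 'alice', 'correct horse battery staple');
var_dump(checklogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checklogin($pdo, 'alice', 'wrong password'));
$cookie = issueRememberToken($pdo, 1);
var_dump(validateRememberToken($pdo, $cookie));
var_dump(validateRememberToken($pdo, $cookie, time() + 31 * 24 * 3600));
```

The first answer's user-agent binding can be added as another column on remember_tokens and compared the same way as validator_hash; it is omitted here because browsers change their UA string on every update, so it tends to log legitimate users out rather than stop an attacker who has copied the cookie. On successful token validation, regenerate the PHP session ID (session_regenerate_id(true)) before setting $_SESSION['username'], which is the session-fixation point the OWASP session-management guidance in the second answer is about.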