Reputation: 1397
I am new to class development in PHP; however, I am still quite confused by the concept of sessions.
Question 1: Can sessions be changed by client manipulations? If not, can I set static sessions and use them without validation?
Question 2: How should I be managing my user accounts?
I do use a salt; however, a code is generated during registration and inserted into the DB, where it's used for login reference. Any corrections with explanation would be much appreciated, as well as anything about sessions being modified by the client.
```php
class user {
    private $username = '';
    private $password = '';
    private $salt = '';
    public $prefix = 'rhs_';

    function __construct () {
        $this->username = '';
        $this->password = '';
        $this->salt = '';
        session_start();
    }

    public function login ($username, $password) {
        $mysql_conn = Database::obtain();
        $username = $mysql_conn->escape($username);
        $sql = 'SELECT `password`, `salt`, `first_name`, `last_name`, `permission` FROM `accounts` WHERE `username`="'.$username.'"';
        $row = $mysql_conn->query_first($sql);
        if(!empty($row['password'])) {
            $encrypted = md5(md5($mysql_conn->escape($password)).$row['salt']);
            if ($encrypted == $row['password']) {
                $_SESSION[$this->prefix.'username'] = $username;
                $_SESSION[$this->prefix.'password'] = $password;
                $_SESSION[$this->prefix.'name'] = $row['first_name'].' '.$row['last_name'];
                $_SESSION[$this->prefix.'permission'] = $row['permission'];
                header('location: ?page=cpanel');
            } else {
                return false;
            }
        } else {
            return false;
        }
    }
}
```
Upvotes: 0
Views: 689
Reputation: 61771
I am new to class development in PHP
Even if you are an experienced programmer, making an unsafe authentication system is as easy as pie. You should be using OpenID (or systems like it, for example Facebook Connect) instead. They have security experts as employees. I created a little library you can use for this. You can see a demo at http://westerveld.name/php-openid//
Can sessions be changed by client manipulations? If not can I set static sessions and use them without validation?
It cannot be changed by clients, but a user's session could be stolen by hackers. You need to prevent session fixation => session_regenerate_id
How should I be managing my user accounts?
You probably should not do this, because the chance you make a mistake is BIG. But below are some quick tips:
I also have created a little authentication library, just for the fun of it. And I think it is pretty safe, although for example logout.php is still vulnerable to CSRF, although this is not really a big problem (and the fix is very easy).
Upvotes: 0
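The login flow this answer recommends, as an added example that is not part of the question or of either answer: it reworks the question's user::login() so that a fresh session id is issued on login (session_regenerate_id), the plaintext password is never written to $_SESSION, a bound parameter replaces escape() plus string concatenation, and password_hash()/password_verify() replace the salted double md5 (md5 is a fast general-purpose digest, not a password hash). Assumed, and not from the page: PHP 8, an already open PDO connection $pdo, and an `accounts` table with an `id` column whose `password` column holds password_hash() output; the class and method names are illustrative.

```php
<?php
// Added example, not the question's or the answers' code. Assumes PHP 8, an
// open PDO connection $pdo, and an `accounts` table with an `id` column whose
// `password` column stores password_hash() output.
declare(strict_types=1);

class User
{
    public string $prefix = 'rhs_';

    public function __construct(private PDO $pdo)
    {
        if (session_status() === PHP_SESSION_NONE) {
            // The cookie is the only thing tying a browser to its session file, so
            // keep it away from scripts (httponly), off plain HTTP (secure) and out
            // of cross-site requests (samesite).
            session_set_cookie_params([
                'httponly' => true,
                'secure'   => true,
                'samesite' => 'Lax',
            ]);
            session_start();
        }
    }

    /** Create an account. password_hash() picks a random salt and embeds it in the hash. */
    public function register(string $username, string $password, string $first, string $last): void
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO accounts (username, password, first_name, last_name, permission)
             VALUES (:u, :p, :f, :l, :perm)'
        );
        $stmt->execute([
            ':u'    => $username,
            ':p'    => password_hash($password, PASSWORD_DEFAULT),
            ':f'    => $first,
            ':l'    => $last,
            ':perm' => 'user',
        ]);
    }

    /** Returns true on success; the caller does the redirect (and must exit after it). */
    public function login(string $username, string $password): bool
    {
        // Bound parameter instead of escape() + string concatenation.
        $stmt = $this->pdo->prepare(
            'SELECT id, password, first_name, last_name, permission
             FROM accounts WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() is a constant-time check against the stored hash; it
        // replaces md5(md5($password).$salt) == $row['password'].
        if ($row === false || !password_verify($password, $row['password'])) {
            return false;
        }

        // New session id at the moment privileges change: an id an attacker planted
        // or observed before login no longer refers to this session.
        session_regenerate_id(true);

        // Keep only what later requests need; never the plaintext password.
        $_SESSION[$this->prefix . 'user_id']    = (int) $row['id'];
        $_SESSION[$this->prefix . 'name']       = $row['first_name'] . ' ' . $row['last_name'];
        $_SESSION[$this->prefix . 'permission'] = $row['permission'];

        // Transparent upgrade when the default algorithm or cost changes.
        if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
            $upd = $this->pdo->prepare('UPDATE accounts SET password = :p WHERE id = :id');
            $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
        }
        return true;
    }

    public function isLoggedIn(): bool
    {
        return isset($_SESSION[$this->prefix . 'user_id']);
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();   // removes the server-side file; the old id is now worthless
    }
}

// Usage in the page that handles the login form (assumed names):
// $user = new User($pdo);
// if ($user->login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: ?page=cpanel');
//     exit;  // without exit, the rest of the script keeps running after the redirect header
// }
```

Two details worth noting: session_regenerate_id(true) deletes the old session file rather than leaving it readable under the old id, and the redirect in the question's code needs an exit after header(), otherwise the remainder of the page is still executed and sent.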
Reputation: 52372
A session is a file on your server where variables can be written and saved. Each session file corresponds to one active visitor to your site. PHP automatically deletes files that haven't been read from or written to for ~24 minutes.
Sessions are linked to users by a cookie. When a user browses to your page where you use sessions, PHP checks to see if a specially named cookie was sent with the request, containing their session identifier. If it was, the contents of that session file are loaded into $_SESSION. Since the sessions are files on your server, your users cannot modify them.
Upvotes: 3
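The mechanism this answer describes, as an added example that is not part of the answer: a command-line PHP script that plays both browser and server for three "requests", so you can see that the client holds nothing but the session id, that the data lives in a file named after that id under session.save_path, and what session_regenerate_id(true) does to an id an attacker already knows. Everything here is assumed for illustration: the fixed hex session id, the temporary save path, and the requestWith() helper that stands in for the browser sending its PHPSESSID cookie.

```php
<?php
// Added example, not part of the answer above. Runs from the CLI; uses a
// throwaway temp directory as session.save_path so it touches nothing else.
declare(strict_types=1);

$savePath = sys_get_temp_dir() . '/sess-demo-' . getmypid();
mkdir($savePath, 0700);
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');   // CLI has no cookie jar; we present the id by hand

// Stands in for the browser sending "Cookie: PHPSESSID=<id>" with a request.
function requestWith(string $id): void
{
    session_id($id);
    session_start();
}

// Request 1: log in. State is written server-side; the client learns only the id.
$id = '0123456789abcdef0123456789abcdef';   // hand-picked so we can find the file below
requestWith($id);
$_SESSION['user_id']    = 42;
$_SESSION['permission'] = 'admin';
session_write_close();                      // flush to $savePath/sess_<id>

$file = "$savePath/sess_$id";
echo "on disk: $file\n";
echo "content: " . file_get_contents($file) . "\n";
// With the default 'php' serialize handler the file reads:
//   user_id|i:42;permission|s:5:"admin";
// Nothing in it came from the client except the name of the file.

// Request 2: the same id comes back, so PHP reloads that file into $_SESSION.
requestWith($id);
if ($_SESSION['user_id'] !== 42) {
    throw new RuntimeException('session data was not restored');
}
echo "request 2 sees user_id=" . $_SESSION['user_id'] . "\n";

// Whoever presents this id IS this user. On login (a privilege change) mint a
// new id and delete the old file, so an id captured beforehand is useless.
session_regenerate_id(true);
$newId = session_id();
session_write_close();
echo "old file removed: " . var_export(!file_exists($file), true) . "\n";
echo "new file present: " . var_export(file_exists("$savePath/sess_$newId"), true) . "\n";

// Request 3: replaying the old id yields a fresh, empty session, not ours.
requestWith($id);
echo "old id now yields: " . var_export($_SESSION, true) . "\n";   // array ()
session_destroy();

// Clean up the demo directory.
array_map('unlink', glob("$savePath/sess_*") ?: []);
rmdir($savePath);
```

The script is the reason the earlier answer insists on session_regenerate_id: the server never checks who is presenting an id, only whether a file with that name exists, so protecting the id (cookie flags, TLS, regeneration at login) is the whole of session security on the client side.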