
I am recoding my main website from scratch while leaving the back-end database intact (as much as I can), but I am considering changing the procedures for logging in and for storing the logged-in data in the cookie, to make for a more secure website. This could cause potential inconveniences both in the coding and in the user experience as a whole.

For those that don’t know, a normal log-in process using PHP would require a database with the following table layout:

ID  Username    Password
1   Shaun       d77816afe83c90b2e9bf476a5bb81b65
2   James       e7fd9675932fdb7e2e0ed1860613f615
3   Hung_Daddy  8332189037ebe7b280743783345c6f5c

The long string in the password column would not be the person’s real password, but an MD5 hash of what they originally registered with. There is no way to reverse this type of hash (MD5), and it is deemed secure by a majority of web developers.

When you submit your username and password at a normal log-in box, the username would usually be transmitted in plain text and the password would be hashed with MD5 and then compared to the values in the database. For example, I submit my username as “Shaun” and my password as “pen1s”. The MySQL query would be something along the lines of:

"SELECT * FROM users WHERE strtolower(`Username`)=strtolower('Shaun') AND strtolower(`Password`)=strtolower('d77816afe83c90b2e9bf476a5bb81b65') LIMIT 1"

The strtolower() function (strtolower() is the PHP name; inside MySQL itself the equivalent is LOWER()) is just to ensure ‘Shaun’, ‘ShAun’ and ‘SHAUN’ are submitted and checked as ‘shaun’ – the database value “Shaun” will be compared as lowercase too. Without strtoupper() or strtolower(), Shaun and SHAUN would return different results when logging in – this is merely a way to avoid annoying the user.

We have submitted the query – if a user matches the submitted credentials, the script is notified and they are either logged in or asked to provide alternative credentials. In our case, the script would set a piece of uniquely identifiable information (like the number 1 for Shaun, to identify me uniquely) into a cookie and the user would be logged in.
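The log-in flow described above, written out as an added example (this is not code from the original post). It keeps the post’s `users` table, its `ID`, `Username` and `Password` columns and its md5() password column, but fetches the row by username with a prepared statement and compares the hash in PHP with hash_equals() instead of building the WHERE clause from submitted strings. The connection DSN and credentials are placeholders.

```php
<?php
// Added example: the post's log-in check with a prepared statement and a
// constant-time hash comparison. Table/column names are the post's; the DSN,
// database user and password below are placeholders to be replaced.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
        'EXAMPLE_USER',
        'EXAMPLE_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

/**
 * Returns the user's ID when the credentials match, or null otherwise.
 * The Password column holds md5() hashes as in the post's table; with a
 * password_hash() column this becomes password_verify($password, $row['Password']).
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Case-insensitive username match, which is what the post's strtolower() is for.
    $stmt = $pdo->prepare(
        'SELECT `ID`, `Password` FROM `users` WHERE LOWER(`Username`) = LOWER(?) LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown username
    }

    // md5() returns lowercase hex; lowercase the stored value so the lengths and
    // alphabets line up, then compare without leaking where the strings differ.
    $submitted = md5($password);
    if (!hash_equals(strtolower((string) $row['Password']), $submitted)) {
        return null; // wrong password
    }
    return (int) $row['ID'];
}

// Usage, as for a submitted log-in form.
$pdo = connect();
$id  = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($id === null) {
    http_response_code(401);
    echo 'Invalid username or password';
} else {
    // The post stores the numeric ID in a cookie at this point; HttpOnly keeps
    // it away from page scripts, SameSite limits cross-site sends.
    setcookie('user', (string) $id, ['httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
    echo "Logged in as user #$id";
}
```

Fetching by username and checking the hash in PHP gives the same answer as the post’s three-way WHERE clause, but the submitted values never reach the SQL text, and the comparison takes the same time whether the first or the last hex digit differs.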

But is there a safer way to authenticate a user? Duncan and I spoke about having a third check in place with improved cookie security.

What if the database looked like this?

ID  Username    Password                          User_Pass
1   Shaun       d77816afe83c90b2e9bf476a5bb81b65  718226f49c7089353023f08d06d99a8c
2   James       e7fd9675932fdb7e2e0ed1860613f615  7c622f59ad0770353713379180ab9ecb
3   Hung_Daddy  8332189037ebe7b280743783345c6f5c  de1f0d9c65a844e56536e0305c0a3b43

(Sorry about the blog width)

Here the User_Pass column is an MD5 hash of the username and password joined together, like this: “Shaunpen1s”.

This would be a significant security improvement over the previous method: the script could hash the password, then hash the User_Pass (built from what the user submitted), then run this query:

"SELECT * FROM users WHERE strtolower(`Username`)=strtolower('Shaun') AND strtolower(`Password`)=strtolower('d77816afe83c90b2e9bf476a5bb81b65') AND strtolower(`User_Pass`)=strtolower('718226f49c7089353023f08d06d99a8c') LIMIT 1"

This would mean a third layer of security, where nothing IDENTIFIABLE is stored in the cookie. The “User_Pass” value could be stored in the cookie to tell that user apart from other users, and because no username and password combination could EVER be the same, the hash could never be the same either. A user could not open the cookie and simply modify their user ID (e.g. from 3 to 1) to become another user or an administrator, because the only visible information would be the User_Pass hash, and there is NO WAY they would be able to change this hash into anything verifiable unless they knew the user/pass combination – and if that were the case, why would they be messing with the cookie?
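One thing a practitioner would want to weigh against the User_Pass cookie above: that value is derived from the username and password, so it is the same on every log-in and stays valid until the user changes their password; if the cookie is ever read out, it is as good as the credentials for as long as they last. The added example below (my code, not the post’s) keeps the post’s property that nothing identifiable sits in the cookie, but uses a random per-log-in token that the server can expire or delete. It assumes a `sessions` table with columns `Token_Hash` (CHAR(64)), `User_ID` (INT) and `Expires` (INT, a Unix timestamp); this table is not in the post.

```php
<?php
// Added example (not from the post): random session tokens in place of the
// credential-derived User_Pass cookie. Assumes a `sessions` table
// (Token_Hash CHAR(64), User_ID INT, Expires INT) that the post does not have;
// the PDO connection is created by the caller.
declare(strict_types=1);

const SESSION_LIFETIME = 86400; // one day, chosen for the example

/** Issue a session for a user who has already passed the password check. */
function issue_session(PDO $pdo, int $userId): string
{
    // 32 bytes from the OS CSPRNG, hex-encoded so the value is cookie-safe.
    $token = bin2hex(random_bytes(32));

    // Store only a hash of the token: a read-only leak of the table then
    // does not yield values that work as cookies.
    $stmt = $pdo->prepare(
        'INSERT INTO `sessions` (`Token_Hash`, `User_ID`, `Expires`) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + SESSION_LIFETIME]);

    setcookie('session', $token, [
        'expires'  => time() + SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    return $token;
}

/** Return the user ID behind the session cookie, or null if missing, unknown or expired. */
function user_from_cookie(PDO $pdo): ?int
{
    $token = $_COOKIE['session'] ?? '';
    // Anything that is not 64 hex characters was not issued here; reject before touching the DB.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT `User_ID` FROM `sessions` WHERE `Token_Hash` = ? AND `Expires` > ? LIMIT 1'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

/** Log out: remove the server-side record so a copied cookie value stops working too. */
function revoke_session(PDO $pdo, string $token): void
{
    $stmt = $pdo->prepare('DELETE FROM `sessions` WHERE `Token_Hash` = ?');
    $stmt->execute([hash('sha256', $token)]);
    setcookie('session', '', ['expires' => time() - 3600, 'path' => '/']);
}

// Usage after a successful password check (user ID 1 is the post's "Shaun"):
// $token = issue_session($pdo, 1);
// ... on a later request:
// $who = user_from_cookie($pdo);   // 1 while the session is live, null after revoke_session() or expiry
```

Like the post’s User_Pass design, the cookie holds nothing a user can edit into another account, and a guessed value has to match a 256-bit random token rather than a username/password pair. Unlike it, logging out or a password change can invalidate every outstanding cookie by deleting rows, without the hash of the credentials ever leaving the server.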

This seems like a lot of information for such a small issue, but isn’t the integrity of the data stored, and the protection of that data, more important than the data itself?

I’d like to know people’s opinions on the above proposal, and any objections or problems that could arise with this system.

No Responses to “TBT4: Log in and authentication with cookies”
