Nov 21, 2009

Extremely Secure Authentication System


OpaQue
Today, I was thinking of experimenting with authentication tricks in PHP. I just came up with this thing.

Firstly, validate the username and password against the database. Once that is done, in order to track the user (the main place where most hackers get successful),

we can set 2 cookies.

1> Member ID
2> MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT )

Any hacker who tries to obtain the session ID or even tries to set up a fake cookie with the ID will have to take additional pain to determine the IP address of the target. Not only that, he will have to even fake the User-Agent, which has details of OS and browser. SALT can be anything; it's just there for added security, so that a member who comes to know about this trick should not be able to generate his own MD5 key.

FOR ADDED SECURITY, we can make use of the SESSION ID and use it to validate the cookie. Then the data in the cookie would be:

MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT and SESSION-ID )

and the SESSION can contain the member information bit.

What do you think?

[This concept can be used with PHP / JSP / ASP or any other scripting language]


jipman
[offtopic]
Guess what.... I use almost the same thing for authentication on my site, but I use GET variables instead of cookies, but that's only because of my laziness.
[/offtopic]

But aren't you forgetting about passwords?

MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT )

Do you mean this anyway?

MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT and PASSWORD)

I think it's quite hackable though. IPs are easy, just look at this forum, or emailing would do too; the username is also quite guessable or is displayed somewhere else on the site, and user-agents are also not really unique or untraceable. So basically all you need to brute-force is a salt and password. I doubt this is secure enough for really important stuff, but I do think it's good enough for scripts that don't require top-notch security (like my site).

Note: you could also store the MD5 of the password instead of just the password. Since a lot of people use the same passwords for a lot of things, at least if they get hacked on one site they won't risk being hacked on everything. So you would get this:

MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT and MD5(PASSWORD))


vizskywalker
This is going to make me sound like a neb, but what do you mean by
QUOTE
In order to track the user (the main place where most hackers get successful)
Does this mean that most hackers get in by simply creating a cookie on their home computer so that they don't have to spoof the login script?

And I thought cookies and sessions were two different things? So jip, could you please explain what exactly a Session ID is there; would it be creating a PHP session and cookies?

Also, as far as MD5ing the password, it would be better to store the password in the database as an MD5 hash; otherwise, all someone has to do to find out the password is get viewing privileges on the database.

~Viz


Trekkie101
That's sort of like the new SMF 1.1 login system, apart from it using SHA-1.

Basically, it hashes the password using lowercase letters and then mixes it with the salt, which changes daily IIRC, so the password hash looks different every day; even if you broke the hash once, the salt would change and the password in the DB would be updated to use the new salt. And it comes with a really big and weird script to do all that.


OpaQue
You guys are not understanding my point here.

If you use the password, then every access to the script will require one more query to the database. Here the question is about speed too.

The password thing is verified at the time of login. Once logged in, in order to track him and keep him logged in, we use this. If we had to use the password, then every check would require another extra query.

Here, we have "REMOTE_IP and USER-AGENT and Member ID, Session ID and SALT".

Now, the remote IP takes time. I mean, he has to work on it to spoof it.
2nd, user-agents: the hacker has to guess what user-agent the original person is using. Again, that's difficult.

Member ID can be obtained from the other Cookie or session Data.

Session ID is unique again.

Salt can be a very long MD5 string, or maybe MD5(md5(salt)).

Then you combine all these things and you create the MD5(all the above). This value is going to be stored in the cookie, which will be returned every time the user surfs your site, here and there. You can check whether it's him or not by using all those parameters.

I don't understand how putting in the password is going to make it any more secure, because the Member ID is unique there. The rest of the things belong only to the user.

If a hacker wants to hack, the only way he can get quite successful is if he uses the same computer. Even in that case, the PHP session ID should be the same, which will be another tough thing to break.

The hacker cannot get the data (member ID) in the session variable, as it is stored on the server and not on the client PC.

Comments and Ideas Welcome.

I just want to think of any other possibilities for validating members and keeping them logged securely.
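
An added example, not code posted by anyone in this thread: the two-cookie scheme from the opening post and the per-request check OpaQue describes above, written as small PHP functions so the behaviour can be exercised from the command line. The function names, the SITE_SALT constant, the field separator, the use of hash_equals() for the comparison, and all sample values (IP, user-agent strings, username) are my assumptions or constructed data; the thread itself only specifies the MD5 over IP, User-Agent, username, salt and session ID. In a real request, $sessionId would come from session_id() after session_start(), and it would be regenerated at each login with session_regenerate_id(), which is what makes the "session ID changes every login" behaviour in the thread hold.

```php
<?php
declare(strict_types=1);

// Server-side secret: a constructed placeholder. A real value would be long,
// random, stored outside the web root, and never sent to the client.
const SITE_SALT = 'constructed-placeholder-salt-replace-with-random-bytes';

/**
 * Second cookie: MD5 over the inputs named in the thread (remote IP,
 * user-agent, username, salt, session ID). A separator is used so that
 * adjacent fields cannot run into each other.
 */
function makeTrackingToken(
    string $remoteIp,
    string $userAgent,
    string $username,
    string $sessionId,
    string $salt = SITE_SALT
): string {
    return md5(implode('|', [$remoteIp, $userAgent, $username, $salt, $sessionId]));
}

/**
 * Per-request check: recompute the token from the current request and compare
 * it with what the browser sent back. No database query is needed here.
 * hash_equals() compares in constant time (an addition beyond the thread).
 */
function verifyTrackingToken(
    string $cookieToken,
    string $remoteIp,
    string $userAgent,
    string $username,
    string $sessionId,
    string $salt = SITE_SALT
): bool {
    $expected = makeTrackingToken($remoteIp, $userAgent, $username, $sessionId, $salt);
    return hash_equals($expected, $cookieToken);
}

/** Login time: set the two cookies (member ID, token). HttpOnly keeps them away from page scripts. */
function issueCookies(int $memberId, string $token): void
{
    setcookie('member_id', (string) $memberId, 0, '/', '', false, true);
    setcookie('auth_token', $token, 0, '/', '', false, true);
}

/**
 * Request-time glue: take the inputs from PHP's superglobals. The username
 * and session ID are the server-side values, not anything the client sent.
 */
function currentRequestValid(string $username, string $sessionId): bool
{
    if (!isset($_COOKIE['auth_token'], $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'])) {
        return false;
    }
    return verifyTrackingToken(
        $_COOKIE['auth_token'],
        $_SERVER['REMOTE_ADDR'],
        $_SERVER['HTTP_USER_AGENT'],
        $username,
        $sessionId
    );
}

// --- CLI walk-through with constructed values (no real users or hosts) ---
$ip        = '192.0.2.10';   // documentation address range, not a real host
$firefox   = 'Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1) Gecko/20091120 Firefox/3.5.5';
$ie        = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)';
$username  = 'alice';
$sessionId = bin2hex(random_bytes(16));   // stands in for session_id()

$token = makeTrackingToken($ip, $firefox, $username, $sessionId);

$results = [
    // Same browser, same session: the check should pass.
    'same environment'     => verifyTrackingToken($token, $ip, $firefox, $username, $sessionId),
    // Same cookie presented from another browser (the home-Firefox / school-IE
    // case raised in the thread): the check should fail and the user logs in again.
    'different user-agent' => verifyTrackingToken($token, $ip, $ie, $username, $sessionId),
    // Session ID regenerated at the next login: the old cookie should no longer validate.
    'regenerated session'  => verifyTrackingToken($token, $ip, $firefox, $username, bin2hex(random_bytes(16))),
];

foreach ($results as $case => $ok) {
    printf("%-22s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

Run it with `php example.php` (PHP 7 or later, for random_bytes and the scalar type declarations). Note what the walk-through makes visible: of the five inputs to the hash, only the salt and the session ID are secret, since, as jipman points out above, the IP, user-agent and username are all observable; so the check is exactly as strong as the secrecy of those two values plus the requirement that the session ID be regenerated on every login.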


vizskywalker
So let me make sure I understand correctly:

Step 1: The user logs in as usual

Step 2: Two cookies are placed on the user's computer
2a) A cookie containing only the member ID, which identifies the user to the server
2b) A cookie containing an MD5 of the user's IP address, web browser, username, a salt, and the session ID

Clarification: The session ID will change every time the user logs in, correct?

3) Every time the user accesses a page, the second cookie identifies whether or not the user is truly the logged-in user and not a hacker who managed to create a cookie with a valid member ID

Do I have all of that correct? What I'm not really clear on is what you mean by tracking the member. If it means what I think it means, then I see some issues.

~Viz


OpaQue
QUOTE
Clarification: The session ID will change every time the user logs in, correct?
YES.

The second cookie identifies the user.

The first cookie verifies if it is genuine.


vizskywalker
So when the server receives the cookie containing a weird MD5 it goes, "aha, this is user whatever". Then it checks to see if the member ID matches that user?

What if I log in from home with firefox, then want to login from school where I have to use IE?

~Viz


OpaQue
Every time you change your location, obviously your ENVIRONMENT VARIABLES will change and you will be asked to log in again. And at that time, new values will be set in the cookie.


vizskywalker
So what would a hacker do otherwise that this cookie prevents?

~Viz
