0

In the past we were using passwords stored in md5 and then the $userId_$md5password in cookies to validate a user logged in ... this was extremely poor security so it was time to change it.

The system is a VPS so I don't think anyone else can get access to session variables, the database or filesystem. Login and registration pages make use of ssl to submit data.

Upon registration user passwords are now crypted in this manner before being sent to the database:

$salt = to64(getRandomBytes(16));

if (CRYPT_BLOWFISH == 1) 
    $securePassword = crypt($password, '$2a$10$'.$salt);

Sessions are now used instead of plaintext cookie authorization and the php.ini file includes:

session.use_trans_sid = 0
session.use_only_cookies = 1
session.hash_function = sha512
session.hash_bits_per_character = 5

Sessions are started and configured like this ensuring no secure data is kept within a session:

session_set_cookie_params("86400", "/");
session_name("auth");
session_start();

$_SESSION['userId'] = $row[0];
$_SESSION['created'] = time();

Session id's are regenerated every 30 minutes so the system is kept rotating:

if($_SESSION['created'] + 30 * 60 < time())
{
    session_regenerate_id ();
    $_SESSION['created'] = time();
}

Sessions are set to expire after 24 hours if a user doesn't use the site again within this time, is this too long an amount of time?

We may also add ip/http user agent checks to the sessions but at the moment I think it's okay as the id can't be faked?

Have I missed out any glaring security holes?

I'll also point out that this system will work alongside openid and our servers won't be storing details such as credit cards just emails, usernames and bio information, not that that makes a difference in data protection.

Improve this question
2
  • 1
    if you use ssl when user enters login/pass you've done almost all possible in this case. One little addition though - do session_regenerate_id just right after accepting user login/pass. To get rid of session fixation of any kind. Commented Jan 17, 2012 at 21:10
  • 24 hours is quite a long session timeout time. I would say that an 8 hour period is sufficient for nearly all sites. usually 30 to 60 minutes is considered 'normal'. Commented Jan 23, 2012 at 11:42

1 Answer 1

Reset to default
1

You wrote "Login and registration pages make use of ssl", does that mean that you switch back to HTTP for the other pages? In this case, the session cookie would be sent plaintext for this other pages (or even for an image request).

You can make sure, that the session cookie is sent only to HTTPS pages, but you will lose the session for HTTP pages:

session_set_cookie_params('86400', '/', '', true, true);

Note the first true, it means that the cookie will be sent only to HTTPS pages. The second true tells the browser, that JavaScript must not access the session cookie (it depends on the browser if that is done correctly).

I would suggest one of these solutions:

  1. Use HTTPS for the whole site, this is the easiest and safest way.
  2. Separate the two concerns, maintaining the session, and authentication. This article shows how you can safely switch between HTTP and HTTPS.
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

At the moment my advertising providers don't use https for one of the tags so I can't use it sitewide without getting the insecure warnings, however I'm working on this and when done I will be able to. Then I could just do, if user logged in, use https. If I were to implement a temporary $_SESSION['ip']; check, that would stop it until https was sorted and enabled?
@Silver89: A given user might bounce between different IP addresses depending on their proxy server, so I wouldn't trust that.
@Silver89 - Then i would encourage to do so. Even better would be to use HTTPS all the time, even before the login. Then you can configure the server to deliver HTTPS only, and wouldn't have to make sure that HTTP is not allowed after login.
Does https slow the site down at all? Or are we talking micro seconds?
@Silver89 - It's an open discussion, how much HTTPS slows down the server, and i couldn't find much practical information. I have a site on HTTPS-only myself, and didn't notice any difference at all, but it's a low traffic site. If you don't expect very much traffic on your site, then i would make it HTTPS only. Here a link to an article of GMail, when they switched to HTTPS: imperialviolet.org/2010/06/25/overclocking-ssl.html

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.