Logging in

Hi

I’m not new to php but I’m starting to learn it again and I have a problem that I do not know how to solve. I’m creating a system for my applications (Windows Form) where a user can register and use it. (Note: I’m not using a browser!) and I’m using php/mysqli.

I’ve read too many topics on how to store passwords safely in a db and such so I get the general idea but I’m sure my method is not very secure. So here goes.

I have a user in my db (Testing with EasyPHP via localhost for now) and I want to check if a user logs in correctly with my application; my procedure is as follows.

  1. User enters their details (Username & Password)
  2. After hitting submit/login, my app communicates with the php script via http requests and sends data by cookies. So it sends the username to the script
  3. Script does a query and searches for the username to check if it exists

Here’s the real problem: I’m using SHA1 (I can only use hash functions that both php and my app can use) for hashing and each user has their own unique salt which is stored in the db. I need to retrieve the salt (YES I know this is a very bad idea indeed!) so I can hash the password and send it to the script for verification. But this seems very flawed as I don’t want to expose a salt even if it’s unique because the hacker could find out and try to get the password this way. Security is not that paramount so I don’t want to use SSL but I want to be prepared just in case.

For people who use this method (storing password salts in the db), how do you proceed with checking login?
Can someone suggest a better method than mine?

Nubcake

I don’t know how much this will help you, for I wrote this in OOP. I’ll just say that I only use this for a blogging website and I would not for any $$$ transaction website. I do say it should keep the script kiddies away, I hope. :wink: I retrieve the user’s name, password and salt before I let them in, and after that I do a cross-site request forgery check by using a security token. The token is not needed, but I thought I might state this, for I didn’t want you to go “What the heck is he doing?” :smiley:

Like I said, I don’t know how much help this is going to be.

[php]public function login_user($user, $user_pwd, $login_ok)
{
    $database = parent::connect();
    $found = false;

    /* create a prepared statement */
    if ($stmt = $database->prepare("SELECT id, username, password, salt, email, confirmed FROM users WHERE username=?")) {

        /* bind parameters for markers */
        $stmt->bind_param("s", $user);

        /* execute query */
        $stmt->execute();

        /* bind result variables */
        $stmt->bind_result($row['id'], $row['username'], $row['password'], $row['salt'], $row['email'], $row['confirmed']);

        /* fetch value: true when a row was found, null when the username is unknown */
        $found = $stmt->fetch();

        /* close statement */
        $stmt->close();
    }

    // The above checks to see if the username is in the database.
    // The below checks the password.
    if ($found)
    {
        // Salted SHA-256, stretched over 65536 rounds; must match the scheme used at registration
        $this->check_password = hash('sha256', $user_pwd . $row['salt']);
        for ($round = 0; $round < 65536; $round++)
        {
            $this->check_password = hash('sha256', $this->check_password . $row['salt']);
        }

        if ($this->check_password === $row['password'])
        {
            // If they match, then we flip this to true
            $login_ok = true;
        }
    }

    // If the user logged in successfully, then we send them to the private members-only page
    // Otherwise, we display a login failed message and show the login form again
    if ($login_ok)
    {
        // Never keep the secret columns in the session
        unset($row['salt']);
        unset($row['password']);

        $_SESSION['user'] = $row;
        $_SESSION['action_token'] = generate_secure_token();

        header("Location:user.page.php");
        exit;
    }
    else
    {
        // Tell the user they failed
        //echo "Login Failure<br />";
        header("Location:index.php");
        ob_end_flush();
        exit;
    }
}[/php]
[php]function generate_secure_token($length = 16)
{
    // important! this has to be a cryptographically secure random generator
    return bin2hex(openssl_random_pseudo_bytes($length));
}

function html_escape($raw_input)
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}[/php]
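Pulling the question and the reply together, here is an added example (not code from either poster) of the server-side flow the reply describes and the question is asking for: the client sends username and password, the server fetches the per-user salt and stored hash with a prepared statement and does the comparison itself, so the salt never leaves the database. The `users` table columns, the database credentials, the `STRETCH_ROUNDS` constant and the `$_POST` field names are assumptions; the stretching scheme is the reply's 65536-round salted SHA-256, factored out so registration and login share one function. It needs PHP 7.1 or later for `random_bytes`, `hash_equals` and nullable return types.

```php
<?php
// Added example: server-side login check that never hands the salt to the client.
// Assumed schema (hypothetical): users(id, username, password, salt)
// where password = stretch_password(plaintext, salt).

const STRETCH_ROUNDS = 65536; // same round count as the reply's login_user()

// Key-stretch a password with the per-user salt (the reply's scheme, shared by
// registration and login so both sides always compute the same value).
function stretch_password(string $password, string $salt): string
{
    $h = hash('sha256', $password . $salt);
    for ($round = 0; $round < STRETCH_ROUNDS; $round++) {
        $h = hash('sha256', $h . $salt);
    }
    return $h;
}

// Fresh random salt for a new account (32 hex chars from 16 CSPRNG bytes).
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Look up the user; returns id, stored hash and salt, or null if unknown.
function fetch_credentials(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password, salt FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash, $salt);
    $found = $stmt->fetch(); // true if a row was fetched, null if none
    $stmt->close();
    if (!$found) {
        return null;
    }
    return ['id' => $id, 'password' => $storedHash, 'salt' => $salt];
}

// Verify a login attempt. Returns the user id on success, null on failure.
function verify_login(mysqli $db, string $username, string $password): ?int
{
    $cred = fetch_credentials($db, $username);
    // Stretch against a dummy salt when the user is unknown so the response
    // time does not reveal whether the username exists.
    $salt = $cred['salt'] ?? str_repeat('0', 32);
    $candidate = stretch_password($password, $salt);
    // hash_equals() compares in constant time; known value goes first.
    if ($cred !== null && hash_equals($cred['password'], $candidate)) {
        return (int) $cred['id'];
    }
    return null;
}

// Minimal handler for the Windows Forms client: credentials come in the POST
// body (not in cookies), and the script answers with a one-line result.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db'); // placeholder credentials
    $id = verify_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $id !== null ? "OK $id" : "FAIL";
}
```

At registration, call `make_salt()` and store `stretch_password($plaintext, $salt)` next to it; login then needs nothing from the client but the plaintext password and username. Because that password crosses the wire in this design, HTTPS is what protects it in transit; the salt staying server-side does not replace that. For new code, PHP's built-in `password_hash()` / `password_verify()` generate and store the salt for you and are the simpler choice when the client does not need to reproduce the hash.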