Computer Science Canada 
 authentication - can i have a second look?
agnivohneb




PostPosted: Fri Dec 19, 2008 9:48 pm   Post subject: authentication - can i have a second look?

This is my first step into security for websites. Most of the time I just get another program to do all the work for me, but it never gave me the customization that I needed. So I created this app for my websites. It seems to work fine; I was just wondering if someone that has experience with security could have a look at my code before I actually use it.

You don't need to put it on your server because I just want an opinion on the code. But if you must, I would like to note that it is not done and I don't have any installer for it, so you will have to do it all manually.

First you will need to extract the contents to wherever you want on your server.
Go into the folder auth and open the file config.php in your favorite editor.
Set up all of your settings for the MySQL server.
Change $ezauth_location to whatever location the auth folder is located in.
Change $ezauth_home to your home page; most of the time it is just the root of your server.
You can leave $ezauth_secret_word the same; it is just used as a salt. When I get an installer made for this, that will automatically be set to a random string.
You will need to import this SQL into your database to create the table and the default login.
MySQL:
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

CREATE TABLE IF NOT EXISTS `ezauth__users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  `access_level` int(11) NOT NULL,
  `name` varchar(100) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

INSERT INTO `ezauth__users` (`id`, `username`, `password`, `access_level`, `name`, `email`) VALUES
(1, 'admin', '65ebe7c86c6c487dcd3d4749c5e2d08e', 3, 'Administrator', 'admin@yourdomain.ca');


That should be it to get it going. All that you need to do is go to test.php in the root and it will take you to the login page. The login is USER: admin PASS: admin.
If it is right it will take you back to test.php and tell you the secret.



Attachment: EZauth.zip (3.36 KB, downloaded 211 times)

agnivohneb




PostPosted: Fri Dec 19, 2008 10:19 pm   Post subject: RE:authentication - can i have a second look?

I will be adding an admin area to create users easily and will also have an option for the admin to select and allow users to register. But that will be coming within a few days.

Some of you may be wondering what the auth levels are.
0=all
1=registered, special, admin
2=special, admin
3=admin only
jeffgreco13




PostPosted: Sat Dec 20, 2008 5:14 pm   Post subject: Re: authentication - can i have a second look?

So you're just looking for an opinion? I think it's quite good... you seem to have everything you need in a neat little OOPHP package. It's hard to judge these things because there are unlimited ways to make them. Basically it just has to suit your needs...

MOST of all, be secure against SQL injections and if I'm not mistaken, you've done so..
agnivohneb




PostPosted: Sun Dec 21, 2008 4:18 pm   Post subject: RE:authentication - can i have a second look?

OK, thanks.
Now I am going to start the admin section.
Tony




PostPosted: Sun Dec 21, 2008 6:03 pm   Post subject: Re: authentication - can i have a second look?

jeffgreco13 @ Sat Dec 20, 2008 5:14 pm wrote:
MOST of all, be secure against SQL injections and if I'm not mistaken, you've done so..

As well as XSS and CSRF, to name a few more common exploits.
Latest from compsci.ca/blog: Tony's programming blog. DWITE - a programming contest.
Dan




PostPosted: Sun Dec 21, 2008 10:07 pm   Post subject: RE:authentication - can i have a second look?

I would use SHA-1 or better rather than MD5 for password hashes. MD5 is not as strong as more modern hashing systems.

Also I would add in the possibility for it to be accessed through an SSL connection. Right now "http" is hardcoded in at one point when "https" will be used for a secure connection.

I think there is a possibility for a SQL injection in this code through the username. Unless the server is set up to automatically strip slashes and such out of the post fields, I think you could get something in through the username field. Particularly in checklogin where $user is just dumped into the SQL string and $user is a param set by $_POST['username'] directly. I could be wrong; I looked at the code pretty quickly and I have not done any big PHP coding in a bit.
md




PostPosted: Wed Dec 24, 2008 11:00 am   Post subject: RE:authentication - can i have a second look?

You should also look into OpenID. It really simplifies the entire login process.
Unforgiven




PostPosted: Wed Dec 24, 2008 3:31 pm   Post subject: Re: RE:authentication - can i have a second look?

Dan @ Sun Dec 21, 2008 10:07 pm wrote:
I would use SHA-1 or better rather than MD5 for password hashes. MD5 is not as strong as more modern hashing systems.

And salt them!


http://en.wikipedia.org/wiki/Salt_(cryptography)
Dan




PostPosted: Wed Dec 24, 2008 4:37 pm   Post subject: Re: RE:authentication - can i have a second look?

Unforgiven @ 24th December 2008, 3:31 pm wrote:
And salt them!

They are salted, maybe you should look at the code :p
Amailer




PostPosted: Sat Apr 25, 2009 2:00 am   Post subject: Re: authentication - can i have a second look?

Yep, definitely need to check for injects.

php:
$_SESSION['ezauth_user'] = $_POST['username'];


In your login.php this is not checked for any injects. After that it's used straight in an SQL statement.

php:
$query = 'SELECT * FROM ' . $GLOBALS['ezauth_sql_prefix'] . 'users
        WHERE `username` =\'' . $_SESSION['ezauth_user'] . '\'
        LIMIT 1';


You can just use http://ca.php.net/mysql_real_escape_string in your sql statements.
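Taking Amailer's query and Dan's hashing point together, here is an added example (not EZauth's own code) of the checklogin lookup with the username bound as a parameter and the password checked with password_hash()/password_verify(). It assumes PDO and uses an in-memory SQLite table standing in for the MySQL one so it runs offline.

```php
<?php
// Added example, not EZauth's code: the checklogin() query from the thread
// rewritten with a bound parameter, and the password checked against a
// password_hash() value instead of a plain md5 of password + secret word.
// An in-memory SQLite database stands in for the MySQL table (constructed fixture).
declare(strict_types=1);

function checklogin(PDO $db, string $username, string $password): ?array
{
    // The username travels to the driver as data, separate from the SQL text,
    // so quotes or comment markers inside it cannot alter the statement.
    $stmt = $db->prepare(
        'SELECT id, username, password, access_level FROM ezauth__users
          WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_hash() stores algorithm, cost and a random per-user salt with
    // the hash; password_verify() recomputes and compares in constant time.
    if ($row === false || !password_verify($password, (string) $row['password'])) {
        return null;              // same answer for unknown user and wrong password
    }
    unset($row['password']);      // keep the hash out of $_SESSION
    return $row;
}

// Constructed fixture: the thread's table trimmed to the columns used here.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE ezauth__users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL, access_level INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO ezauth__users (username, password, access_level) VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('admin', PASSWORD_DEFAULT), 3]);

// Three lookups: the real credentials, a username carrying a quote and an OR
// clause (which is now just a username that does not exist), and a wrong password.
var_dump(checklogin($db, 'admin', 'admin'));
var_dump(checklogin($db, "admin' OR '1'='1", 'anything'));
var_dump(checklogin($db, 'admin', 'wrong'));
```

Note that the `password` column in the thread's schema is varchar(100); PHP's documentation recommends 255 for a password_hash() column so future algorithms fit.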