Secure Website Login Programming with PHP & MySQL
By Jeff Skrysak
2006-08-17
More Extreme Methods of Securing Login with PHP & MySQL
More Extreme Methods

In page 1 of this article, I listed the most basic methods necessary for security. What follows are some more extreme measures, which I refer to as "paranoid". I like that word, and in the security arena, it's a very good attitude to have. Don't mistake a paranoid security measure for a roadblock or hindrance. Though they can be one and the same, they don't have to be. What do I mean? For example, a paranoid company may tell you that the only time you can enter a server room is from 3:30 PM to 5:00 PM, one person at a time. Such a rule would undoubtedly hinder your ability to do work. A counter example may be a paranoid company that logs *every* single failed login attempt into their system. It does not hinder your work, but it sure does go above and beyond the most basic security.

Paranoid Methods

- Every login failure alerts an administrator
It doesn't have to be a siren going off; it could be a simple email detailing the date, time, IP address, and attempted login name.

- Store/log every user login
Instead of storing only the last login and the current login of each user, create a table in your database solely for storing *all* logins. Give it fields to store the user name, password, date, time, and IP address.

- Third login failure disables the account, and/or disables by IP address
After three tries... If someone fails to log in while using a valid login name, disable that account and alert an administrator. If someone tries to log in while using a login name not found in the system, log that IP address and block logins from that IP address. Note: for the first to be accomplished, your user account table needs to have a field called "disabled" of type TINYINT (to set it to 0 or 1) or ENUM (to store "Y" or "N").

- Use .htaccess and .htpasswd to double protect a site
In addition to a basic PHP login page that asks for authentication, put in place .htaccess and .htpasswd restrictions. It's pretty flimsy, but it adds that little bit of extra security to make you feel safe at night.

- Authenticate by IP address, in addition to login and password
Not only should you authenticate a user by their login name and password, but you can also put in a third element: their IP address. If the user is always going to be logging in from the same computer (or subnet), you can also check their IP address to see if it matches one allowed by the system. This will protect you from someone trying to log in from an unauthorized location, such as their home. Or, it will stop an outsider from using a login/password they obtained by devious means. However, as with *any* other security measure, this can be circumvented by spoofing an IP address. Don't let that stop you though. This paranoid method adds a third wrench in the works of any intruder, making it just that much more difficult to break in.

- Create separate, role-based MySQL accounts
In page one of this article, I recommended you give users limited access depending on their role or job. The same should happen for the MySQL accounts your PHP code uses behind the scenes. For example, there should be a MySQL user account that is restricted to only SELECT access on the user account table. Its main purpose is to be used in the login authentication. Because the login page is the most visible to intruders, its parts are the most vulnerable. If intruders somehow find out the MySQL username/password in its PHP code, they may be able to use that to run their own SQL queries. For the other portions of your site, the same rules apply. Create MySQL accounts with restricted access, depending on the code they are meant to be used in. Portions of your site that allow people to view data should internally use MySQL user accounts that only have SELECT access. Etc.... you get the idea.

- Use stored procedures (similar to user-defined functions)
In MySQL 4.0 (and below) there are functions that can be created by using the CREATE FUNCTION statement. In MySQL 5.0 and above, there will be the ability to create stored procedures by using the CREATE PROCEDURE statement. If you create your own stored procedure to authenticate a login, you minimize the ability for someone to see the internal structure of your database. It also allows you to minimize the data returned, especially if someone is able to insert a malicious SQL statement into your code. However, stored procedures alone are not the end-all solution. They should be used in conjunction with a limited-ability MySQL user account (see above).

- Gracefully handle CRITICAL failures
This is more of an idea for exception handling than for security, but it can serve both. Oftentimes a critical failure is the result of an intruder trying to do something they shouldn't, which then "breaks" your site. Instead of dying (using the die() function), try something else.

For example, many PHP programmers will do this:

    $result = @mysql_query($query, $db) or die("Could not get data");

That's a good thing to do; it allows the code to die gracefully. However, the above will alert the intruder that the error was caught, giving them feedback and allowing them to try something different next time. Or, it will look *unprofessional* to a normal user when your site dies. Create your own function called "capturecritical()" and, in addition to aborting all further processing, have that function log information and email it to an administrator. An improved example would then be:

    $result = @mysql_query($query, $db) or capturecritical("MySQL Query Error in XYZ.php, line 24", mysql_error(), $user, time());

Your function would accept as variables a basic title, in this case "MySQL Query Error", then a more verbose description (in this case, the mysql_error() data), the user account that instigated it, and the date/time it happened. The function would then email an administrator with that data, or log it to a log file. It would also tell the user a critical error has occurred.
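The first three paranoid methods above (alert on every failure, log every attempt, lock the account on the third failure) combined in one login function, as an added example that is not the article's code; the table and column names are assumptions, and it records the attempted user name but deliberately not the submitted password.

```php
<?php
// Added example, not the article's code: one dedicated table records *every*
// login attempt, a failure on a valid name counts toward a three-strike lockout,
// and each failure emails an administrator. Assumed schema (names are mine):
//   users(username, password_hash, disabled TINYINT, failed_logins INT)
//   login_log(username, succeeded TINYINT, ip, attempted_at DATETIME)
// Unlike the article's table, the submitted password is never written to the log.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // database errors throw
const MAX_FAILURES = 3;
const ADMIN_EMAIL  = 'admin@example.com';                      // placeholder

function record_attempt(mysqli $db, string $user, bool $ok, string $ip): void {
    $okInt = $ok ? 1 : 0;
    $stmt  = $db->prepare('INSERT INTO login_log (username, succeeded, ip, attempted_at)
                           VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('sis', $user, $okInt, $ip);
    $stmt->execute();
}

function alert_admin(string $subject, string $body): void {
    error_log("[login-alert] $subject: $body");   // recorded even if mail() is unavailable
    @mail(ADMIN_EMAIL, $subject, $body);
}

// Returns true only for a correct password on an enabled account.
function attempt_login(mysqli $db, string $user, string $pass, string $ip): bool {
    $stmt = $db->prepare('SELECT password_hash, disabled, failed_logins FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when the name is unknown
    $ok  = $row !== null && !$row['disabled'] && password_verify($pass, $row['password_hash']);
    record_attempt($db, $user, $ok, $ip);        // logged whether it succeeded or not
    if ($ok) {
        $stmt = $db->prepare('UPDATE users SET failed_logins = 0 WHERE username = ?');
        $stmt->bind_param('s', $user);
        $stmt->execute();
        return true;
    }
    alert_admin('Failed login', sprintf('user=%s ip=%s at %s', $user, $ip, date('c')));
    if ($row !== null) {                          // valid name: count the strike
        $failures = (int)$row['failed_logins'] + 1;
        $disable  = $failures >= MAX_FAILURES ? 1 : 0;
        $stmt = $db->prepare('UPDATE users SET failed_logins = ?, disabled = ? WHERE username = ?');
        $stmt->bind_param('iis', $failures, $disable, $user);
        $stmt->execute();
        if ($disable) alert_admin('Account disabled', "user=$user locked after $failures failures from $ip");
    }
    return false;   // unknown names stay in login_log for the IP-based block the article suggests
}
```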
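An added example (not the article's code) of the IP address as a third factor, described in the "Authenticate by IP address" item above: the client address is matched against a per-user list of addresses or CIDR subnets. The allowlist array and user names are constructed, and 64-bit PHP is assumed for ip2long().

```php
<?php
// Added example, not the article's code: the IP address as a third factor.
// Each user has an allowlist of IPv4 addresses or CIDR subnets (here a
// constructed array; in practice a column or table). Check the socket address
// ($_SERVER['REMOTE_ADDR']), never a client-supplied header such as
// X-Forwarded-For, which anyone can set. Assumes 64-bit PHP for ip2long().

// True if $ip lies inside $cidr ("198.51.100.0/24" or a single address).
function ip_in_cidr(string $ip, string $cidr): bool {
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                    // malformed or IPv6: reject rather than guess
    }
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                  // single address
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $netLong = ip2long($net);
    if ($netLong === false || !ctype_digit($bits) || (int)$bits > 32) {
        return false;                    // a bad allowlist entry is treated as "not allowed"
    }
    $mask = -1 << (32 - (int)$bits);     // prefix mask; only the low 32 bits matter
    return ($ipLong & $mask) === ($netLong & $mask);
}

// True if the client address matches any allowlist entry for the user.
function ip_allowed_for_user(string $user, string $ip, array $allowlist): bool {
    foreach ($allowlist[$user] ?? [] as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;                        // no entry for the user means no access
}

// Constructed allowlist for demonstration (documentation-range addresses).
$allowlist = [
    'alice' => ['192.0.2.10', '198.51.100.0/24'],   // her desktop and the office subnet
    'bob'   => ['203.0.113.0/28'],
];
// Used together with the password check: both must pass before the session is created.
var_dump(ip_allowed_for_user('alice', '198.51.100.77', $allowlist));
var_dump(ip_allowed_for_user('alice', '203.0.113.5', $allowlist));
```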
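An added example (not the article's code) that combines the "role-based MySQL accounts" and "stored procedures" items above: a MySQL 5 procedure that returns only the columns the login check needs, called by an account whose sole privilege is EXECUTE on that procedure. Schema, procedure and account names are assumptions and the password is a placeholder.

```php
<?php
// Added example, not the article's code: the login page talks to MySQL 5 only
// through a stored procedure, using an account that may EXECUTE that procedure
// and nothing else. Schema, procedure and account names are assumptions;
// the password is a placeholder. Run the DDL below once as a DBA (the mysql
// client needs DELIMITER to accept the procedure body).
$setup_sql = <<<'SQL'
DELIMITER //
CREATE PROCEDURE authenticate_user(IN p_user VARCHAR(64))
    SQL SECURITY DEFINER   -- runs with the definer's rights, so the caller needs no SELECT
BEGIN
    -- return only the two columns the login page needs, never the whole row
    SELECT password_hash, disabled FROM users WHERE username = p_user LIMIT 1;
END //
DELIMITER ;
CREATE USER 'login_ro'@'localhost' IDENTIFIED BY 'CHANGE-ME';
GRANT EXECUTE ON PROCEDURE webapp.authenticate_user TO 'login_ro'@'localhost';
-- no GRANT SELECT on webapp.users: a leaked login_ro password exposes no table data
SQL;

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // database errors throw

// True only for a correct password on an enabled account.
function authenticate(mysqli $db, string $user, string $pass): bool {
    $stmt = $db->prepare('CALL authenticate_user(?)');   // bound parameter, never interpolated
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();            // null when the name is unknown
    while ($stmt->more_results() && $stmt->next_result()) {}   // drain the CALL's status result
    $stmt->close();
    return $row !== null && !$row['disabled'] && password_verify($pass, $row['password_hash']);
}

// The web tier connects as the EXECUTE-only account, not as the schema owner.
$db = new mysqli('localhost', 'login_ro', 'CHANGE-ME', 'webapp');
```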
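An added implementation of the capturecritical() the article describes, not the author's own code; the log path and email address are placeholders, and the usage helper uses mysqli because the mysql_* functions in the article's snippet were removed in PHP 7.

```php
<?php
// Added example, not the article's code: a capturecritical() with the
// signature the article sketches (title, verbose detail, user, timestamp).
// It writes the full detail to a log the administrator can read, mails it,
// shows the user only a generic message, and stops the script. Log path and
// address are placeholders.
const CRITICAL_LOG = '/var/log/webapp/critical.log';   // must be writable by the web server user
const ADMIN_EMAIL  = 'admin@example.com';

function capturecritical(string $title, string $detail, string $user, int $when): void {
    $ip   = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    $line = "$title | user=$user | ip=$ip | $detail";
    // Newlines are stripped so attacker-influenced input cannot forge extra log lines.
    $line  = str_replace(["\r", "\n"], ' ', $line);
    $entry = sprintf("[%s] %s\n", date('Y-m-d H:i:s', $when), $line);
    // Log first, so the incident is recorded even if mail() is not configured.
    if (@file_put_contents(CRITICAL_LOG, $entry, FILE_APPEND | LOCK_EX) === false) {
        error_log($entry);   // fall back to the web server's error log
    }
    @mail(ADMIN_EMAIL, "Critical error: $title", $entry);
    // The user (or intruder) learns nothing about what failed or where.
    http_response_code(500);
    echo 'A critical error has occurred. The administrator has been notified.';
    exit(1);
}

// Runs a query; any failure is escalated instead of die("Could not get data").
function run_query(mysqli $db, string $sql, string $user) {
    $result = $db->query($sql);
    if ($result === false) {
        capturecritical('MySQL Query Error in login.php', $db->error, $user, time());
    }
    return $result;
}
```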