
Thread: e-commerce / Client Login security?

#1 SitePoint Enthusiast

    Hi All,

I hope this is posted in the correct forum (pls inform me if not). Ok, I have been asked to develop a client login system for a new client and this is my first project that will involve the security issues of storing personal information (passwords / credit card data) and submitting personal data via forms.

I am confident that I can code this functionality although I do have a few concerns about the whole thing being completely secure and hack proof. Can anyone give me any advice on the security precautions I should / can take when storing personal information and allowing users to login to the client area? If you know of any good tutorials / articles and books to use as a resource that would be marvellous.

Also - should I use sessions to control the access of users - is this safe too?

    Thanks in advance for your help

    Mark

    PS - I will be using Mysql / Php

#2 velocd
I highly suggest not storing credit card details, given the sensitivity and importance of the information. I'm not sure what kind of ecommerce you have going, but if you're using something like Paypal or 2Checkout, usually storing credit card info isn't needed.

I would use sessions, and passwords that are MD5-hashed into the database (with a salt field, and require users to provide at least a 6 character long password).

    Here are some tutorials:
    http://www.devshed.com/Server_Side/PHP/Commerce/
    http://www.zend.com/zend/tut/tutorial-paypal.php
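Added example (editor's code, not from any post in the thread): salted password storage and login verification in PHP with prepared statements. The post above recommends MD5 plus a salt column; this example swaps in PHP's password_hash(), which generates a random salt per user and stores it inside the hash string, so no separate salt column is needed, and keeps the post's 6 character minimum. SQLite in memory stands in for the MySQL database so the script runs stand-alone (it assumes the pdo_sqlite extension); the same PDO calls work against MySQL with a different DSN. The usernames and passwords are constructed for the example.

```php
<?php
// Added example: salted password hashing, verification and parameterised SQL.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 6; // the minimum the post suggests

function open_db(): PDO
{
    // In-memory SQLite so the example runs offline; swap the DSN for MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): bool
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    // password_hash() picks a random salt per call and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: values are bound, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
    return true;
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Burn the same verification time for unknown users so response time
        // does not reveal which usernames exist.
        password_verify($password, password_hash('dummy-password', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

$db = open_db();
echo "register too-short password: ", var_export(register_user($db, 'mark', 'short'), true), "\n";
echo "register mark:               ", var_export(register_user($db, 'mark', 'correct horse'), true), "\n";
echo "register alice:              ", var_export(register_user($db, 'alice', 'correct horse'), true), "\n";

// Same password for both users, yet the stored hashes differ because each
// carries its own random salt, so a leaked table gives no "same password" hint.
$hashes = $db->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
echo "hashes differ:               ", var_export($hashes[0] !== $hashes[1], true), "\n";

echo "login correct:               ", var_export(login($db, 'mark', 'correct horse'), true), "\n";
echo "login wrong:                 ", var_export(login($db, 'mark', 'wrong'), true), "\n";
// A classic injection string is just an unknown username to the prepared query.
echo "login injection attempt:     ", var_export(login($db, "' OR '1'='1", 'anything'), true), "\n";
```

Run it with `php` from the command line; the last line shows why the prepared statement matters: the quoted username never reaches the SQL parser as syntax.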

#3 Mandibal
    and SSL as well.
    Erh

#4 SitePoint Enthusiast
    Quote Originally Posted by Solace D.
I highly suggest not storing credit card details, given the sensitivity and importance of the information. I'm not sure what kind of ecommerce you have going, but if you're using something like Paypal or 2Checkout, usually storing credit card info isn't needed.
Thanks for the response - I completely agree with your point about data sensitivity with CC details being stored. I am in 2 minds about doing this myself. On one hand, if you can make this secure I feel the user benefits from not having to continually re-type CC info. On the other hand, it's pretty stressful to have that kind of data stored in a DB.

Anyway, that's another topic. How complex is it to set up SSL as well?

#5 Mandibal
Google the name of your web server and SSL and you should find a fair amount of tutorials on setting it up. I actually haven't had to do it so I can't say for sure, but it seems that it is fairly easy using OpenSSL. There might even be a tutorial on SitePoint with Apache/SSL. I'm sure another helpful soul will give suggestions, maybe more specific as well.
    Erh

#6 Andrew-J2000
    Quote Originally Posted by Doggo
    Hi All,

I hope this is posted in the correct forum (pls inform me if not). Ok, I have been asked to develop a client login system for a new client and this is my first project that will involve the security issues of storing personal information (passwords / credit card data) and submitting personal data via forms.

I am confident that I can code this functionality although I do have a few concerns about the whole thing being completely secure and hack proof. Can anyone give me any advice on the security precautions I should / can take when storing personal information and allowing users to login to the client area? If you know of any good tutorials / articles and books to use as a resource that would be marvellous.

Also - should I use sessions to control the access of users - is this safe too?

    Thanks in advance for your help

    Mark

    PS - I will be using Mysql / Php
There are a number of vulnerabilities which often plague websites with custom authentication. If you're unsure about security, I would strongly suggest avoiding creating your own when dealing with sensitive data such as credit details.

A few tips:
• SSL (Secure Sockets Layer) is useless without flagging cookies as secure. ENSURE you do this, otherwise you're placing overhead on your servers.
• Cookies: ensure you adopt a decent algorithm, otherwise you're sending data in plain text.
• Do not expose the session key in the URL.
• Avoid using persistent cookies and limit the lifetime of the cookie.
  • Encrypt the time stamp, as cookies can be edited.
• Reauthenticate when dealing with sensitive data, such as passwords or purchasing.
• Select the right encryption, otherwise unknowingly you could expose the data, even if it is encrypted.
• Block x No. of logins to avoid brute force attacks.
• Allow for random salts.
• Use a different username to their public name/identity.
• Don't simply check for the presence of a verifying cookie, validate it.
• Avoid SQL injection, and similar errors.
    Hope that helps you get started.
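Added example (editor's code, not from any post in the thread): the cookie and session settings the list above calls for (Secure flag, no session id in the URL, short lifetime instead of a persistent cookie), a cookie value whose time stamp is validated rather than merely present, and a counter that blocks logins after a fixed number of failures. The post says to encrypt the time stamp; this example uses an HMAC over the cookie contents instead, because authentication is what stops an edited cookie from being accepted (encryption alone does not detect tampering). The secret key, user id and timestamps are constructed for the example; PHP 7.4 or later is assumed for the array form of session_set_cookie_params() and arrow functions.

```php
<?php
// Added example: cookie hardening, an authenticated expiring cookie, and a
// failed-login limiter. Secret and sample values are constructed.
declare(strict_types=1);

// Call before session_start(). Secure: sent only over SSL. HttpOnly: not
// readable by scripts. use_only_cookies and use_trans_sid=0: the session id
// is never placed in a URL. use_strict_mode: ids the server never issued are
// rejected. A short lifetime rather than a persistent cookie.
function harden_session(int $lifetime_seconds = 1800): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => $lifetime_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Cookie value "userId|expiry|mac"; the MAC covers both fields.
function make_auth_cookie(string $user_id, int $expires_at, string $secret): string
{
    $payload = $user_id . '|' . $expires_at;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user id if the cookie is authentic and unexpired, otherwise null.
// Presence of the cookie proves nothing; only a valid MAC and a future expiry do.
function validate_auth_cookie(string $cookie, string $secret, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !preg_match('/^\d+$/', $parts[1])) {
        return null;
    }
    [$user_id, $expires_at, $mac] = $parts;
    $expected = hash_hmac('sha256', $user_id . '|' . $expires_at, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;                 // edited, or signed with a different key
    }
    if ((int) $expires_at <= $now) {
        return null;                 // lifetime exceeded
    }
    return $user_id;
}

// Block further logins for $key (username or client IP) once $max failures
// have been recorded within the last $window seconds.
function record_failure(array &$failures, string $key, int $now): void
{
    $failures[$key][] = $now;
}

function login_blocked(array &$failures, string $key, int $max, int $window, int $now): bool
{
    $recent = array_filter($failures[$key] ?? [], fn(int $t) => $t > $now - $window);
    $failures[$key] = array_values($recent);
    return count($failures[$key]) >= $max;
}

harden_session();
$secret = random_bytes(32);          // constructed; load from config in production
$now    = time();

$cookie = make_auth_cookie('42', $now + 900, $secret);
echo "valid cookie:   ", var_export(validate_auth_cookie($cookie, $secret, $now), true), "\n";
// An attacker extends the expiry by a year; the MAC no longer matches.
$edited = preg_replace('/\|\d+\|/', '|' . ($now + 31536000) . '|', $cookie);
echo "edited cookie:  ", var_export(validate_auth_cookie($edited, $secret, $now), true), "\n";
// The genuine cookie presented after its lifetime has passed.
echo "expired cookie: ", var_export(validate_auth_cookie($cookie, $secret, $now + 901), true), "\n";

$failures = [];
for ($i = 0; $i < 5; $i++) {
    record_failure($failures, 'mark', $now + $i);
}
echo "blocked after 5 failures:       ", var_export(login_blocked($failures, 'mark', 5, 600, $now + 5), true), "\n";
echo "blocked once the window passes: ", var_export(login_blocked($failures, 'mark', 5, 600, $now + 700), true), "\n";
```

The MAC key must stay server-side; anyone who holds it can mint a cookie for any user id, which is the same trust boundary the post draws around "select the right encryption".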

#7 SitePoint Enthusiast
    Quote Originally Posted by Andrew-J2000
There are a number of vulnerabilities which often plague websites with custom authentication. If you're unsure about security, I would strongly suggest avoiding creating your own when dealing with sensitive data such as credit details.

A few tips:
• SSL (Secure Sockets Layer) is useless without flagging cookies as secure. ENSURE you do this, otherwise you're placing overhead on your servers.
• Cookies: ensure you adopt a decent algorithm, otherwise you're sending data in plain text.
• Do not expose the session key in the URL.
• Avoid using persistent cookies and limit the lifetime of the cookie.
  • Encrypt the time stamp, as cookies can be edited.
• Reauthenticate when dealing with sensitive data, such as passwords or purchasing.
• Select the right encryption, otherwise unknowingly you could expose the data, even if it is encrypted.
• Block x No. of logins to avoid brute force attacks.
• Allow for random salts.
• Use a different username to their public name/identity.
• Don't simply check for the presence of a verifying cookie, validate it.
• Avoid SQL injection, and similar errors.
    Hope that helps you get started.
    Thanks for your detailed response - this is the kind of info I was really interested in and you seem like you have done this kind of thing before.

You mentioned above about not creating my own authentication if I am unsure? Are you aware of any scripts that perform this functionality that are tried and tested that I could use?

    Thanks

    Mark

#8 Andrew-J2000
    Quote Originally Posted by Doggo
    Thanks for your detailed response - this is the kind of info I was really interested in and you seem like you have done this kind of thing before.

You mentioned above about not creating my own authentication if I am unsure? Are you aware of any scripts that perform this functionality that are tried and tested that I could use?

    Thanks

    Mark
I can't say I've actually come across any real secure open source logins, but http://www.oscommerce.com/ seems to be quite popular as a package, although I haven't seen how it handles its security. Maybe this is what you're looking for?

#9 SitePoint Enthusiast
1. Use SSL (provides encryption)
2. Use a cookie (I would use PHP sessions, but keep them in the browser's memory)
3. Check that the User-Agent header didn't change. (It's unlikely someone could have changed it, considering the cookie can only be stored in the memory of the browser.)
4. Validate all data. (prevents SQL injection, and XSS)
5. Don't trivialize actions. If an action has side-effects like placing an order you should use the POST method in the HTML form (prevents CSRF)
6. Additional measures can be taken to prevent CSRF (cross site request forgery) like having a transaction id that changes with each form and that is a hidden field in the form.
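Added example (editor's code, not from any post in the thread): points 3, 5 and 6 of the list above as request checks in PHP. A plain array stands in for $_SESSION, and the request method, POST fields and User-Agent are passed as arguments so the script runs from the command line and the forged requests can be shown side by side with the legitimate one. The function names, user id and sample requests are constructed for the example.

```php
<?php
// Added example: per-form CSRF token in a hidden field, POST-only side
// effects, and binding the session to the User-Agent seen at login.
declare(strict_types=1);

// Issue a fresh token for each form; the server remembers it in the session
// and the form carries it as a hidden field.
function issue_csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_tokens'][$token] = true;
    return $token;
}

function hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Record the User-Agent at login so later requests can be compared to it.
function start_login_session(array &$session, string $user_id, string $user_agent): void
{
    $session['user_id'] = $user_id;
    $session['ua_hash'] = hash('sha256', $user_agent);
}

// Authorise a state-changing action such as placing an order. Returns a
// reason string so the caller can log rejections; a token is valid once.
function authorize_action(array &$session, string $method, array $post, string $user_agent): string
{
    if ($method !== 'POST') {
        return 'rejected: side effects only via POST';
    }
    if (!isset($session['user_id'])) {
        return 'rejected: not logged in';
    }
    if (!hash_equals($session['ua_hash'], hash('sha256', $user_agent))) {
        return 'rejected: User-Agent changed';
    }
    $token = $post['csrf_token'] ?? '';
    if ($token === '' || !isset($session['csrf_tokens'][$token])) {
        return 'rejected: missing or unknown CSRF token';
    }
    unset($session['csrf_tokens'][$token]);   // single use
    return 'ok';
}

$session = [];
$ua = 'Mozilla/5.0 (constructed example browser)';
start_login_session($session, '42', $ua);
$token = issue_csrf_token($session);
echo "form field: ", hidden_field($token), "\n";

// Legitimate order submission from the form that carried the token.
echo "genuine POST:        ", authorize_action($session, 'POST', ['csrf_token' => $token, 'item' => '7'], $ua), "\n";
// The same form submitted again: the token was consumed.
echo "replayed POST:       ", authorize_action($session, 'POST', ['csrf_token' => $token, 'item' => '7'], $ua), "\n";
// Cross-site forgery: the attacker's page cannot read the token, so its form lacks it.
$token2 = issue_csrf_token($session);
echo "forged POST:         ", authorize_action($session, 'POST', ['item' => '7'], $ua), "\n";
// A forged GET, e.g. an <img src="https://shop.example/order?item=7"> on another site.
echo "forged GET:          ", authorize_action($session, 'GET', ['csrf_token' => $token2], $ua), "\n";
// Correct token but a different client than the one that logged in.
echo "different browser:   ", authorize_action($session, 'POST', ['csrf_token' => $token2], 'curl/8.0'), "\n";
```

In a real handler the arguments come from $_SERVER['REQUEST_METHOD'], $_POST and $_SERVER['HTTP_USER_AGENT'], and $session is $_SESSION after session_start(); the User-Agent check is a weak tie-breaker rather than a primary control, since the header is attacker-chosen.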
