  1. #1 glenngould (SitePoint Guru; Join Date Nov 2005; Posts 662)

    PunBB's User Login - Is it secure?

    This is the relevant part of the login script of PunBB. It uses cookies to store userID and password (hashed).

    Code PHP:
    if (isset($_POST['form_sent']) && $action == 'in')
    {
    	$form_username = trim($_POST['req_username']);
    	$form_password = trim($_POST['req_password']);
     
    	// The username is the only submitted value that reaches SQL, and it goes through $db->escape()
    	$username_sql = ($db_type == 'mysql' || $db_type == 'mysqli') ? 'username=\''.$db->escape($form_username).'\'' : 'LOWER(username)=LOWER(\''.$db->escape($form_username).'\')';
     
    	$result = $db->query('SELECT id, group_id, password, save_pass FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
    	list($user_id, $group_id, $db_password_hash, $save_pass) = $db->fetch_row($result);
     
    	// The submitted password is never placed in a query: the stored hash is fetched and compared in PHP
    	$authorized = false;
     
    	if (!empty($db_password_hash))
    	{
    		$sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
    		$sha1_available = (function_exists('sha1') || function_exists('mhash')) ? true : false;
     
    		$form_password_hash = pun_hash($form_password);	// This could result in either an SHA-1 or an MD5 hash (depends on $sha1_available)
     
    		if ($sha1_in_db && $sha1_available && $db_password_hash == $form_password_hash)
    			$authorized = true;
    		else if (!$sha1_in_db && $db_password_hash == md5($form_password))
    		{
    			$authorized = true;
     
    			if ($sha1_available)	// There's an MD5 hash in the database, but SHA1 hashing is available, so we update the DB
    				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$user_id) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
    		}
    	}
     
    	if (!$authorized)
    		message($lang_login['Wrong user/pass'].' <a href="login.php?action=forget">'.$lang_login['Forgotten pass'].'</a>');
     
    	// Update the status if this is the first time the user logged in
    	if ($group_id == PUN_UNVERIFIED)
    		$db->query('UPDATE '.$db->prefix.'users SET group_id='.$pun_config['o_default_user_group'].' WHERE id='.$user_id) or error('Unable to update user status', __FILE__, __LINE__, $db->error());
     
    	// Remove this user's guest entry from the online list
    	$db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape(get_remote_address()).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
     
    	// The cookie stores the user id and the password hash itself, so whoever holds the cookie holds the hash
    	$expire = ($save_pass == '1') ? time() + 31536000 : 0;
    	pun_setcookie($user_id, $form_password_hash, $expire);
     
    	redirect(htmlspecialchars($_POST['redirect_url']), $lang_login['Login redirect']);
    }

    - How secure is it to use this type of method for user authentication?
    - Using sessions instead would be more secure, as far as I know, but how do you handle "remember my password on this computer" situations with sessions? Don't you have to save something in cookies?
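    Added example (editor's addition, not code from the thread or from PunBB): a "remember me" cookie that works alongside PHP sessions without storing the password or its hash client-side. The cookie carries a random selector and validator; only a SHA-256 of the validator is kept server-side, so a copied database row cannot be replayed as a cookie, and the token is rotated on every use. The table name auth_tokens and its columns are assumed, as is a MySQL-compatible NOW(); the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example, not PunBB code: "remember me" on top of PHP sessions.
// Assumed (hypothetical) schema:
//   auth_tokens(selector CHAR(24), validator_hash CHAR(64), user_id INT, expires DATETIME)

declare(strict_types=1);

function issue_remember_me(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key, 24 hex chars
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires   = time() + 30 * 86400;

    $stmt = $db->prepare(
        'INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires)]);

    // The cookie never contains the password or the password hash.
    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // assumes HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Call after session_start() on requests that have no logged-in session yet.
function login_from_remember_me(PDO $db): ?int
{
    $cookie = $_COOKIE['remember'] ?? '';
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    if (!ctype_xdigit($selector) || !ctype_xdigit($validator)) {
        return null;
    }

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash FROM auth_tokens WHERE selector = ? AND expires > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Selector known but secret wrong: likely a guessed or tampered cookie, drop the token.
        $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Token is good: fresh session id, then rotate the token so each cookie value is single use.
    $userId = (int) $row['user_id'];
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    issue_remember_me($db, $userId);
    return $userId;
}
```

    On a normal login with the box ticked, call session_regenerate_id(true) and then issue_remember_me(); on logout, delete the user's auth_tokens rows and expire the cookie. A stolen cookie still grants access until it expires or is rotated, which is the trade-off the question is about, but it no longer exposes anything that can be cracked offline.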

  2. #2 poizn (SitePoint Addict; Join Date Jun 2006; Location Durban, South Africa; Posts 287)
    It is secure because the password entered is checked against the password from the database, but I don't think the SQL is protected from SQL injections, so if you knew the first person's password, you should be able to get in. So I think this is fairly safe, but the first account is a little vulnerable.

  3. #3 glenngould (SitePoint Guru; Join Date Nov 2005; Posts 662)
    Supposing we have the cookie file of a user, we get in by just using it, don't we?

    I guess same applies for session based logins with "remember my password" option (as in sitepoint?).

  4. #4 SitePoint Addict (Join Date Jan 2005; Location Ireland; Posts 349)
    Quote Originally Posted by glenngould:
    Supposing we have the cookie file of a user, we get in by just using it, don't we?

    I guess same applies for session based logins with "remember my password" option (as in sitepoint?).
    Potentially. Sometimes you see software put in some extra checks, for instance, if an IP address other than the one the session was created with tries to use the session cookie then it may disallow it.

    However, session stealing can happen whether it is by cookie, or fields in the request URL. For instance, what happens if someone copies and pastes the URL they are viewing which has a session id in it?
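    Added example (editor's addition, not code from the thread or from PunBB) covering the two points above: keeping the session id out of URLs so a pasted link carries nothing, and the optional IP check, done coarsely so that users behind changing addresses are not logged out on every request. The function names are assumed; the ini settings and session_set_cookie_params() array form are standard PHP (7.3 or later).

```php
<?php
// Added example, not PunBB code: session hardening against id leakage and reuse.
// Call configure_session() before session_start() on every page.

declare(strict_types=1);

function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');  // never read or emit a session id from the URL
    ini_set('session.use_trans_sid', '0');     // no automatic ?PHPSESSID= rewriting of links
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not itself generate
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // assumes HTTPS
        'httponly' => true,     // script cannot read the cookie
        'samesite' => 'Lax',
    ]);
}

// Fingerprint stored at login and compared on each request. IP binding is optional
// and uses only the first three IPv4 octets; a full-address check logs out users
// whose address changes (mobile networks, proxy pools). IPv6 is not split here.
function session_fingerprint(bool $bindIp): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
        $parts[] = implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    return hash('sha256', implode('|', $parts));
}

function on_login_success(int $userId, bool $bindIp = false): void
{
    session_regenerate_id(true);   // new id after authentication defeats session fixation
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = session_fingerprint($bindIp);
    $_SESSION['last_seen']   = time();
}

// Returns the logged-in user id, or null (and destroys the session) on idle timeout or fingerprint mismatch.
function current_user(bool $bindIp = false, int $idleLimit = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    $expired  = (time() - (int) $_SESSION['last_seen']) > $idleLimit;
    $mismatch = !hash_equals($_SESSION['fingerprint'], session_fingerprint($bindIp));
    if ($expired || $mismatch) {
        session_unset();
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```

    With use_only_cookies and use_trans_sid off, a copied URL never contains the session id, which removes the copy-and-paste case entirely; the fingerprint only limits what a stolen cookie is worth, it does not prevent the theft, so the idle timeout and regeneration on login matter more than the IP check.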

  5. #5 SitePoint Addict (Join Date Jan 2005; Location Ireland; Posts 349)
    Quote Originally Posted by poizn:
    It is secure because the password entered is checked against the password from the database, but I don't think the SQL is protected from SQL injections, so if you knew the first person's password, you should be able to get in. So I think this is fairly safe, but the first account is a little vulnerable.
    It appears safe to me. Even though the password is escaped for SQL, it isn't used in its raw form in SQL. The check happens from the retrieved password of the query, using sha1 or md5. Even the SQL update only deals with MD5 and SHA-1 - and these don't produce any characters which would conflict with SQL.
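    Added example (editor's addition, not code from the thread or from PunBB): the same fetch-then-compare structure written with prepared statements, so it does not rely on the hex-only output of md5()/sha1() at all. That property holds for those two functions (is_hex_hash below checks it), but the output of password_hash() contains '$', '.' and '/', so once hashes are upgraded the UPDATE must bind its value rather than concatenate it. The users table, its columns and the function names are assumed.

```php
<?php
// Added example, not PunBB code: password check done in PHP on a fetched hash,
// with the submitted password never appearing in any SQL string.
// Assumed (hypothetical) schema: users(id INT, username VARCHAR, password VARCHAR)

declare(strict_types=1);

// True for the hex-only output of md5() (32 chars) or sha1() (40 chars).
function is_hex_hash(string $hash): bool
{
    $len = strlen($hash);
    return ($len === 32 || $len === 40) && ctype_xdigit($hash);
}

function upgrade_hash(PDO $db, int $userId, string $password): void
{
    // Bound parameter: safe whatever characters the hash format uses.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $userId]);
}

// Returns the user id on success, null on failure.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // The username is the only user-controlled value in the query, and it is bound, not concatenated.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Spend the same time as a real check so a miss is not distinguishable by timing.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('constructed-dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }

    $userId = (int) $row['id'];
    $stored = (string) $row['password'];

    if (is_hex_hash($stored)) {
        // Legacy md5/sha1 row, as in PunBB's length-40 check: constant-time compare, then upgrade.
        $legacy = strlen($stored) === 40 ? sha1($password) : md5($password);
        if (!hash_equals($stored, $legacy)) {
            return null;
        }
        upgrade_hash($db, $userId, $password);
        return $userId;
    }

    // Modern row (bcrypt/argon2 string): verify, and rehash if the default cost has moved on.
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        upgrade_hash($db, $userId, $password);
    }
    return $userId;
}
```

    The injection question in the thread is answered structurally here: the password string reaches the database only as a bound parameter of the UPDATE, after it has been hashed, and the comparison itself happens in PHP with hash_equals() or password_verify().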