
Problem 19: Security

Task: to make a fairly secure authentication mechanism in PHP.

Method 1.
A random sequence is sent to the login form; on the server side it is stored in a table keyed by the SESSION_ID && S_KEY combination. On the client side the browser computes
sha1(sha1(password) + S_KEY), where sha1(password) is the password hash that the database is expected to hold and S_KEY is the transmitted sequence. The result is a hash that changes with every request, so it is safe to send to the server.
On the server, the received hash is compared with sha1(password_from_db + S_KEY). If they match, the loaded instance of the user class is placed in the $_SESSION['user'] variable.
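Method 1 as a single runnable PHP script (an added example, not the original post's code): the challenge store and user table are plain arrays standing in for the database, and the client step is simulated in PHP rather than in browser JavaScript.

```php
<?php
// Added example: the challenge-response flow of Method 1. Arrays stand in
// for the SESSION_ID/S_KEY table and the users table; hash_equals() is used
// for the final comparison so timing does not leak how many bytes matched.

// Server: issue a fresh S_KEY for this session and record it.
function issue_challenge(array &$challenges, string $session_id): string {
    $s_key = bin2hex(random_bytes(16));   // random sequence sent to the form
    $challenges[$session_id] = $s_key;    // SESSION_ID && S_KEY combination
    return $s_key;
}

// Client (normally JavaScript in the browser): never sends the password,
// only sha1(sha1(password) + S_KEY), which changes with every challenge.
function client_response(string $password, string $s_key): string {
    return sha1(sha1($password) . $s_key);
}

// Server: recompute from the stored sha1(password) and compare.
// The S_KEY is consumed so a captured response cannot be replayed.
function verify_response(array &$challenges, array $users,
                         string $session_id, string $login, string $response): bool {
    if (!isset($challenges[$session_id], $users[$login])) {
        return false;
    }
    $s_key = $challenges[$session_id];
    unset($challenges[$session_id]);          // one challenge, one attempt
    $expected = sha1($users[$login] . $s_key); // $users[$login] holds sha1(password)
    return hash_equals($expected, $response);  // constant-time comparison
}

// Constructed sample data: one user whose stored hash is sha1('correct horse').
$users = ['alice' => sha1('correct horse')];
$challenges = [];
$sid = 'sess_demo';                       // stands in for the PHP session id
$s_key = issue_challenge($challenges, $sid);

// Right password: accepted, and the challenge is consumed.
var_dump(verify_response($challenges, $users, $sid, 'alice',
                         client_response('correct horse', $s_key)));

// Replaying the same response after the challenge was consumed: rejected.
var_dump(verify_response($challenges, $users, $sid, 'alice',
                         client_response('correct horse', $s_key)));

// Wrong password against a fresh challenge: rejected.
$s_key = issue_challenge($challenges, $sid);
var_dump(verify_response($challenges, $users, $sid, 'alice',
                         client_response('wrong', $s_key)));
```

Because the server recomputes from the stored sha1(password), that stored value is itself a password equivalent: the random S_KEY protects the credential in transit, not the database.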

It all works and is correct, but it is not entirely secure.
What can an attacker do?
1. Steal the session cookie.
2. Intercept the traffic and, again, steal the session.

What do we need?
We need to be sure that the session is bound to the user on the other end of the connection.

The IP address is not an option: it can be spoofed, and for people sitting behind a NAT the IP is shared.

What to do?
Use the remote port. As a rule, the browser does not change its port for a given site, and it stays the same for a long time. A NAT does not change the port either, because it needs it to forward packets back.

Note: this method is applicable only to the critical parts of the system; for ordinary users Method 1 is enough. The reason is that nobody guarantees the port stays fixed for the whole session, and a changing port would mean constant re-logins that the user simply will not put up with.

Source: https://habr.com/ru/post/50061/
