
Help, best practices, user registration, password security, authentication.


xekon


I have been developing a PHP web site. I have been trying to follow suggested best practices. I am running an Ubuntu minimalist install and installed the following packages: nginx php5 php5-fpm postgresql phppgadmin php5-gd. I have nginx up and running instead of Apache. I have done some basic configuration for nginx, got my vhost set up and linked, and I am now able to browse my PHP pages on my local test machine running Ubuntu. I have created my PostgreSQL database and have a user set up.

So I am to the point that I wanted to create a page to register/login/change password. I searched and found http://stackoverflow...asswords-safely (it was posted back in 2010); it links to this guide using phpass: http://www.openwall....Users-Passwords

The guide/tutorial was created using MySQL. I have been swapping out functions for their equivalent PostgreSQL functions using the PostgreSQL documentation. I modified the guide to the point that I can create new users in my PostgreSQL database. When I got to the point "How to authenticate existing users" I hit a snag. MySQL version from the guide:

```php
} else {
    $hash = '*'; // In case the user is not found
    ($stmt = $db->prepare('select pass from users where user=?'))
        || fail('MySQL prepare', $db->error);
    $stmt->bind_param('s', $user)
        || fail('MySQL bind_param', $db->error);
    $stmt->execute()
        || fail('MySQL execute', $db->error);
    $stmt->bind_result($hash)
        || fail('MySQL bind_result', $db->error);
    if (!$stmt->fetch() && $db->errno)
        fail('MySQL fetch', $db->error);

    if ($hasher->CheckPassword($pass, $hash)) {
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
    }
    unset($hasher);
}
```

My version:

```php
} else {
    $hash = '*'; // In case the user is not found
    pg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1')
        or fail('pg_prepare failed ', pg_last_error($dbconn));
    $hashx = pg_execute($dbconn, "quser", array($user))
        or fail('pg_execute failed ', pg_last_error($dbconn));
    $hash = pg_fetch_result($hashx, 1, 'pass');
    if (!$hash && pg_last_error($dbconn))
        fail('pg_execute failed.2 ', pg_last_error($dbconn));

    if ($hasher->CheckPassword($pass, $hash)) {
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
        $op = 'fail'; // Definitely not 'change'
    }
}
```

I think it has to do with bind_result($hash). I used $hashx = pg_execute(); I assumed it would take the results of pg_execute() and store them in the $hashx variable, and I thought that was what bind_result($hash) was doing in the MySQL example. Here is the error from the server logs:

2013/02/15 19:01:12 [error] 16860#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: pg_fetch_result(): Unable to jump to row 1 on PostgreSQL result index 5 in ..../testing.com/public/inc/user-man.php on line 91" while reading response header from upstream, client: 192.168.1.150, server: testing.com, request: "POST /inc/user-man.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "testing.com", referrer: "http://testing.com/inc/user-man.html"

Also, if anyone has any input on whether or not this is still best practice for user registration/password security, please let me know. In addition to having a good user/password system, I know that I am going to need to recheck my configuration for both nginx and PostgreSQL to make sure everything is locked down and secure, as well as user permissions. I have not looked for any info/guides on any of this yet. Thanks so much for any responses, I appreciate it.

Edited by xekon

DOH! I figured out the problem. The PHP manual example shows using the first row as the result; once I changed the row to 0 it worked. So it must start at row 0 for results, not row 1: http://www.php.net/m...etch-result.php

I am still very curious to know if there are any security concerns using this method/guide/tutorial. So for anyone that is curious, here is the tutorial I followed: http://www.openwall....Users-Passwords On that page there is an archive with all of the example documents. I used the files from the "demo4" folder, which is just before "How to enforce a password policy". I was having an issue getting that to work, and I am thinking some simple regex matching might be enough to enforce the password policy.

For anyone that wants the complete edits to the file "user-man.php" for PostgreSQL: http://pastebin.com/nb5YiBAX

The authentication in this guide just checks if the supplied password is correct; now I need to read up on how to handle creating a session, so they stay logged in between pages and whatnot.

Edited by xekon
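For readers following the same MySQL-to-PostgreSQL port, here is an added example (not the poster's user-man.php and not the openwall guide's code) of the lookup done with 0-based row indexing and an explicit row-count check, so a missing user falls back to the '*' dummy hash instead of tripping the "Unable to jump to row" warning. It assumes a connection in $dbconn and the users(pk_users, pass) table from the thread, and swaps phpass's CheckPassword for PHP's native password_verify() (PHP 5.5+, bcrypt), which plays the same role; the policy function sketches the regex approach the poster mentions.

```php
<?php
// Added example; assumes $dbconn is an open pg_connect() handle and the
// table users(pk_users, pass) from the thread. Stored hashes are assumed to
// come from password_hash() rather than phpass (both are bcrypt-based).

// Return the stored hash for $user, or the dummy hash '*' when no such user
// exists, so the caller always runs exactly one password check (no early
// return that would let a client tell "unknown user" from "wrong password").
function fetch_user_hash($dbconn, $user) {
    // pg_query_params() sends the value separately from the SQL text, like
    // the guide's prepared statement, without naming a server-side statement.
    $res = pg_query_params($dbconn,
        'SELECT pass FROM users WHERE pk_users = $1', array($user));
    if ($res === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($dbconn));
    }
    // Rows are 0-based: the first (and only) row is row 0. Checking the count
    // first avoids the pg_fetch_result() warning seen in the nginx error log.
    if (pg_num_rows($res) !== 1) {
        return '*';
    }
    return pg_fetch_result($res, 0, 'pass');
}

// password_verify() returns false for the '*' placeholder as well as for a
// wrong password, so both failure cases look identical to the client.
function authenticate($dbconn, $user, $pass) {
    $hash = fetch_user_hash($dbconn, $user);
    return password_verify($pass, $hash);
}

// Illustrative policy of the kind the poster considers enforcing with regex:
// minimum length plus at least one letter and one digit. The rules are a
// constructed example, not a recommendation from the guide.
function password_meets_policy($pass) {
    return strlen($pass) >= 8
        && preg_match('/[A-Za-z]/', $pass) === 1
        && preg_match('/[0-9]/', $pass) === 1;
}

// Usage at login (constructed values): store with password_hash() at
// registration, then:
//   $ok = authenticate($dbconn, $_POST['user'], $_POST['pass']);
```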

Hmm... not sure if there is any trouble, but when I am creating passes with users and such, I usually run MD5 protection over the pass as a start, and after that, a SHA1 over it, just to make sure the security is fine before sending it into the user database. But as far as I can read (not the biggest PHP understander yet, so if anyone sees I got it wrong, please correct me), it seems fine to me...


MD5 and SHA1 are both not secure anymore. SHA512/SHA256 from the SHA2 family, Blowfish (as already stated), Whirlpool etc. are the preferred way. PHPass is good, but there is also the native function http://php.net/hash for using different algorithms.
