Home / CMS


    Secure PHP login with database js for http sites

    2012-12-29 00:00
    30857   0   0

    Topnew CMS uses secure PHP login with database, such as MySQL, PostgreSQL, SQLite or CUBRID.

    Topnew CMS 3.0 uses almost perfect secure PHP login algorithm with https site, which is unhackable, well at least the algorithm. However we need to take care of those http sites. The following is a revised PHP login for http site since Topnew CMS 4.0:

    Global Salt

    /cms/cms.php : function cms_sn(){return 'Please update this global salt at install or when your site is hacked';}

    Just in case the site is hacked, by updating above salt, will force all password invalid, as a result, any user will need to update password at login next time.

    However the login or user password system is pretty strong, and let's have a look in detail:

    Table: user

    CREATE TABLE user (
    pid int NOT NULL PRIMARY KEY,
    pass char(48),
    email varchar(99) NOT NULL,
    created date,
    closed date,
    salt int NOT NULL DEFAULT 0,
    sid int NOT NULL DEFAULT 0,
    error smallint NOT NULL DEFAULT 0,
    UNIQUE KEY user_uk_email (email)
    )


    Each time login successful, new random salt will be generated, it is int and should be secure enough, however it can be varchar and more secure, however at this stage, not necessary.

    Global Salt algorithm

    function cms_salt($a='',$b=''){
    $a=md5($a);
    if (!$b) $b=rand().cms_sn();//js not need this line
    $b=md5($b);
    if ($a[0]==$b[0]) return hash('sha256',$a.$b);
    if ($a[0]>$b[0]) return hash('sha256',$b.$a);
    return hash('sha256',$a.$b.$a);
    }


    User Salt algorithm

    function cms_salt_user($user,$updated=''){
    $salt=cms_salt(cms_sn(),$user['email']);
    $salt=cms_salt($salt,($updated ? $updated : $user['updated']));
    return cms_salt($salt.$user['pid'],$user['created']);
    }


    Here is the Secure PHP Login Algorithm for http site

    1) client input email, password, and click Login button. jQuery sends email to server. For http site, this is visible to the middle man.

    2) server check user table and feedback user_salt. This should be also visible to the middle man.

    3) client encode password and send to server

    function enc_pwd(p){
    var pwd=md5(p);
    var salt=$('#user_salt').text();
    var pos=parseInt(pwd.charAt(0),16);
    var pass=cms_salt(pwd,salt);
    return cms_enc(pwd,pass.substr(pos,48));
    }


    Above is the login.js which is also visible by the middle man. However let's have a closer look, see if the middle man can hack it.

    Firstly, raw password is md5() hashed, and becomes pwd

    Secondly, pwd is salted with user_salt and becomes pass

    Thirdly, chop pass at 48 chars from hex value of first char of pwd

    Now please note that at this stage, pass is exactly same value saved in table user.pass value

    Finally, encode(md5pwd,pass48) and send back to server.

    The middle man can only catch the result of encode, he need time to decode this sha256

    Server user/password validation

    Server receives email,encoded password and now validates.

    A) Get user info upon email and reject if account does not exist, or is closed, or password is in lost status etc

    B) As server knows user.pass so it is easy to decode(encode,pass) and get md5pwd and timestamp at encode

    C) Server return failed login if encode timestamp is too old, current setting is 480 seconds. So even the middle man hacked the sha256 in 481 seconds, he is still rejected. And we doubt if he can hack it, as he only knows the result of the encode and the algorithm, but does not know the 2 parameters at all.

    D) Once login successful, a new rand user salt will be generated and update the user.salt and update user.pass based on new salt

    What about no js

    If browser does not support javascript, the login still works however it sends raw email/password to server and of course it will be visible to the middle man on http sites.

    Hopefully it is a good secure PHP login algorithm, and I would like to hear from you for any improvement.

    Related readings:
    Next » Login logout and password

    Comments

    Leave a commentEdit comment

    Category