Home / CMS
2012-12-29 00:00
30857
0
0
Topnew CMS uses secure PHP login with database, such as MySQL, PostgreSQL, SQLite or CUBRID.
Topnew CMS 3.0 uses almost perfect secure PHP login algorithm with
https site, which is unhackable, well at least the algorithm. However we need to take care of those
http sites. The following is a revised PHP login for http site since Topnew CMS 4.0:
Global Salt
/cms/cms.php : function cms_sn(){return '
Please update this global salt at install or when your site is hacked';}
Just in case the site is hacked, by updating above salt, will force all password invalid, as a result, any user will need to update password at login next time.
However the login or user password system is pretty strong, and let's have a look in detail:
Table: user
CREATE TABLE user (
pid int NOT NULL PRIMARY KEY,
pass char(48),
email varchar(99) NOT NULL,
created date,
closed date,
salt int NOT NULL DEFAULT 0,
sid int NOT NULL DEFAULT 0,
error smallint NOT NULL DEFAULT 0,
UNIQUE KEY user_uk_email (email)
)
Each time login successful, new random
salt will be generated, it is int and should be secure enough, however it can be varchar and more secure, however at this stage, not necessary.
Global Salt algorithm
function cms_salt($a='',$b=''){
$a=md5($a);
if (!$b) $b=rand().cms_sn();//js not need this line
$b=md5($b);
if ($a[0]==$b[0]) return hash('sha256',$a.$b);
if ($a[0]>$b[0]) return hash('sha256',$b.$a);
return hash('sha256',$a.$b.$a);
}
User Salt algorithm
function cms_salt_user($user,$updated=''){
$salt=cms_salt(cms_sn(),$user['email']);
$salt=cms_salt($salt,($updated ? $updated : $user['updated']));
return cms_salt($salt.$user['pid'],$user['created']);
}
Here is the Secure PHP Login Algorithm for http site
1) client input
email, password, and click
Login button. jQuery sends
email to server. For http site, this is visible to the middle man.
2) server check
user table and feedback
user_salt. This should be also visible to the middle man.
3) client encode password and send to server
function enc_pwd(p){
var pwd=md5(p);
var salt=$('#user_salt').text();
var pos=parseInt(pwd.charAt(0),16);
var pass=cms_salt(pwd,salt);
return cms_enc(pwd,pass.substr(pos,48));
}
Above is the login.js which is also visible by the middle man. However let's have a closer look, see if the middle man can hack it.
Firstly, raw password is md5() hashed, and becomes pwd
Secondly, pwd is salted with user_salt and becomes pass
Thirdly, chop pass at 48 chars from hex value of first char of pwd
Now please note that at this stage, pass is exactly same value saved in table
user.pass value
Finally, encode(md5pwd,pass48) and send back to server.
The middle man can only catch the result of encode, he need time to decode this sha256
Server user/password validation
Server receives
email,encoded password and now validates.
A) Get user info upon
email and reject if account does not exist, or is closed, or password is in lost status etc
B) As server knows
user.pass so it is easy to decode(encode,pass) and get
md5pwd and timestamp at encode
C) Server return failed login if encode timestamp is too old, current setting is 480 seconds. So even the middle man hacked the sha256 in 481 seconds, he is still rejected. And we doubt if he can hack it, as he only knows the result of the encode and the algorithm, but does not know the 2 parameters at all.
D) Once login successful, a new rand user salt will be generated and update the
user.salt and update
user.pass based on new salt
What about no js
If browser does not support javascript, the login still works however it sends raw
email/password to server and of course it will be visible to the middle man on http sites.
Hopefully it is a good secure PHP login algorithm, and I would like to hear from you for any improvement.
Related readings:
Next »
Login logout and password
Comments
Leave a commentEdit comment