PHP login form safety

Question

I have googled this pretty much since I am new to this kind of security thing, but I still have some doubts.

---

SITUATION

I am developing a website for a firm (mostly with PHP of course) and I need to protect all the pages. I have made a login form and I am crypting the password with md5 in the database. I had in mind to do this:

1. Login form. If the user authenticated with the correct username and password, create a $_SESSION["logged"] = 1;
2. Now you are logged. In each page of the website I check if the $_SESSION["logged"] is set and has the value of 1. If yes, I display the content of the page.

In this way, if you try to open a random page in the website, without logging, I am able to show an error page (because when I check the $_SESSION["logged"] I see that it is unset/it hasn't the value of 1).

---

QUESTION(s)

I have NOTHING stored in the client, I am doing everything server-side and I was wondering if this method is safe enough. I have seen around that people used this kind of approach that I thought but I have also read that they are going to encrypt the data in a session. Is that really needed?

I was also wondering: when the user (after the login) closes the website and the browser, does the session destroy automatically or I have to handle something on-close calling the session_destroy();?

As I have already said, I haven't much experience in this stuff but I guess that doing everything server-side is better. I don't want to use cookies.

Answer 1

MD5 is absolutely not suitable for "crypting the password". Your process will be insecure and your client will be vulnerable. Look up password_hash as an absolute bare minimum.

I have NOTHING stored in the client,

Perhaps you are unfamiliar with how sessions work. There will be a cookie on the client machine. You can improve your security of this cookie by using a better-than-default session name/key generator such as whirlpool.

Your security will be paramount to use a TLS layer such as Lets Encrypt which is a free community supported TLS layer and fairly secure (actually it appears to be very secure but I can't beleive that something free is so good so I persist in withholding a litle bit of judgement!)

You also NEED TO TELL PHP YOU ARE USING TLS This is very important and you need to edit the php.ini file to tell PHP to use only HTTP and Encrypted cookies for sessions, such as with session_set_cookie_params.

Judging by your question you really, really bette be using Prepared Statements and fully qualifying your database interactions to avoid SQL Injection and database compromise.

Session_destroy is relatively worthless, stop caring about it. What you want to be using is regularly running session_regenerate_id typically every few page loads (say 5).

Some further reading: PHP Sessions and Security.

Final Thought

As I have already said, I haven't much experience in this stuff

Then you're going to miss things, make mistakes and the chances that your clients website is at risk from abuse or compromise is grealy increased.

Most Important Thought

• Get a TLS certificate from a Reputable Certificate Authority. Get a server admin to help you correctly install and setup the certificate for your domain.

EDIT:

This is a good link to read.

Answer 2

Whatever you are doing looks correct to me.. Answers to your questions:

• The server side method of managing session is safe. You can leave your session unencrypted as you are only storing the status of logged in user inside it.
• When the user closes the website, you will not get any event on your server. To close the session, you should:
  • Call session_destroy(); on logout action
  • Set a shorter session timeout, so that the session will be automatically destroyed after a specified time of inactivity
• Doing everything at the server side is better in the case of session

A tip on using MD5:

• It's not safe to use MD5 to encrypt passwords as it is not a strong encryption algorythm. Use mcrypt or another PHP method instead.

Answer 3

Well, I would recommend you to save your user id in session. Why? You may need to get info about user, and then using this session you can get all info related to your user. You should use session_destroy() in your logout page, if you have one. As you see, when you close your website, which is made with session, and open it again, you need to log in again. So you don't need to use session_destroy (and actually can't). I don't really know why you should encrypt session info, so sorry. I heard, that it's possible to take session, but I don't know much about it, sorry :/ Can session value be hacked? here you may find some info.

Answer 4

First of all: It's 2016, Don't use MD5 for password encription as it's not secure.

It would be better to use at least SHA1 and better would be SHA256 or higher encription for your passwords.. If you want to make it more secure SHA 256 would be a good start.

Consider using a TLS certificate... Let's encrypt is free is good enough for most websites.

Post your code and maybe someone will be able to help you in the right direction..

Good luck!