WebApp Sec mailing list archives
Re: Reviewing security parameters
From: Ilya Sher <ilya79 () actcom net il>
Date: Fri, 16 Apr 2004 21:09:04 +0300
Simon Lemieux wrote:
Hi there, I just composed a login page for my administration of my website.I just wanted to make sure I had taken everything in consideration when programming that php script. My main focus is, of course, security.At first a login variable is initialized with "guest" in it. If the whole script fails or if the user was not granted access, it will return "guest". It is then the duty of the index.php (that called my login script) to check what login was returned and take action if it was "guest", like refusing all access. But as you see the script is also designed to let a guest come in and still use some things.Guest access is denied on my administration page of course.The script checks if it was run using SSL. If not it will automatically return the "guest" user and will print a link to the same page with https://... So it always authenticate users with SSL.Also, the inputs the user will send to login are the forms _REQUESTs that contains login and password and then the input become a COOKIE which contains a random ID. All these inputs are checked to see if they are trustable; they must contain only letters and numbers, I've also allowed some punctuation but no " or '...The Cookie ID is a string of 32 characters given randomly and stored in a login database with the user's IP address and user ID.So I check to see if both ID and IP matches the user's.At any point if the Cookie contains wrong information or if it contains untrustable characters, the user is disconnected (ie. all login records are closed and user will have to re-auth).Logins, disconnection, bad login/passwords, untrustable characters are reported in a Log database.
DOS - log overflow maybe.
Do you guys think this script is safe?
It is simplier to me (I guess for others too) to see the code (not that I'm security expert but hey - that's another eyes of php programmer on your code). Can't tell you till than.
Thanks, Simon
Current thread:
- Reviewing security parameters Simon Lemieux (Apr 16)
- Re: Reviewing security parameters Ilya Sher (Apr 16)
- RE: Reviewing security parameters V. Poddubniy (Apr 16)
- Re: Reviewing security parameters Jared (Apr 16)
- Re: Reviewing security parameters Matt Summers (Apr 16)
- Re: Reviewing security parameters Jared (Apr 16)
- Re: Reviewing security parameters exon (Apr 16)
- Follow-up: Reviewing security parameters Simon Lemieux (Apr 17)
- Message not available
- Re: Follow-up: Reviewing security parameters Simon Lemieux (Apr 21)
- Message not available
- <Possible follow-ups>
- RE: Reviewing security parameters Pitts, Christopher C. (Apr 16)
- RE: Reviewing security parameters Scovetta, Michael V (Apr 16)
- RE: Reviewing security parameters Auri A. Rahimzadeh (Apr 16)