User Authentication

Posted by admin

I wish I had a nickel for each web site I have seen that makes one of the two following mistakes.

  • Asks a person to log in, then, once they are logged in, sets a cookie to some value like "secure" or "admin" as the method of checking for authentication on each page load.
  • Stores passwords in the database in plain text.

Both issues are very insecure and very lazy things to do. Fortunately, both are also incredibly easy to remedy and fixing them can make your web site much more secure.

User Authentication

After a person logs in, don't set a generic cookie; cookies are stupidly easy to spoof. Instead, set a couple of cookies (or store them in session variables) that hold an encrypted version of the username and password they logged in with. This creates a two-layer scheme that is checked against the database on each page load: both pieces of information have to be correct for the user to be authenticated. Even better, also store an encrypted version of their "role" value or something like that, or the record ID of their profile in the database... that adds another layer.

The more layers of information a hacker would have to get right in order to gain access to anything, the harder it will be to do. On each page load, just verify that one single record has all the information stored in the various cookies or session variables, in a single, easy query against the database. If it does not match, empty or delete all those variables.

Encryption

For encryption of passwords, cookie values, or whatever else, there are hashing algorithms available on the net for almost any platform... there are also standard one-way hashes such as MD5 and SHA1. Both of those have been hacked (so they are not really one way any more), but between them you can do some weird process to make your own encryption technique. For example, get the SHA1 of the password, MD5 that, reverse the string and MD5 it again... or something like that. Use your imagination and see how wacky you can get.

For the passwords in the database, the same rule applies: encrypt them before storing them. If the database gets broken into, at least the users' passwords won't be jacked, as many users use the same password for lots of stuff.
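The layered per-page-load check from the User Authentication section and the hash-before-storing rule above, as an added example that is not the post's own code: it swaps the SHA1/MD5 chain for a salted PBKDF2 hash, and puts a random per-login token (stored hashed in the database) in the session rather than the password itself; the in-memory USERS table, user names and values are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-in for the users table: username -> record.
USERS: dict = {}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way hash (PBKDF2-HMAC-SHA256); the plain text is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(username: str, password: str, role: str, user_id: int) -> None:
    salt = os.urandom(16)                 # per-user salt defeats shared rainbow tables
    USERS[username] = {"id": user_id, "role": role, "salt": salt,
                       "pw_hash": hash_password(password, salt), "session": None}

def login(username: str, password: str):
    """Verify the password; on success return the values to put in cookies/session."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"])):
        return None
    token = secrets.token_hex(32)                              # random per-login secret
    rec["session"] = hashlib.sha256(token.encode()).digest()  # DB keeps only its hash
    return {"user": username, "id": rec["id"], "role": rec["role"], "token": token}

def authenticate(session: dict) -> bool:
    """Per-page-load check: one record must match every layer, or the session is bad."""
    rec = USERS.get(session.get("user"))
    if rec is None or rec["session"] is None:
        return False
    presented = hashlib.sha256(str(session.get("token", "")).encode()).digest()
    return (rec["id"] == session.get("id")
            and rec["role"] == session.get("role")
            and hmac.compare_digest(rec["session"], presented))

def logout(session: dict) -> None:
    """Invalidate server-side so a stale cookie fails the next check, then clear it."""
    rec = USERS.get(session.get("user"))
    if rec is not None:
        rec["session"] = None
    session.clear()
```

A cookie with the role edited to "admin", a guessed token, or a token from before logout all fail `authenticate`, because every layer is compared against the one database record.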