php - What is the most secure method of logging someone into a website?


I am trying to ascertain the best way to keep someone logged into a website after I have verified that their login is correct.

I tried having a look at "Keep Me Logged In" - the best approach, but the upvoted answer said you should generate a token and store the token in the database! Surely that is wholly insecure, because all it takes is a database hack and some cookie editing to get into someone else's account?

Could someone please provide me with an up-to-date, secure way of doing this? Thanks.

We posted a blog about secure authentication with long-term persistence (a.k.a. "remember me"). The largest difference between that blog post and ircmaxell's answer to "Keep Me Logged In" - the best approach is the separation of lookup (which is not constant-time) and validation (which is constant-time).

In the strategy outlined in our blog post, you aren't storing tokens in the database, you're storing the SHA-256 hash of the token. If an attacker leaks these values, they have to crack SHA-256 hashes of strong random tokens. They're better off launching a reverse shell that lets them authenticate as the user (or proceed to take over the entire machine with a local kernel exploit).

Logging in (simple and basic)

  • Use bcrypt: password_verify(). Don't generate your own salts.

    If you want to go the extra mile, consider a bcrypt + AES library to encrypt the password hashes (which is helpful if you have the database and webserver on separate hardware, since compromising the database won't give them the encryption key).

  • Rate-limit failed attempts. Example: after 5 failures per IP or username, require a CAPTCHA.

Long-term persistence ("remember me")

When logging in:

  1. Generate a secure random token.
  2. Generate a secure random identifier.
  3. Store the identifier and token in a rememberme cookie.
  4. Store the SHA-256 hash of the token in the database.
  5. When the user lands on a page, if they have a rememberme cookie, grab the identifier and do a database search.
  6. If there is an authentication token for that identifier, grab its SHA-256 hash.
  7. Compare the hash of the token provided by the cookie with the SHA-256 hash in the database using hash_equals().
  8. If that succeeds, set a session variable to the user's ID and generate a new token. If it fails, delete the entry from the database.

Advantages of this strategy

  • If a successful SQL injection attack leads to the tokens being leaked, the attacker only has the SHA-256 hashes of various tokens. That is not helpful for compromising accounts.
  • Database searches are not constant-time. That is why the identifier is separated from the token.
  • Sequential identifiers leak the activity level of the application, which many businesses wish to keep confidential. A random identifier obfuscates that detail.

Disadvantages

  • (Future StackOverflow authors should feel free to populate this list if any are discovered.)
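The login and "remember me" procedure in the answer above, carried through as a single added PHP example (not code from the answer, the linked blog post, or any library). The users table, the remember-me table and the failed-attempt counter are constructed in-memory arrays standing in for real database tables; the cookie format `selector:token` and the 30-day lifetime are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: username => [id, bcrypt hash].
// password_hash() generates the salt itself; no hand-rolled salts.
$users = [
    'alice' => ['id' => 42, 'password_hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)],
];
// Constructed stand-in for the remember-me table: selector => row.
$rememberTable = [];
// Constructed stand-in for the failed-attempt counter: key (ip or username) => count.
$failures = [];

/** Rate limiting: after 5 failures for a given IP or username, a CAPTCHA is required. */
function captchaRequired(array $failures, string $key): bool
{
    return ($failures[$key] ?? 0) >= 5;
}

/** Password login with bcrypt via password_verify(); returns the user id or null. */
function verifyLogin(array $users, array &$failures, string $username, string $password): ?int
{
    $ok = isset($users[$username]) && password_verify($password, $users[$username]['password_hash']);
    if (!$ok) {
        $failures[$username] = ($failures[$username] ?? 0) + 1;
        return null;
    }
    unset($failures[$username]);
    return $users[$username]['id'];
}

/** Steps 1-4: random selector + random token; only the SHA-256 of the token is stored. */
function issueRememberMe(array &$table, int $userId, int $ttlSeconds = 30 * 86400): string
{
    $selector = bin2hex(random_bytes(9));   // random (not sequential) lookup key
    $token    = bin2hex(random_bytes(32));  // secret; the database never sees the plaintext
    $table[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),
        'expires'    => time() + $ttlSeconds,
    ];
    // In a real app this value goes into an HttpOnly, Secure cookie:
    // setcookie('rememberme', $selector . ':' . $token, time() + $ttlSeconds, '/', '', true, true);
    return $selector . ':' . $token;
}

/** Steps 5-8: look the selector up (not constant-time), compare the token hash with
 *  hash_equals() (constant-time), rotate the token on success, delete the row on failure. */
function validateRememberMe(array &$table, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $token] = $parts;
    if (!isset($table[$selector])) {
        return null;                                // no row for this identifier
    }
    $row = $table[$selector];
    // Known value first, user-supplied value second, as hash_equals() expects.
    if ($row['expires'] < time() || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        unset($table[$selector]);                   // step 8: failed compare deletes the entry
        return null;
    }
    unset($table[$selector]);                       // step 8: success rotates the token
    $newCookie = issueRememberMe($table, $row['user_id']);
    return ['user_id' => $row['user_id'], 'cookie' => $newCookie];
}

// Usage (constructed): a login, a cookie issued, one valid and one tampered validation.
$userId = verifyLogin($users, $failures, 'alice', 'correct horse battery staple');
$cookie = issueRememberMe($rememberTable, $userId);
$first  = validateRememberMe($rememberTable, $cookie);          // user 42, fresh cookie
$replay = validateRememberMe($rememberTable, $cookie);          // old selector is gone: null
$forged = validateRememberMe($rememberTable, explode(':', $first['cookie'])[0] . ':' . str_repeat('0', 64));
// $forged is null and the row for that selector has been deleted.
for ($i = 0; $i < 5; $i++) {
    verifyLogin($users, $failures, 'alice', 'wrong');
}
var_dump($first['user_id'], $replay, $forged, captchaRequired($failures, 'alice'));
```

The lookup by selector is an ordinary index search, so its timing can vary; that is acceptable because the selector carries no secret. The secret token is only ever compared through `hash_equals()` against the stored hash, which is the constant-time half the answer describes. A wrong token for an existing selector deletes the row, so a stolen-and-used or guessed cookie cannot be tried repeatedly against the same identifier.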
