php user management systems

Question

I'm on my last steps to open my website, but the only thing that drove me crazy is the php user management. I found a lot of resources about building these systems and I believe that I can write them in my own way. The thing is that when it comes to security I get so freaking out what to go with. For example, when it comes to sending sensitive information over SSL, some people suggest to make sure that the info is encrypted in the registration form so that attacker can't hack it. And some other suggest to make sure that the debugging messages don't show when an error happen so that the attacker can't retrace the links .etc.

now as I read from here and there that md5 is not safe anymore so I'm wondering how would hash new user password and etc... I found a link to some programmers who already offer some user management, but not sure if they are good enough since I'm concerned about security as a priority CodeCanyon

so now what are the security measures that I have to be focusing on? are there any resources related to that?

Thanks,

Answer 1

You don't have to (you shouldn't) choose between the different things people tell you to implement. Good security is always layered, meaning that you implement as many protections as you can. This approach has multiple purposes. Each layer can prevent different attacks. Each layer can prevent attackers with different experience. Each layer can increase the time needed for an attacker.

Here are some tipps useful for authentication systems.

• Don't show debugging outputs
• Don't use MD5 hashes. SHA2 or even better, bcrypt are much better
• Use salts when storing passwords
• Use nonces on your forms (one time tokens)
• Always require SSL encryption between server and client
• When accessing your database on the server, make sure that information leakage or its client-side manipulation not possible (eg. avoid injection attacks, with database drivers use prepared statements, etc.)
• Make sure all failed logins (no matter what the reason) take the same amount of time to prevent timing attacks
• When a logged-in user starts a risky operation (changing pwd, payment etc.), re-authgenticate him
• Never store passwords cleartext, not ever, not anywhere
• Require a minimum complexity for the password
• !!! Secure your php sessions (another large topic, worth its own discussion) -

As you can see, there a lot you can do (and more people will probably tell you even more stuff), what you really should do depends on the risks you are willing to accept. But never rely on a single security measure, always have a layered approach.

Answer 2

Answering your direct question: It has been proven that MD5 does have collisions and there are rainbow tables floating around (see Wikipedia). PHP does have quite some hash functions available all having different advantages and disadvantages. Please also see the comment section on php.net.

Concerning general web application security I'd recommend you take a look at the OWASP project that is about making web applications more secure. A good start would be to take a look at the Top Ten security vunerabilities ("Top Ten" in the blue box).

Answer 3

use sha1 for storing password , prevent sql injection and xss script as input field. session hijacking , fixation prevention.

Answer 4

At first you should send your data via SSL (TSL) to the server, this will encrypt. Also you should use a CSRF protection for any form you send to the server.

When you have implemented your functions and they work you should try to hack your site by yourself. Try to inject SQL, JS through the forms, try to manipulate the date after the form was send, you can also try to produce erros that will be written to you PHP error log even that could be executed if your server settings are weak. (http://en.wikipedia.org/wiki/Hardening_(computing))

When you store the password in your database use an seeded hash function, if anyone is able to hack your database and get the hashs he will not be able to encrypt them without the seed.

Your will find many information about all the techniques via google.