RE: Reviewing security parameters
From: "V. Poddubniy" <vpoddubniy () mail ru>
Date: Fri, 16 Apr 2004 23:01:29 +0400
Don't forget to set the cookie as HttpOnly (this is useful at least for
users of IE 6 SP1). This will tell the browser not to tell on-page scripts
From: Simon Lemieux [mailto:lemieuxs () ca inter net]
Sent: Friday, April 16, 2004 8:47 PM
To: webappsec () securityfocus com
Subject: Reviewing security parameters
I just composed a login page for my administration of my website.
I just wanted to make sure I had taken everything into consideration when
programming that php script. My main focus is, of course, security.
At first a login variable is initialized with "guest" in it. If the
whole script fails or if the user was not granted access, it will return
"guest". It is then the duty of the index.php (that called my login
script) to check what login was returned and take action if it was
"guest", like refusing all access. But as you see the script is also
designed to let a guest come in and still use some things.
Guest access is denied on my administration page of course.
The script checks if it was run using SSL. If not it will automatically
return the "guest" user and will print a link to the same page with
https://... So it always authenticates users with SSL.
Also, the inputs the user will send to login are the form's _REQUESTs
that contain login and password, and then the input becomes a COOKIE
which contains a random ID. All these inputs are checked to see if they
are trustable; they must contain only letters and numbers, I've also
allowed some punctuation but no " or '...
The Cookie ID is a string of 32 characters given randomly and stored in
a login database with the user's IP address and user ID.
So I check to see if both ID and IP match the user's.
At any point if the Cookie contains wrong information or if it contains
untrustable characters, the user is disconnected (i.e. all login records
are closed and user will have to re-auth).
Logins, disconnection, bad login/passwords, untrustable characters are
reported in a Log database.
Do you guys think this script is safe?
Dedicated to audio/visual and interactive artwork. http://xilo.cjb.net/
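The cookie issue-and-validate path Simon describes, with the HttpOnly flag from the reply, as an added example that is code from neither poster. It assumes PHP 7.3+ (array form of setcookie), a cookie named `login_id`, and an in-memory array standing in for the login database; the helper names are mine.

```php
<?php
// Added example, not from the thread. An in-memory array stands in for the
// post's "login database" (cookie ID => user ID and IP); constructed data only.
$loginDb = [];

function over_ssl(): bool {
    // The post returns "guest" unless the request came in over SSL.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function issue_login_cookie(array &$db, string $userId, string $clientIp): string {
    // 32-character random ID from a CSPRNG, stored with the user's IP and user ID.
    $id = bin2hex(random_bytes(16));
    $db[$id] = ['user' => $userId, 'ip' => $clientIp];
    // secure: never sent over plain HTTP; httponly: the flag the reply recommends,
    // so on-page scripts cannot read the ID out of document.cookie.
    setcookie('login_id', $id, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
    ]);
    return $id;
}

function user_from_cookie(array &$db, ?string $cookie, string $clientIp, callable $log): string {
    if (!over_ssl()) {
        return 'guest';
    }
    // Whitelist before anything else: the ID is exactly 32 hex characters,
    // so quotes or other "untrustable" characters never reach the lookup.
    if ($cookie === null || !preg_match('/^[0-9a-f]{32}$/', $cookie)) {
        if ($cookie !== null) { $log('untrusted characters in cookie'); }
        return 'guest';
    }
    // Wrong ID or IP: close the login record so the user must re-authenticate.
    if (!isset($db[$cookie]) || $db[$cookie]['ip'] !== $clientIp) {
        unset($db[$cookie]);
        $log('cookie/IP mismatch, login closed');
        return 'guest';
    }
    return $db[$cookie]['user'];
}

// Usage with constructed values; the web server normally sets $_SERVER['HTTPS'].
$_SERVER['HTTPS'] = 'on';
$id = issue_login_cookie($loginDb, 'admin', '192.0.2.10');
$sameClient  = user_from_cookie($loginDb, $id, '192.0.2.10', 'error_log');
$otherClient = user_from_cookie($loginDb, $id, '192.0.2.99', 'error_log');
```

The second lookup fails the IP check, removes the record and returns "guest", so the first ID can no longer be replayed from another address.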