Hello, E*PVP community! I hopefully have a relatively useful PHP guide/release for you here today.
After all the PHP I've done with websites over the last couple of years, I've never really learned more than I have on the last project I had begun working on, which was a PHP, tick-based MMORPG (a tick-based MMORPG is an MMORPG that allows the user to do RPGish actions, but the server part of it is refreshed every time the user either loads the page, or every set time or so. For instance, the leaderboards might be set to update every 15 minutes).
One thing that really had me thinking about this, is how I handle registration and cookies. Cookies used wrong are very dangerous to a user's security. Here's some PHP code that basically says
Code:
if ($_COOKIE['adminlevel'] == 4)
{
    // Execute admin-only code here; the value is taken straight from the browser
}
And let's say a user's admin level was not 4, but maybe 1 being a basic member. Using a Cookie editor, they could easily change that number to 4, and get by the adminlevel check.
What I've come up with, while yes, it might be slightly inefficient since you could use Sessions instead, but in cases where you need to use Cookies, or you just want to be safe, I've come up with this:
When a user registers, it takes their username and password and Sha1 hashes them both.
Afterwards, it creates a "secretkey" variable that combines both of those new hashed values and creates a Sha512 hash out of it generating quite a long secret key and then stores it in the database.
Why this is useful is because when I write my PHP code, I force every page that lets a user perform some sort of action to check the secretkey and then see if the user's cookies match the value in the database. If it doesn't, it gives them a javascript alert and notifies me via email that they've changed their cookies.
You might be thinking "Okay, well they could change their secretkey too."
Well no, because since the secretkey is generated using algorithms, every key is unique. They'd have to know a user's username and password both and hash them in order to get the new values, and then hash both of those values to get the new value.
Some might say there's an easier way, but this way has worked for me, and if you need to use Cookies and don't have any security knowledge then this would definitely be a start.
suggested that a good idea would be to include the "admin/member level" into the hash itself and then salt the hash with a number unique to the user like possibly the user's entry number in the database. This would allow you to simply compare the hash with the hash in the database in case the user attempted to change his hash to become an admin of some sort. While this is definitely going somewhere, a potential problem I can see is if you needed to adjust the member level of a user, such as adding him/her as an admin, or demoting him/her from mod to a normal member.
Also, people who will say that they use sessions because not all browsers support cookies: Sessions are cookies. The data is stored on the server side, but there is still a cookie (the session id number) stored in the browser. This can be worked around by simply including the SID in the url, i.e. mypage.com/index.php?sid=YOURSIDHERE
Edit: Keep in mind that sessions can be even more insecure. Obtaining someone's session id on a website that doesn't check IP/etc will instantly allow you to become logged in as them.
This is also very important to know.
Sorry this is a big wall of text, and over time I'll re-word my explanations and make this post more beautiful, but here it is for now. If you'd like the PHP file, it can be downloaded as an attachment.
- xSherufanir/xBlackPlagu3x; Please rate the helpfulness of this. ^^
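The cookie check from the post next to a server-verified version, as an added example that is not the original post's code or the attached PHP file. It follows the suggestion above to bind the member level into the value the server checks, but swaps the sha1/sha512 hash of username and password for an HMAC keyed with a server-side secret and adds an expiry: a hash built only from values the user already knows (their own username and password) can be recomputed by that user for any level they like, whereas an HMAC cannot be reproduced without the server key. COOKIE_SECRET, COOKIE_TTL, the user ids and the cookie format are assumptions made for the example, not anything from the post.

```php
<?php
// Added example, not the post's code. Vulnerable cookie check from the post next to
// a hardened, server-verified cookie using an HMAC with a server-side secret.

// Assumption: in practice load this from config outside the web root; the value
// here is only a placeholder so the example runs stand-alone.
const COOKIE_SECRET = 'replace-with-a-long-random-server-side-secret';
const COOKIE_TTL    = 3600; // seconds a signed cookie stays valid

// --- The post's original pattern: the browser decides the admin level. ---
function isAdminVulnerable(array $cookie): bool
{
    // Whatever the client sends is trusted as-is, so editing the cookie is enough.
    return isset($cookie['adminlevel']) && $cookie['adminlevel'] == 4;
}

// --- Hardened: the server signs user id + level + expiry; the client only stores the result. ---
function issueAuthCookie(int $userId, int $level, int $now): string
{
    $expires = $now + COOKIE_TTL;
    $payload = $userId . ':' . $level . ':' . $expires;
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . ':' . $mac;
}

// Returns ['userId' => int, 'level' => int] for a valid cookie, or null if it is
// malformed, expired, or its MAC does not match (i.e. any field was edited).
function verifyAuthCookie(string $value, int $now): ?array
{
    $parts = explode(':', $value);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $level, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($level) || !ctype_digit($expires)) {
        return null;
    }
    if ((int)$expires < $now) {
        return null; // stale cookie
    }
    // Recompute the MAC server-side; the cookie never has to be looked up in the database.
    $expected = hash_hmac('sha256', "$userId:$level:$expires", COOKIE_SECRET);
    // Constant-time comparison so response timing does not leak how much of the MAC matched.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return ['userId' => (int)$userId, 'level' => (int)$level];
}

function isAdminHardened(array $cookie, int $now): bool
{
    if (!isset($cookie['auth'])) {
        return false;
    }
    $claims = verifyAuthCookie($cookie['auth'], $now);
    return $claims !== null && $claims['level'] === 4;
}

// --- Demonstration with constructed cookie jars (no real users or database). ---
$now = time();

// A basic member (level 1) edits the plain cookie to claim level 4.
$tampered = ['adminlevel' => '4'];
var_dump(isAdminVulnerable($tampered));

// Same member with the signed cookie: change the level field and the MAC no longer matches.
$legit  = issueAuthCookie(21, 1, $now);
$edited = preg_replace('/^(\d+):1:/', '$1:4:', $legit, 1);
var_dump(isAdminHardened(['auth' => $legit], $now));
var_dump(isAdminHardened(['auth' => $edited], $now));

// A cookie the server itself issued for an admin verifies, and stops verifying after COOKIE_TTL.
$admin = issueAuthCookie(7, 4, $now);
var_dump(isAdminHardened(['auth' => $admin], $now));
var_dump(isAdminHardened(['auth' => $admin], $now + COOKIE_TTL + 1));
```

Run with `php`, the vulnerable check accepts the edited adminlevel, while the hardened check rejects the level-1 cookie, rejects its edited copy, accepts the server-issued admin cookie and rejects that same cookie once COOKIE_TTL has passed. This stops editing, not reuse: a copied signed cookie still works until it expires, which is the same risk the post's edit describes for session ids, so issue it with setcookie()'s HttpOnly and Secure flags and keep the lifetime short. Because the MAC is recomputed from the fields, promoting or demoting a user only means issuing a fresh cookie with the new level.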
Hmm, one suggestion would be: include the permission type (1, 4, or whatever) in the hash. So if they did change the permission type, the hash wouldn't match anymore. Also, you don't need to keep the hash in the cookies, as you can simply regenerate it every time you load something important given the username, password, and permission type. Though, instead of storing the username and password in the cookies, store their hash (and maybe salt it with a number unique to that user, maybe the entry number of their account entry in the database.)
Also, people who will say that they use sessions because not all browsers support cookies: Sessions are cookies. The data is stored on the server side, but there is still a cookie (the session id number) stored in the browser. This can be worked around by simply including the SID in the url, i.e. mypage.com/index.php?sid=YOURSIDHERE
Edit: Keep in mind that sessions can be even more insecure. Obtaining someone's session id on a website that doesn't check IP/etc will instantly allow you to become logged in as them.
Anywho, thanks for the release.
Holy cow, you just totally simplified about 40+ lines of PHP code I've made. >.< Thanks for the idea, if it's cool, can I update my post with what you said? I'll include that you said this of course.
Ah, sorry about that, I think. xD Kinda meant that for people reading this, but hey, whoever it helps. Go ahead, I don't mind. Whenever you find something useful from me, feel free to use it.
Edit: Here, I wrote this up real quick:
PHP Code:
<?php
$session = array( // Example, you'd probably be using $_SESSION or $_COOKIE
    'Username' => 'mrTestUser924',
    'Password' => 'superTopSecretStuff',
    'Salt'     => 0x15 // = 21 - Maybe they were the 21st entry in the database?
);