Secure HTML login form, how to?

SBSP (Senior Member, joined Sep 7, 2007; 667 messages, 16 reaction score)
Hi.

How can I make sure that my login form is secure enough?
(I don't know much about web dev.)

This is what I have.

login.html

```html
<!-- Auth.asp reads the fields from the query string, so the form submits with GET -->
<form action="Auth.asp" method="get">
Username: <input type="text" name="fUsername" /><br />
Password: <input type="password" name="fPassword" />
<input type="submit" value="Login" />
</form>
```


and
Auth.asp

```asp
<%
Dim strUsername, strPassword, rs

strUsername = Request.QueryString("fUsername")
strPassword = Request.QueryString("fPassword")

' Pseudo-step: look up the user's row, e.g.
'   "Select * from Users where USER_NAME = strUsername"
' and leave the matching row in rs

If rs("USER_NAME") = strUsername Then
    If rs("PASSWORD") = strPassword Then
        Response.Cookies("IsLoggedIn") = "TRUE"
        Response.Cookies("UniqueUsername") = strUsername
    Else
        Response.Cookies("IsLoggedIn") = "FALSE"
    End If
Else
    Response.Cookies("IsLoggedIn") = "FALSE"
End If

If Request.Cookies("IsLoggedIn") = "TRUE" Then
    ' Code here
Else
    ' Failed login message here
End If
%>
```

Then on all the other pages I just run code inside the `if cookie isloggedin="true"` statement.

I don't think the above is good enough.
Is it possible to create a "fake" cookie and just set the cookie value to isloggedin="True"?
Because if you can, then I'm @#%#@?

How should I do this without using sessions? I hate sessions, because you have to create a session for all declared strings.
 
```php
<html>
<head><title>Access Control</title></head>
<body>
<?php
// Connect to the MySQL server (credentials masked as posted)
$connection = mysql_connect("*****", "****", "****")
    or die("Couldn't connect to server");

// Select the database
$db = mysql_select_db("486027", $connection)
    or die("Couldn't select database");

// Select from the table and fetch its first row
$query  = "SELECT * FROM users";
$result = mysql_query($query)
    or die("Query Failed: " . mysql_error());
$row = mysql_fetch_array($result);

// Compare the submitted credentials against that row
if ($_REQUEST["username"] == $row["name"] and $_REQUEST["password"] == $row["password"]) {
?>
<h2>Password Accepted</h2>
<?php
} else {
?>
<h2>Access Denied</h2>
<?php
}
?>
</body>
</html>
```

Hope this helps.... I'm a PHP noob.
 
Thanks dude, but that's exactly what I'm doing in ASP.

I could just cut out the cookie part and put all the code in the if inside the other if (after the username and password were verified from input compared to the SQL result).

But the problem with that is, then I have to supply a username and password on all other pages.
This is doable, but then I have to transmit the username and password back and forth from one page to another
by using a hidden text box, which is worse.
 
I would worry more about SQL injection attacks if I were you. You should be using stored procedures for your data access instead of writing SQL statements in your code.

To get around someone faking the cookie, you should store the ASP session id in the cookie, that way when you read the cookie you can match up the session id. Someone faking a cookie would have no way to know what the session id is and therefore it would be impossible to fake.
 
> I would worry more about SQL injection attacks if I were you. You should be using stored procedures for your data access instead of writing SQL statements in your code.
>
> To get around someone faking the cookie, you should store the ASP session id in the cookie, that way when you read the cookie you can match up the session id. Someone faking a cookie would have no way to know what the session id is and therefore it would be impossible to fake.

+1.

Store some random session id in the database under the user table, check and update it when the cookie/session is read and updated.

I've seen a nice JavaScript login method; it went something along the lines of this:
the HTML form post is captured by a JavaScript function inside the page, it's MD5'ed, then posted through.
Basically what you'd see if you half-router the post:

html form -> md5 data, <-- webserver sees this md5, then checks "select * from table where user = md5(user) and password = md5(pwd)".

This is much more secure than just sending the post through in plaintext.

At the end of the day you still want to secure yourself against SQL injection or XSS.
 
> I would worry more about SQL injection attacks if I were you. You should be using stored procedures for your data access instead of writing SQL statements in your code.
>
> To get around someone faking the cookie, you should store the ASP session id in the cookie, that way when you read the cookie you can match up the session id. Someone faking a cookie would have no way to know what the session id is and therefore it would be impossible to fake.

That makes sense. Thanks!
Talking about that, maybe it's a good idea to also save a random value and use that random value as the session ID,
then just kill the cookie upon logout.

As for the SQL injection, I never thought about using stored procs.
How? If you have access to create, delete and select, then surely you have access to the database?

I found an ASP function which filters out or "blacklists" specific SQL statement commands that I won't need, like DROP, TRUNCATE etc., from SQL strings.
I only need "Insert into" and "Update", but those are just as dangerous.
 
> That makes sense. Thanks!
> Talking about that, maybe it's a good idea to also save a random value and use that random value as the session ID,
> then just kill the cookie upon logout.
>
> As for the SQL injection, I never thought about using stored procs.
> How? If you have access to create, delete and select, then surely you have access to the database?
>
> I found a query which filters out or "blacklists" specific SQL statement commands that I won't need, like DROP, TRUNCATE etc.
> I only need "Insert into" and "Update", but those are just as dangerous.

With classic ASP you can get the current session id using Session.SessionID. DO NOT MAKE UP YOUR OWN SESSION ID. The session id that ASP provides is encrypted already. You will not come up with something better yourself.

You need execute permissions to the database to create and run stored procedures.
 
Whatever happened to storing passwords encrypted in the DB? I would also be wary about SQL injection and sanitize inputs. Your login cookie should be a session ID which can be validated against the web server's session id and should expire. In your scenario, I can drop a man-in-the-middle attack and just overwrite the cookie.
 
Yeah, I know, but if you do a traditional man-in-the-middle attack on the HTTPS certificate you can still get hold of the password,
because the password will be transmitted in clear text: since your PC will be issuing a fake cert and knows how to decrypt it, the password will then be in clear text.

If you send the password encrypted inside an HTTPS connection you can just send the same encrypted value without decrypting it yourself, because the server will do it for you. But at least most browsers warn you.

This is getting complicated.
 
Ok, so I have been pondering and thought things through a bit more.

```asp
<%
Dim frmEmail, frmPassword, SQLQuery, SQLEmail, SQLPassword
Dim MySessionID, SessionCookie, connection

'***********************************BOF-ENCRYPTION FUNCTION***********************************
' Turns every character into a run of digits, then re-reads the digits two at a time as
' character codes, keeping only codes 33..99 and swapping out the two quote characters.
Function Encrypt(StringToEncrypt)
    Dim CurChar, Charcount, NewString, ConvertBackString
    NewString = 0
    Charcount = 0
    Do
        Charcount = Charcount + 1
        CurChar = Asc(Mid(StringToEncrypt, Charcount, 1)) * (7 + 13 * 2 * 16 * 36 * 1453) * (21 * 15)
        NewString = NewString & CurChar
        If Charcount = Len(StringToEncrypt) Then Exit Do
    Loop
    CurChar = 0
    Charcount = 0
    ConvertBackString = ""
    Do
        Charcount = Charcount + 1
        If Charcount = Len(NewString) - 2 Then Exit Do
        CurChar = Chr(Mid(NewString, Charcount, 2))

        ' Keep only character codes 33..99
        If CInt(Asc(CurChar)) >= 33 Then
            If CInt(Asc(CurChar)) <= 99 Then
                ' Do nothing
            Else
                CurChar = ""
            End If
        Else
            CurChar = ""
        End If

        ' Take out 39 and 34 = ' and "
        If CurChar = "'" Then CurChar = "A"
        If CurChar = """" Then CurChar = "-"

        ConvertBackString = ConvertBackString & CurChar
    Loop
    Encrypt = ConvertBackString
End Function
'***********************************EOF-ENCRYPTION FUNCTION***********************************

frmEmail    = Request.Form("femail")
frmPassword = Request.Form("fpassword")

' Connect to the database
Set connection = CreateObject("ADODB.Connection")
connection.ConnectionString = "Provider=sqlNCLI;Server=MEDIACENTER\sqlEXPRESS;Database=SAMPLE;Uid=sa;Pwd=password01#;"
connection.Open()
' The form value is concatenated straight into the SQL text (the injection point discussed below)
Set SQLQuery = connection.Execute("SELECT * FROM USERS WHERE EMAIL = '" & frmEmail & "'")

SQLEmail = ""
SQLPassword = ""
While Not SQLQuery.EOF
    SQLEmail = SQLQuery("EMAIL")
    SQLPassword = SQLQuery("PASSWORD")
    SQLQuery.MoveNext
Wend
SQLQuery.Close
connection.Close

MySessionID = Encrypt(Session.SessionID)

' Start from whatever cookie the browser sent; an empty one can never match
SessionCookie = Request.Cookies("SessionCookie")
If SessionCookie = "" Then SessionCookie = "GO AWAY FOOL!"

If frmEmail = SQLEmail Then
    If SQLPassword = Encrypt(frmPassword) Then
        ' Login is correct: save the encrypted session ID into the cookie.
        ' Request.Cookies still holds what the browser sent, so use the new value locally too.
        Response.Cookies("SessionCookie") = MySessionID
        SessionCookie = MySessionID
    End If
End If

If MySessionID = SessionCookie Then
    Response.Write "<br><br><br><br><br><br><center>YOU ARE LOGGED IN</center>"
    ' Rest of code here
Else
    Response.Write "<br><br><br><br><br><br><center>AUTHENTICATION FAILED</center>"
End If
%>
```

I created a function to encrypt strings.
The function is used to store an encrypted password in the database; it's also used to take the current session ID, encrypt it, then save it inside a cookie.

Upon logon it will encrypt the supplied password from the user and then compare it to the already encrypted password value in the database.

Once done it will use the same encryption to encrypt the session ID that gets saved in the cookie.
For other ASP pages it will take the current session ID, encrypt it, then compare the value to the encrypted value inside the cookie; if everything matches it will allow it through.

I'm going to alter the encryption function a bit to make use of the day number and month number in the encryption algorithm, so the algorithm changes every day, and with that set the session ID to change on a daily basis.

After that I need to work on SQL injection by filtering out specific characters and SQL syntax.

I.E.

The user supplied "[email protected]" as the user name and the ASP code will then select it from the SQL database like this:

Select Username,Password from USERS where Username = 'Username supplied by User from the initial form'

A hacker can then create an account.
And then instead of logging in with [email protected] he can try
[email protected] and USERNAME = '[email protected]'; the string will then become a modified SQL add-on.

So the ASP code will try Select Username,Password from USERS where Username = '[email protected]' and Username = '[email protected]'

and the SQL result will be 2 lines instead of the expected 1 line.

I'm sure if you play around you can get authenticated with someone else's password.

So I need to try and filter out AND, OR etc.
Thanks for the guidance :D
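As an added example (not the thread's code), the same login written with an ADODB parameterised query instead of string concatenation, and with the logged-in state kept server-side in the ASP Session rather than in a cookie the client can rewrite. It assumes the Encrypt function from the post above has been moved into encrypt.asp, that the connection string is stored in Application("ConnString") (set in global.asa), and that home.asp and logout.asp exist; USERS, EMAIL, PASSWORD, femail and fpassword are the names from the post.

```asp
<% Option Explicit %>
<!--#include file="encrypt.asp" -->
<%
' login.asp (assumes: Encrypt() from encrypt.asp, Application("ConnString") from global.asa)
Dim connection, cmd, rs, frmEmail, frmPassword, storedPassword

frmEmail    = Request.Form("femail")
frmPassword = Request.Form("fpassword")

Set connection = Server.CreateObject("ADODB.Connection")
connection.Open Application("ConnString")

' Parameterised lookup: the e-mail is bound as a value, never spliced into the SQL text,
' so input such as  x' OR '1'='1  is compared literally against EMAIL and matches no row.
' (For a stored procedure: CommandType = 4 and CommandText = the procedure name.)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
cmd.CommandType = 1                                  ' adCmdText
cmd.CommandText = "SELECT PASSWORD FROM USERS WHERE EMAIL = ?"
cmd.Parameters.Append cmd.CreateParameter("email", 200, 1, 255, frmEmail)   ' adVarChar, adParamInput
Set rs = cmd.Execute

storedPassword = ""
If Not rs.EOF Then storedPassword = rs("PASSWORD")
rs.Close
connection.Close

If storedPassword <> "" And storedPassword = Encrypt(frmPassword) Then
    ' Logged-in state is kept server-side. The browser receives only the ASPSESSIONID cookie,
    ' a random value IIS issues and matches itself; a cookie written by another page or host
    ' names no session this server knows, so there is no IsLoggedIn=TRUE to set from outside.
    Session("UserEmail") = frmEmail
    Session.Timeout = 20                             ' idle minutes before the login lapses
    Response.Redirect "home.asp"
Else
    Response.Write "<center>AUTHENTICATION FAILED</center>"
End If
%>

<% ' Top of every protected page: no password on the wire, no hidden field to carry it.
If Session("UserEmail") = "" Then Response.Redirect "login.asp" %>

<% ' logout.asp: drop the server-side session; the old cookie then points at nothing.
Session.Abandon
Response.Redirect "login.asp" %>
```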
 
> That makes sense. Thanks!
> Talking about that, maybe it's a good idea to also save a random value and use that random value as the session ID,
> then just kill the cookie upon logout.
>
> As for the SQL injection, I never thought about using stored procs.
> How? If you have access to create, delete and select, then surely you have access to the database?
>
> I found an ASP function which filters out or "blacklists" specific SQL statement commands that I won't need, like DROP, TRUNCATE etc., from SQL strings.
> I only need "Insert into" and "Update", but those are just as dangerous.

In Oracle (I assume the other DBs are the same?) it's to do with the privileges you need to give to the database login account. In order for your front end to do the insert, update etc., you have to grant these privileges to the login account on ALL the tables that your application uses. Whereas using a stored procedure, the login account does not get any insert, update and delete privileges. Instead it only gets the execute privilege on the stored procedure. This also makes maintenance easier, because you can add tables etc. and you don't have to worry about creating privileges on them. It's all in the stored procedure. If someone accesses your DB remotely, bypassing your front end, they can't insert, update or delete when they shouldn't. They only have privileges on the stored procedure, which if written well enough will function well whether called from the web or some other client.
 
Ok, so like this.
Revoke all permissions to the database, only allow ASP access to execute a stored proc.
The stored proc then uses functions to send information on what to do, "INSERT", "DROP" etc., like this:

Function AddField (strUsername, StrPassword) etc., so then "in layman's terms" you have created your own insert and delete command?
 
Yes.

Your stored procedure contains the insert, update and delete statements, not your web code.

Edit: the other advantage of this approach is that outsiders can't see the structure of your database.
 
Ok, I get you.

One other problem.
With the above mentioned code, if I log in as a user then stay on the page after the login happened.

I then create another file called hack.asp and put this in it: Response.Cookies("Email")="[email protected]"
When I run the new cookie in a different tab it overwrites the current one.

If I then go back to the login page and refresh it, it returns the info of [email protected] without having to log in or know addifrentuser's password :mad:

I know cookies are bound to the website hostname and the webserver won't allow the outside to create files, but if I have 2 computers with my own offline DNS server,
I could edit the host records to point the hostname to 127.0.0.1 and then overwrite the cookie.

After that, disconnect the DNS, connect the internet and my browser will then carry on using the fake cookie. I have not tried this, but
I assume it will work. ????

There must be a way to do this.
Maybe it's time for me to drop VB6 and go onto .NET.
 