Is this safe enough for user login and verification? (PHP, MySQL, Sessions)


I just want to make sure I have not missed anything obvious. I need your expertise on this.

User data in the database:
- The password is stored with crypt(), salted; the salt string is stored in the user table.

Sessions:
- When the user logs on correctly, create a new row in the sessions table with a unique sha256 hash as the session id. Store the user_id there to see which session exists for which user.
- Create a cookie and store the session id in it.
- The session is removed when the user logs out by accessing the logout function.
- The session is automatically deleted at a defined expiration time (e.g. 7 days).

Authentication:
- Check if the client has a cookie with a session id in it. If the cookie's session id matches a session id in the sessions table, the user is authenticated.

What do you guys think? Do I need anything else?

Edit: added the method I use to generate the password hash:

    public function generate_salt($password) {
        $cost = $this->config['user__password_encrypt_cost'];

        // 16 random bytes from /dev/urandom, base64-encoded and mapped onto the bcrypt
        // alphabet ('+' becomes '.'). bcrypt uses exactly 22 salt characters, so the
        // 24-character base64 string (with its '==' padding) is trimmed to 22.
        // Note: the constant is MCRYPT_DEV_URANDOM (PHP constants are case-sensitive).
        $salt = substr(strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'), 0, 22);

        // Prefix information so that PHP's crypt() knows how to verify the hash later.
        // "$2a$" selects the Blowfish (bcrypt) algorithm; the following two digits are
        // the cost parameter. Single quotes avoid any variable interpolation.
        $salt = sprintf('$2a$%02d$', $cost) . $salt;

        // Hash the password with the salt.
        $hash = crypt($password, $salt);

        return array(
            'salted_password' => $hash,
            'salt' => $salt
        );
    }

"Safe enough" is a little difficult to answer here; other things to consider:

  1. Salt strength -- username, random value or time stamp? Prefer the latter two.
  2. Are you requiring SSL when the password is sent on the wire? Consider doing this.
  3. Is the cookie 'secure' and 'httponly' to mitigate CSRF? Do so if you can (depends on client support).
  4. Are employees restricted from accessing both the salt and the encrypted value? Restrict who has access to sensitive information.
  5. Which encryption algorithm, and how many bits? Try DES 512 or stronger.
  6. Do you enforce password strength requirements? You should!
  7. Is the db connection secure? Important if the db link is on a WAN.
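As an added example (not code from the asker or the answerer), here is the session scheme from the question with the cookie flags from item 3 applied: a CSPRNG token whose SHA-256 is the only thing stored in the sessions table, an expiry check on every lookup, and a periodic purge. It assumes PHP 7.3 or later, a PDO connection, and an assumed table sessions(token_hash, user_id, expires_at).

```php
<?php
// Added example; assumes a PDO connection and an assumed table
// sessions(token_hash CHAR(64) PRIMARY KEY, user_id INT, expires_at DATETIME).
const SESSION_TTL = 7 * 24 * 3600; // 7 days, as in the question

function create_session(PDO $db, int $userId): string {
    // 32 bytes from the CSPRNG; the raw token only ever lives in the cookie.
    $token = bin2hex(random_bytes(32));
    // Store only the hash, so a leaked sessions table cannot be replayed as logins.
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, date('Y-m-d H:i:s', time() + SESSION_TTL)]);
    setcookie('sid', $token, [
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS (items 2 and 3 of the answer)
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // limits cross-site sending of the cookie
    ]);
    return $token;
}

function authenticate(PDO $db, ?string $cookieToken): ?int {
    if ($cookieToken === null || !preg_match('/^[0-9a-f]{64}$/', $cookieToken)) {
        return null; // malformed cookie: reject without touching the database
    }
    $stmt = $db->prepare('SELECT user_id, expires_at FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $cookieToken)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strtotime($row['expires_at']) < time()) {
        return null; // unknown or expired session
    }
    return (int) $row['user_id'];
}

function logout(PDO $db, string $cookieToken): void {
    $stmt = $db->prepare('DELETE FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $cookieToken)]);
    // Expire the cookie on the client as well.
    setcookie('sid', '', ['expires' => 1, 'path' => '/', 'secure' => true, 'httponly' => true]);
}

// Run periodically (e.g. from cron): a user who never logs out never hits the
// DELETE in logout(), so expired rows must be swept separately.
function purge_expired(PDO $db): int {
    return $db->exec('DELETE FROM sessions WHERE expires_at < NOW()');
}
```

Because authenticate() looks up the hash of the cookie value, the database never holds a usable session id, and the 7-day expiry is enforced on read as well as by the purge.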
