PHP
SemihalDevs, 2015-09-15 23:44:21

How to create a secure authorization algorithm?

Hello. I rummaged through a bunch of sites looking for an example of secure authorization in PHP, but found nothing sensible (or the material is already outdated).
Still, I sketched out an algorithm. Experts, please tell me where its weak spots are and how to fix them.
So:

  1. User login and password entry
  2. Password hashing on the client side. Something like this: sha1(sha1(password, login) + randomKey). randomKey is generated randomly on each new authorization so that a different hash is sent to the server every time (protection against interception).
  3. We send the resulting hash and randomKey to the server.
  4. On the server we compare the client's hash with sha1(hash_from_server + randomKey).
  5. If authorization succeeds, we write a session "key" into a cookie.

Then, say, by key 123 ($_SESSION['123']) we get the necessary data about the user (login, last login, etc.).
Actually, this is not a complicated algorithm. But the question is this: how to protect against session hijacking (binding to the IP helps exactly until the IP changes :( )?
And what are the more global problems with such an algorithm?
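What a server-side version of these steps can look like in PHP 7.3+ (an added example, not the poster's or the answerers' code): the password is stored as a bcrypt hash and sent in plain form over HTTPS instead of the client-side sha1 construction, the session id is regenerated on login, the cookie gets HttpOnly/Secure/SameSite flags, and an idle timeout limits how long a hijacked session stays usable. The PDO connection and the `users` table with its columns are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers. Assumes a PDO
// connection and a hypothetical "users" table (id, login, password_hash)
// where password_hash holds a bcrypt hash created with
// password_hash($password, PASSWORD_BCRYPT) at registration. The client
// sends the plain password over HTTPS; no client-side sha1 construction.

// Session cookie hardening: HttpOnly keeps scripts from reading the id,
// Secure confines it to HTTPS, SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped
function login(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown logins so response time does
    // not reveal whether the account exists.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_BCRYPT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }
    // A fresh session id after authentication defeats session fixation;
    // the old id (and any copy an attacker planted) stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

function currentUserId(): ?int
{
    // Idle timeout bounds how long a stolen cookie remains usable; binding to
    // the client IP is not used because it breaks when the IP changes.
    if (!isset($_SESSION['user_id']) || time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```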


2 answer(s)
Andrew, 2015-09-16
@OLS

Can you implement something similar:
https://en.wikipedia.org/wiki/Salted_Challenge_Res...

Yuri Yarosh, 2015-09-16
@voidnugget

Well, first of all, it is worth understanding the difference between authentication and authorization; from the outside, such a question looks rather ridiculous. Secondly, if HTTPS is considered an insecure environment, you can exchange Diffie-Hellman keys and encrypt the traffic with AES, but that is for complete paranoids, and you can also bolt on HMAC-SHA256... sha1(sha1(whatever)) is, from a cryptographic point of view, complete crap. Usually backends are made stateless and all information is stored within the user session, salted and encrypted. And the passwords themselves in BCrypt / SCrypt, etc.
Authentication in this case may look like this:
1. Keys are exchanged.
2. The person sends their login and password to the server over an encrypted channel.
3. In response, they receive the user session object, which is stored in cookies, removing the need for session storage.
4. Optionally, CSRF tokens are generated within the user session.
5. Optionally, all traffic needs to be escaped, including all sorts of JSONP and so on. Angular out of the box generally requires all JSONP to be prefixed with this marvel: ")]}',\n"
