Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
SemihalDevs2015-09-15 23:44:21
PHP
SemihalDevs, 2015-09-15 23:44:21

How to create a secure authorization algorithm?

Hello. I rummaged through a bunch of sites in search of an example of secure authorization in PHP, but did not find anything sensible (or the material is already outdated).
But still sketched some algorithm .. Connoisseurs, please tell me where his problem areas are and how to solve them.
So:

  1. User login and password entry
  2. Password hashing on the client side. Something like this: sha1(sha1(password, login) + randomKey). randomKey is generated randomly with each new authorization, in order to constantly send a different hash to the server (protection against interception).
  3. We send the received hash and randomKey to the server
  4. We check the hash of the client and and sha1 (hash_s_server + randomkey) on the server
  5. If the authorization is successful, then we write down a session "key" in the cookie.

Further, let's say by key 123 ($_SESSION['123']) we will get the necessary data about the user (login, last login, etc.)
Actually, this is not a complicated algorithm. But the question is this: how to protect yourself from session hijacking (binding by IP saves exactly until the IP changes :().
And what are the more global problems of such an algorithm?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Andrew, 2015-09-16
@OLS

Can you implement something similar:
https://en.wikipedia.org/wiki/Salted_Challenge_Res...

Report
Y
Yuri Yarosh, 2015-09-16
@voidnugget

Well, firstly, it is worth understanding what is the difference between authentication and authorization - from the outside, such a question looks rather ridiculous. Secondly, if https is considered an insecure environment, you can forward Diffie-Hellman keys and encrypt traffic with AES, but this is for complete paranoids, and you can also screw HMAC-SHA256 ... sha1 (sha1 (whatever)) from the point of view of cryptography full "pe". Usually it is customary to make backends stateless and store all information within the user session, salted and encrypted. And, directly, the passwords themselves in BCrypt / SCrypt etc.
Authentication in this case may look like this
: 1. Keys are exchanged
2. The person sends his login-password to the server via an encrypted channel
3. In response, it receives the user session object, which is stored in
cookies the need for session storage.
4. Optionally, CSRF tokens are generated within the user session.
5. Optionally, all traffic needs to be escaped, including all sorts of JSONP and so on. Angular generally from the box requires all JSONP to be prefixed with such a miracle ")]}',\n"

Similar questions
S
StayAtHome2015-04-01 12:24:02
How to distinguish a web request from a regular page from a request from the extension itself from a Chrome/Opera extension? 4Reply
E
Evgeny Samsonov2015-04-05 17:45:37
What is the name of the USB device? 3Reply
S
sergeybogevolny2015-04-06 21:36:50
Is there an example of interaction between bootstrap wizard form and php? 2Reply
M
Matvey Bubenets2017-04-20 04:38:37
How to disable Remote Desktop Licensing? 6Reply
P
podde2019-10-07 17:31:28
How to create an automatic signature in Service desk? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question