Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Alejandro Celaya:
How to properly implement persistent login
Feb 10, 2016 @ 10:55:37

In his latest post to his site Alejandro Celaya shares some suggestions about how to make a good, safe persistent login feature for your application. This is usually referred to as the "remember me" handling and is widely used to help improve the overall user experience.

I'm sure you are familiar with those "remember me" checkboxes in login forms. They are a common way to allow a user to keep his/her session in a web application for an extended period of time when he is in a trusted computer.

One could think that it is a small and easy-to-implement feature, but it has indeed a lot of considerations. [...] In this article I’m not going to show you how to implement a persistent login in one or another programming language, but what are the good practices that should be followed when you implement it in the way you want.

He starts off with some thoughts about the wrong way to handle the persistent login (like just making a long-life cookie) and what some of the consequences could be. Instead he suggests using a cookie (with a random generated token) that's long running, maybe 2 weeks. The difference here is that this token is then refreshed once the token is validated and reset. This reduces the risk of an older token being used on another source too. He also shares some other security concerns to think about in this setup including the use of one-time tokens, potential multiple persistent sessions and when it might be good to re-prompt for the password.

tagged: persistent login security rememberme implementation advice options

Link: http://blog.alejandrocelaya.com/2016/02/09/how-to-properly-implement-persistent-login/

Marc Morera:
You Probably Need Bundle Dependencies
Feb 10, 2016 @ 09:04:18

In this post to his site Marc Morera responds to some comments from another post about bundles dependencies in Symfony-based applications.

This post tries to answer the Magnus Nordlander’s blog post, and to explain why the Symfony Bundle Dependencies is not just a personal project to fulfill my bundles dependencies, but a practice we should implement in all our Symfony bundles as well.

Believe me, I had a big post to explain why people really need this bundle, but I think that you don’t need these words, but a simple and real example.

He points out a more "real world" example of why this kind of dependency system can be useful in Symfony development. He points out a common service (security.encoder_factory) that's used widely across many bundles, but also defined as a dependency in each. If the bundle dependency structure/tool was in wide use, this dependency would be define elsewhere and not as a part of the bundle itself.

tagged: bundle dependencies symfony security factory example

Link: http://mmoreram.com/blog/2016/02/09/you-probably-need-bundle-dependencies/

PHP.net:
PHP 5.6.18 & 5.5.32 Released
Feb 05, 2016 @ 09:49:31

On the main PHP.net site they've officially announced the release of the latest versions in the 5.6.x and 5.5.x series: PHP 5.6.18 and PHP 5.5.32.

The PHP development team announces the immediate availability of PHP [5.5.32 and 5.6.18]. This is a security release. Several security bugs were fixed in this release. All PHP [5.5 and 5.6] users are encouraged to upgrade to this version.

As always you can download this latest release from either the main downloads page or from windows.php.net for the Windows binaries. If you'd like to see exactly what was fixed in these releases, check out the full Changelog.

tagged: language version security bugfix upgrade

Link: http://php.net/archive/2016.php#id2016-02-04-3

TutsPlus.com:
Fortifying Security in WordPress, Part 1
Jan 25, 2016 @ 11:19:15

The TutsPlus.com site has posted the first part of a series wanting to help you secure your WordPress installation even more effectively. In part one of the series they cover some of the basics of securing the installation itself and the environment it lives in.

Do you think WordPress is secure? It's OK if you don't, because many people think WordPress is an insecure content management system, yet it's very far from the truth... at least today. [...] I'm sorry if you think the other way, but it doesn't. Frequent patches don't necessarily mean that a piece of software is poorly coded against security threats.

[...] The important thing here is to be responsive and preemptive, and that's something that WordPress excels at. [...] Yet, nothing is a hundred percent secure. We're living in times in which scientists are about to crack the code in our brains! Nothing is impenetrable, including our brains apparently, and WordPress is no exception. But the impossibility of 100% security doesn't mean we shouldn't go for 99.999%.

The remainder of the post is broken down into two different tips with the code/configuration changes and descriptions for what you need to update:

  • Securing the .htaccess File
  • Security Tricks for the wp-config.php File and Its Contents

The second item on that list also gets into some of the constant definitions and some advice on generating good "salt keys" for the configuration.

tagged: tutorial wordpress security series part1 htaccess configuration

Link: http://code.tutsplus.com/tutorials/fortifying-security-in-wordpress-part-1--cms-25403

PHP.net:
PHP 5.6.17 & 5.5.31 Released
Jan 08, 2016 @ 09:41:39

The main PHP.net site has announced the release of the latest versions of the PHP 5.6.x and 5.5.x series: PHP 5.5.31 and PHP 5.6.17.

The PHP development team announces the immediate availability of PHP [5.6.17 and 5.5.31]. This is a security release. Several security bugs were fixed in this release. All PHP [5.6 and 5.5] users are encouraged to upgrade.

As always, you can down load the source of this latest release from the downloads page from the main site (or your mirror of choice) and the Windows binaries from windows.php.net. Full details of the changes in these two releases are included in the Changelog.

tagged: language release bugfix security php55 php56

Link: http://php.net/archive/2016.php#id2016-01-07-3

SitePoint PHP Blog:
Easier Authentication with Guard in Symfony 3
Dec 22, 2015 @ 09:49:03

The SitePoint PHP blog has posted a new tutorial from author Daniel Sipos showing the Symfony framework users out there how to do easier authentication with Guard, a newer component introduced to the framework to take some of the complexity out of the process.

The Symfony2 security system is a complex part of the framework, one that is difficult to understand and work with for many people. It is very powerful and flexible, however not the most straightforward.

[...] With the release of version 2.8 (and the much awaited version 3), a new component was accepted into the Symfony framework: Guard. The purpose of this component is to integrate with the security system and provide a very easy way for creating custom authentications. It exposes a single interface, whose methods take you from the beginning to the end of the authentication chain: logical and all grouped together.

He starts off with the configuration changes you'll need to add/make to use the Guard component, defining an "in memory" admin user type. He shows how to define the firewall to use a Guard form authenticator and update the security configuration with the path matches and related roles. He then gets into the controller side of things, defining a loginAction and a simple username/password form in the matching view. Finally, he updates the services configuration for the authenticator and creates the full FormAuthenticator class to go along with it. He then explains each piece of this puzzle and how it all works together to make the authentication happen.

tagged: authentication guard symfony3 tutorial easy introduction security

Link: http://www.sitepoint.com/easier-authentication-with-guard-in-symfony-3/

Paragon Initiative:
Let's Re-Think Security Trade-Offs
Dec 16, 2015 @ 12:38:08

On the Paragon Initiative blog there's a post that suggests changing your thinking about security trade-offs, those concessions we make every day in the development choices we make around the security of our applications versus other concerns.

The theory goes: You cannot have perfect security against all possible threats all the time for free. Usually, we expect our applications to incur a cost (usually in terms of CPU, memory, or electricity usage) in order to be secure. It seems logically correct that, if you need more security, your cost must therefore be higher.

Fortunately, this is not always true! Sometimes, given a choice between two solutions, the more secure option costs less than the insecure one.

The article points out that what we think might be a "fair tradeoff" between two choices may only look as much on the surface. They give the example of random number generation and the speed involved in using the random functions versus the true CSPRNG in PHP 7 (or the compatibility library). The article also points out that even those in the security industry make these same kinds of decisions. Essentially they lesson they're trying to suggest is that trade offs in security are usually based on the wrong assumptions or a limited knowledge of the technologies offered.

And if you reach the point where you have to make a choice between a secure option and an insecure option that might be better by some other metric, make sure you actually document and measure this trade-off. You might find that the benefit of the insecure choice is negligible, and that you therefore should opt for security.
tagged: security tradeoff performance unfair expert libsodium assumption

Link: https://paragonie.com/blog/2015/12/let-s-re-think-security-trade-offs

Matthew Weier O'Phinney:
Secure PHAR Automation
Dec 15, 2015 @ 12:32:54

There's always been an issue with the creation of Phar packages in PHP and the security around them. There's been recommendations about creating signatures and only using secure connections for updates and rollbacks. Unfortunately there isn't an overly easy way to handle this yet. However, Matthew Weier O'Phinney has written up a post showing his workflow for doing these kinds of things, making use of the Box project to help with some of the more detailed parts.

For a variety of reasons, I've been working on a utility that is best distributed via PHAR file. As has been noted by others (archive.is link, due to lack of availability of original site), PHAR distribution, while useful, is not without security concerns, and I decided to investigate how to securely create, distribute, and update PHAR utilities as part of this exercise.

This is an account of my journey, as well as concrete steps you can take to secure your own PHAR downloads.

He starts by outlining the "roadmap" of the features he wants to include and the steps to take to create this more secure phar archive. It includes the use of both current, local tools and services (like Box and GitHub pages). He then walks through the steps in the full process:

  • Create an OpenSSL Key
  • Use Box to create the PHAR
  • Generate a version file
  • Create the gh-pages branch
  • Write self-update/rollback commands
  • Enable Travis-CI for the repository
  • Create an SSH deploy key
  • Archive and encrypt the secrets
  • Write a deployment script
  • Add the script to travis

While this seems like a lot of steps to just get a more secure phar set up, Matthew has done the hard work for you here and includes all of the commands, configuration examples and steps you'll need to take to fully set the process up. If all goes well, his example in his last "push and watch it work" section will go off without a hitch.

tagged: phar archive security signed https update rollback travisci tutorial

Link: https://mwop.net/blog/2015-12-14-secure-phar-automation.html

Zend Developer Zone:
On Security and PHP
Dec 14, 2015 @ 10:23:46

On the Zend Developer Zone Cal Evans has posted an article about a topic that's always hot in any development community - security. In his post, "On Security and PHP", he comments on some recent metrics reported by a larger application security company and provides a bit more realistic view into the world of PHP security (and some possible downfalls of their metrics).

Yet another consultant group has decided that their traffic stats are too low so they need to “shake things up a bit”. As usual, they picked PHP as the whipping boy. No, I am not going to link to them; too many people are already doing that unironically. [...] So we have a consulting group that has discovered that compiled languages have fewer security issues than dynamic languages. In other news, water is wet. This insight isn’t a revelation to anyone who has worked with a compiled language.

He also points out the leap they make between the PHP-related results to the two pieces of software that power a large part of the web, WordPress and Drupal. He mentions the recent installation statistics published by Jack Skinner and how, when it boils down to keeping the actual language secure, nothing is better than keeping things patched. Cal summarizes the current state of things (and where we should be heading) well:

We can all agree that PHP code used to be notoriously insecure due in part to it’s low point of entry, but so was the entire Internet. As we learn, we are writing better and more secure code. Sadly reports like the one highlighted here do nothing more than perpetuate old stereotypes. The truth is that yes, PHP code has flaws, much like Python code, node.js code, and Ruby code. We’ve got fewer this year than last, and hopefully, we will have fewer next year. We are getting better. Sadly, not all applications get better at the same rate. Some people just will not bother to patch old code. That is not a language problem, that is a people problem. (It doesn’t lessen the importance of the problem, but let’s at least properly identify it)
tagged: security zenddeveloperzone development language version

Link: http://devzone.zend.com/7052/on-security/

Joshua Sampia:
CORS Slim PHP Setup
Nov 05, 2015 @ 10:38:47

In this post to his site Joshua Sampia shows how to set up and configure CORS in your Slim-based application. CORS or Cross-Origin Resource Sharing, lets you further lock down what sources can access your application and some requirements around the ones that can.

Ok, another PHP post but this time it’s about setting up some middleware for a slim PHP application.

Let me set this up. We are building a simple REST API for use with a basic phone native app (both Android and iOS). Me being new to this, I wasn’t sure if the native app domain call is considered cross browser or not, plus there are some outside companies we are working with who MAY access the API as well. [...] I setup some middleware by extending the Slim Middleware class and adding them via the app.

He talks about the steps he had to take in the middleware to set up an AccessControlOrigin middleware (and two others requiring HTTPS and HTTP Basic Auth). He includes the simple code to send the required HTTP headers to support CORS on the response object and the update to his Javascript to include credentials with every request.

tagged: cors slim framework security middleware https httpbasic authentication crossorigin

Link: http://joshuasampia.com/2015/11/05/cors-slim-php-setup/