Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paragon Initiative:
Implementing Secure User Auth in PHP Applications with Long-Term Persistence
Jul 23, 2015 @ 10:14:23

On the Paragon Initiative blog there's a post showing you how to implement secure authentication with long term persistence (a secure "remember me" essentially) in a PHP application

A common problem in web development is to implement user authentication and access controls, typically accomplished through sign-up and log-in forms. Though these systems are simple enough in theory, engineering one that lives up to application security standards is a daunting undertaking.

Without a great deal of care and sophistication, authentication systems can be as fragile as a cardboard lemonade stand in a category five hurricane. However, for everything that can go wrong, there is an effective (and often simple) way to achieve a higher level of security and resilience.

He starts with a look at passwords - how to correctly hash them, how salts play into it and some suggestions about password policies. From there he gets into the "remember me" handling, giving two common problems with most systems: insufficient randomness and timing leaks (timing attack issues). He then proposes a different kind of solution, storing some additional information in the database record, a "selector" that's not timing dependent to find the record then use a timing attack safe method to compare the hashes. He ends the post with a brief look at account recovery and some things to watch out for if you plan to implement it.

tagged: secure authentication application longterm persistence

Link: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Resonant Core:
Remember Me Safely - Secure Long-Term Authentication Strategies
Feb 02, 2015 @ 11:18:42

On the Resonant Core blog there's a new post from Scott Arciszewski looking at some strategies for secure long-term authentication (usually in the form of "Remember Me" functionality).

Let's say you have a web application with a user authentication system, wherein users must provide a username (or email address) and password to access certain resources. Let's also say that it's properly designed (it uses password_hash() and password_verify() and rate-limiting; it doesn't have any SQli or XSS flaws). Everything is going well for a while, but eventually your users would like the convenience of a "Remember me on this computer" button. What do you do?

He proposes a few different solutions including:

  • the storage of credentials from the database in a cookie (a bad idea),
  • generating a unique token when the uses requests the "remember me" to store in a cookie
  • using two pieces of information, a random token and an "authenticator" for validation

He points out why the first two solutions aren't the best approaches and then gets into the details of how to handle the last recommendation. He includes both the SQL and the PHP code to make the token creation and verification work, performing an auto-login when the two values provided match up.

tagged: rememberme security authentication longterm strategy

Link: https://resonantcore.net/blog/2015/02/remember-me-safely-secure-long-term-authentication-strategies

HHVM Blog:
HHVM Long Term Support
Sep 03, 2014 @ 10:50:20

The HHVM (HipHop VM from Facebook) has released an update on their blog today discussing some of the long term support they plan to provide for the project and what kinds of things it will involve.

HHVM is known for its very intense and quick development pace: currently we ship to GitHub the exact same code we use to run the Facebook site within minutes of every commit, and we release a full version every 8 weeks. That is great and at the same time scary if you are trying to build a business or infrastructure around it. The HHVM team at Facebook understands that in order to reach every corner of the PHP landscape our users need to have some sort of commitment, in order to plan their deployments accordingly and to know how upstream will react to security and stability fixes in already released versions, for example.

Starting with HHVM v3.3, they'll be supporting two major versions at all times. They provide a table of versions and dates to give you an idea of when the support coverage period is and when they'll end. There's also some discussions about the packaged released for the various linux distributions and what kinds of updates might be included in the long-term support (LTS) updates.

tagged: hhvm support hiphop virtualmachine schedule longterm version

Link: http://hhvm.com/blog/6083/hhvm-long-term-support