PHPAuthentication

A PHP implementation of password login

• Introduction
• Features
• Caveats
• Usage
• A complete example
• Download
• Legal

Introduction

I needed a simple login code for individual PHP pages. For obvious security reasons I could not accept code that POSTs the password in cleartext. I could not accept code that POSTs a hashed password either, as a rogue can get access just by reusing the hashed password as is.

One popular type of robust authentication is the challenge/response scheme: the server generates a random string (challenge), the client sends back a one-way hash of the challenge combined with the password (response), the server creates its own copy of the response and compares it with the client's. Upon match, the authentication is successful. To implement this scheme the server must keep track of the several login requests and of the corresponding challenges issued, while client identification is done with cookies. Given the sessionless nature of the world wide web, the only way of doing this is by keeping a register of all requests and of all sessions. This is typically done in some database table PHP writes in. However, I didn't want to rely on a database: I was looking for some light code I could insert in as many individual pages as needed without messing with a database at every new situation. One can also use a flat file on the server as an alternative to a database table, but still I wanted to refrain from letting such "service" files proliferate.

So it looks like a hopeless set of requirements, but I found a way out that works for me, a sort of compromise between security and constraints. One compromise is that the password is written (or generated) in the PHP page; however, it never travels in the network nor shows in the HTML source code in client's browser. This was OK with me, because in order to read the PHP source code one would need to have my FTP login credentials (or be the server's administrator), but at that point he has power over my whole site, not just one page. The other compromise is that the challenge is not random; however, it is not easy to spoof as it is based on information the server has about the client, the most difficult to spoof being its IP address. Please be aware of such weaknesses if you intend to use this software. It is important to set a limited lifetime to a session, because if someone can spoof a valid cookie, he will be able to reuse it to the end of its life, and this is true even if the legitimate user has "logged out".

Features

• no cleartext password through the network
• stateless: no database or disk file needed to keep track of CHAP negotiation
• no credentials replay is possible, unless using same IP, same browser version and same platform before the cookie expires
• self-contained: no external libraries needed
• response to challenge is passed through POST: no track in server’s logs

Caveats

• the browser must have javascript and cookies enabled
• the password shows in cleartext in the PHP script
• users cannot change the password
• a change of IP address or browser causes session abort
• logging out wipes the cookie off the client, but the session token will be accepted by the server to the full configured lifetime.

Usage

• put the following code at the beginning of the PHP program:

  require "PHPAuthentication.php";
  $auth = new PHPAuthentication('my_secret_password');
  $priv = $auth->check_privileges();
  

  $priv is true if the user is logged in, false otherwise
• insert the following code in the HTML <header>:

  <?php $auth->javascript_login_function() ?>

• in the body, put the following code where you want a link to login/logout interface:

  <?php $auth->login_logout_link($priv) ?>

  and use the boolean $priv previously defined in conditional code wherever needed along the PHP program.

A complete example

<?php
require "PHPAuthentication.php";
$auth = new PHPAuthentication('my_secret_password');
$priv = $auth->check_privileges();
?>
<html>
<head>
<title>PHPAuthentication proof-of-concept</title>
<?php $auth->javascript_login_function() ?>
</head>
<body>
<p><?php $auth->login_logout_link($priv) ?></p>
<?php 
if($priv)
  print "<p style='color:#c00'>session active</p>";
else
  print "<p style='color:#00c'>session inactive ($auth->failure_reason)</p>";
?>
</body>
</html>

Download

Current version is v1.0 released on 27 Feb 2009.

• PHPAuthentication-1.0.zip

This software is free under the terms of the GNU General Public License: use it, share it and have fun! If you use this software and are happy with it, please consider donating.

Legal

This is PHPAuthentication v1.0, a PHP implementation of password login.

Copyright © 2009 Alberto Longhi <al@regoloarmonico.com>

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

For more information on the GNU General Public License please see http://www.gnu.org/licenses/.

This program includes the MD5 JavaScript implementation by Paul Johnston. Thank you Paul.