I am using the ION Auth library for Codeigniter. For security purposes, should I change the default URL/Controller from "/auth" to something that's unknown and more difficult to guess?
The "default controller exists purely as an example, you should not assume it is perfect.
That said changing it would be pointless. As soon as you provide a "login" link you would be telling people where it is...
The salts and encryption should be strong enough to keep people out. If you are REALLY worried about security, set up HTTPS.
You beat me to this Phil ;)
One other thing to add, I recommend creating routes for better URLs. So I map standard functions like login and logout; for example, auth/login maps to just /login.
Related
I am developing a web system in php using the laravel framework, I arrived at the part of authentication of users, where it is not allowed the type of user x access to page y. What is the best way to do this with laravel? I thought about creating a session and saving the id of the user, so every time he accesses a certain controller I check if he has access to the id or not. so I had some doubts.
Is this a good way to perform this authentication?
Is this really safe?
is there any way for the client to change my session?
What would be a better method for authenticating user access?
Laravel provides a very good authentication system out of the box. Even though Hacking is inevitable it provides very good protection and since Laravel is pretty popular framework you don't have to worry about the security part. if there is any security bug, patches will be available almost immediately.
And your second concern can a client can change the session ? the answer is NO, if you code it properly. session resides in the server unlike cookies, so there is no direct way for a user to change the session. if you follow good coding practices you are good to go.
And how do you limit userA from accessing pageB. This is a pretty common feature needed in almost all the applications. As of now Laravel does not provide an out of the box solution for this. but this is pretty simple, you can add a role column to the users table, and check whether user have appropriate permission in each page. Laravel keeps the user object in the session, and it is avilable via the auth() helper or Auth Facade. if you want a little sophisticated solution there is a package out there [entrust][1]. it seems a good choice.
You may want to read about
Authorization
Csrf Protection
Authentication
I hope I have addressed all your concerns
Laravel provides a simple way to authorize action thats purpose built for what you need:
https://laravel.com/docs/5.5/authorization
I am doing the security of my website and I'm using the Auth module that Laravel provides, as you know there are a lot of ways to perform security, you can use the middleware Auth to protect Routes, you can protect your controllers and views with the same module, that is what I'm doing right now.
I want to know from someone has experience hacking this system if just protecting my the routes where I want more security is more than enough, or I should keep protecting controllers and views that I don't want other people have access.
It is a simple question and I don't know if I should better put this question in the meta stack overflow.
Well, as far as i know, you can just protect routes. Routes are the way that people is going to access your application, they cant have access to the plain controller code. Using the auth you are going to create an "authentication" session, this is, you are going to protect the specific routes and give access just to an authorized person, this person is going to have an user/password to have access to your route. This is enough as route wise, but you (laravel takes care of it for you) have to be aware of sql injection and other stuff, thats the way that hackers will be able to have access to your information.
We have merchants logged in to a system, from which we want to link them to our Magento instance with some kind of admin token that will log them in directly without them having to manually login.
I see the rp_token field in the admin_user table but that appears to be related to a password reset, which probably isn't what we want.
Have done a bit of searching, found this thread which is related but is dealing with secret keys specifically (which will probably be my second challenge to resolve after resolving this one).
I'm guessing this isn't supported in core, but maybe there's a good extension out there to do it?
Or if not, what would be the best approach to implement? I'm guessing there is probably an event I could hook to look at a GET or POST param (which maybe could be a hash of the username and hashed password), then bypass the normal login() method which relies on username and plain text password.
That feels like it could be a little risky though? Any thoughts?
That feels like it could be a little risky though? Any thoughts?
This is extremely risky, but it can be done safely. I can speak on a similar issue I had in developing QuarkBar, an administration bar for Magento that is set to release this weekend.
So to show the bar, I need to verify the admin is logged in. Unfortunately that's hard to do on the frontend module, since there are two separate sessions. So to get around that I've created a quarkbar_session table. I use OpenSSL to store a secure crypt key once an admin is logged in, that I then check for on each request and match it to a cookie. If it matches, the admin is verified.
It's a little different from what you want of course, since I first set the key when the admin is logged in (it's an observer event). But it should get you started.
Source (NOT ready for production, use it for ideas): https://github.com/zschuessler/QuarkBar/tree/master/app/code/community/Zaclee/QuarkBar
Also, note that I'm storing the secure key so that I can access the admin backend. The solutions in your link say to disable it. You don't have to, check out QuarkBar for implementation.
I am trying to integrate two separate web applications - one is an existing custom web application with it's own security paradigm and the other is a reporting platform (JasperServer). I want to be able to use Jasper's web services interface to integrate the reporting functionality into our application. Our security model is complex and is home grown but I think there is hope.
We set a cookie that is an encrypted string containing a web service URI as the authentication source and a token which is stored in the database that is created when the user logs in and is destroyed when he/she logs out. I think I can leverage this to implement a kind of SSO in Jasper since it uses Spring Security.
What I THINK I should do is implement a pre-authentication filter that checks for the cookie I mentioned above. It could then decrypt it, make a web service call to the authentication source provided to verify the token is active in the database. If it is, that token can be used to point to user and role information that could be returned as a UserDetails object.
Unfortunately, I know enough to be dangerous but not enough to be effective. Am I on the right track? Does this solution sound tenable? If so, where would be a good place to start and are there any examples of something similar you could point me to? I've searched around quite a bit and have found nothing that quite fits the bill.
Thanks in advance to any and all who can provide me a glimmer of hope
Cookies are tied to a domain/subdomain/path and port. It is possible to set a cookie at the domain level so if you have something like webapp.mydomain.com and jasper.mydomain.com you may be ok assuming they are on the same port.
However be very careful about implementing your own SSO/Authentication framework. It requires a great deal of thought. As it stands your proposed implementation would be vulnerable to: replay, man in the middle, and XSRF attacks ... there may be other vulnerabilities but these are just 3 that come to mind ... sorry! :D
I'm using TurboGears with PyAMF behind a Flex client, and everything works well.
What I want to do is expose just a AMF login method to the world, and only allow access to other AMF functions once the user has logged in.
Also, once the user is known, I'd like the protected AMF methods to get the username from the auth information, so not every function has to start with the user_id.
Is there support for this sort of integration out there anywhere?
I have not done it, but I happened to have this bookmarked the other day via del.icio.us.
Hope it helps.
Using PyAMF With TurboGears 2
I ended up spending over a day hitting the /login url with html posts until it all worked. I couldn't use the repoze.who mechanism from within the Amf controller.
I don't think I'll choose Turbogears for my next project though... there have been problems with setup every time I've set it up, and having to do work-arounds like this is just because it's not a well thought out architecture.