Security Forums
Is my PHP code secure?

Forum: Networking/Security Forums Index -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security
BenB
Just Arrived
Joined: 06 Mar 2010
Posts: 0

Posted: Sat Mar 06, 2010 3:27 am    Post subject: Is my PHP code secure?

Okay, so I'm using PHP and want to make an encryption method for storing a random value in the user's cookie as a method of authentication so they don't need to log back in every time they visit the site. Would the code below be secure?

$salt = "some random characters I made up"; // secret string mixed into the hash input
// Cookie token: SHA-256 of the salt, the current time and an 8-digit random number
$token = hash('sha256', $salt . microtime(true) . mt_rand(10000000, 99999999));

Thanks!
gnix
Just Arrived
Joined: 11 Dec 2009
Posts: 0

Posted: Mon Apr 05, 2010 8:27 am

Trust me, the problem is rarely the random number used to track a user, but the website's cookie management.

gnix

p.s.: In any case, your random value is random for sure.

krugger
SF Mod
Joined: 08 Jun 2006
Posts: 16777209

Posted: Tue Mar 22, 2011 6:41 pm

A hash is 32 letters long, with 16 options per letter. So walking the entire key space takes 2^36 attempts, so it is a bit challenging.

The most common problems will be someone sniffing the cookie and replaying it. Anyway how do you validate the hash in the cookie the user sends you?
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Wed Mar 23, 2011 12:54 am
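The two points raised above (gnix: cookie management matters more than the random value; krugger: sniffing/replay, and how the cookie is validated server-side) can be shown together in one "remember me" flow. The following is an added example written for this thread, not code from BenB or any of the posters. It assumes PHP 7.3 or later, a PDO connection in $pdo, and a table remember_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64), user_id INT, expires_at DATETIME); the function and column names are made up for the example. It uses random_bytes() (PHP's CSPRNG) instead of mt_rand()/microtime(), stores only a hash of the token server-side, compares with hash_equals(), sends the cookie with Secure/HttpOnly/SameSite, and rotates the token on every use so that a replayed copy stops working.

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection in $pdo
// and a table remember_tokens(selector, validator_hash, user_id, expires_at).
declare(strict_types=1);

const COOKIE_NAME = 'remember';
const TOKEN_TTL   = 30 * 24 * 3600; // 30 days

// Issue a fresh token after a successful password login.
function issueRememberToken(PDO $pdo, int $userId): void
{
    // Two CSPRNG parts: a selector used to find the row, and a validator whose
    // SHA-256 is stored. The cookie carries both; the database never holds the validator.
    $selector  = bin2hex(random_bytes(12)); // 96 bits, 24 hex chars
    $validator = bin2hex(random_bytes(32)); // 256 bits, 64 hex chars

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:sel, :vh, :uid, :exp)'
    );
    $stmt->execute([
        ':sel' => $selector,
        ':vh'  => hash('sha256', $validator),
        ':uid' => $userId,
        ':exp' => date('Y-m-d H:i:s', time() + TOKEN_TTL),
    ]);

    setcookie(COOKIE_NAME, $selector . ':' . $validator, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP, so it cannot be sniffed in transit
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Validate the cookie on a later visit. Returns the user id, or null if the token is not accepted.
function checkRememberToken(PDO $pdo): ?int
{
    $cookie = $_COOKIE[COOKIE_NAME] ?? '';
    $parts  = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = :sel'
    );
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strtotime($row['expires_at']) < time()) {
        return null; // unknown selector or expired token
    }

    $delete = $pdo->prepare('DELETE FROM remember_tokens WHERE selector = :sel');

    // Constant-time comparison of the stored hash with the hash of what the client sent.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with the wrong validator: invalidate it rather than leave it usable.
        $delete->execute([':sel' => $selector]);
        return null;
    }

    // Rotate on every use: the old cookie value is now dead, so a replayed copy no longer matches.
    $delete->execute([':sel' => $selector]);
    issueRememberToken($pdo, (int) $row['user_id']);
    return (int) $row['user_id'];
}
```

Call issueRememberToken() right after the password check succeeds, and checkRememberToken() at the start of a request that has no active session; because setcookie() sends a header, both must run before any output. The split into selector and validator means the database lookup is by an unguessable key and the secret part is never stored in clear, so a leaked table does not hand out working cookies.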

krugger wrote:
A hash is 32 letters long, with 16 options per letter. So walking the entire key space takes 2^36 attempts, so it is a bit challenging.

Assuming 32 letters, I think you mean 16^32 == (2^4)^32 == 2^(4*32) == 2^128 attempts (as a worst case scenario for the attacker, of course)

In BenB's case, sha256 is being used, so for a pure brute force approach it would take 2^256 attempts (again as a worst case scenario).