Login System
From FiFormsWiki
FiForms offers a modular login system, with authentication classes that can be selected in the configuration. Up to FiForms version 1.1, FiForms has only offered one pre-built authentication module: HTTP Basic Authentication. We are in the process of designing a new, more advanced, and more secure login system which relies on cookies and a system of hashing, encryption, and key escrow to protect the authentication credentials.
Authentication Modules Overview
Basic Authentication
FiForms Advanced Authentication
Development Notes
Just a place to keep notes about how we're implementing this thing.
Configuration Variables
- AUTH_SERVER
- AUTH_USER
- AUTH_PASSWORD
- AUTH_TIMEOUT
- AUTH_IPMATCH
Setup
MySQL has several logins with grants on the application data, for example:
- anonymous (with permission to read only usernames and encrypted session information)
- user (normal user logins, which vary by role. One MySQL login corresponds to one role, with multiple application users able to use the same role)
- admin (admin, or root, user, with permission to modify user login info)
FiForms maintains a separate user authentication database. Users are mapped to one or more roles within the application. Roles are mapped directly to a MySQL login username (as described above). However, the login password is not stored under the role: the MySQL username/password for each role is encrypted using a salted hash of the user login password. Without the login password, an offline attack on the FiForms user database will not reveal MySQL credentials. During login, a second, differently salted hash of the login password is used for a challenge-response authentication, to protect against passive network sniffing attacks. During the session, MySQL login credentials are re-encrypted using a temporary key, which is stored only in a browser cookie. Sessions can be locked to a single browser IP, and expired after a set time, or on logout (at which time credentials are completely forgotten).
Account Setup Behavior
- Administrator requests account setup form
- Server sends JavaScript setup form to client
- Server generates random enc_salt and auth_salt, sends to client
- Administrator enters:
  - MySQL Username & Password (mysql_user, mysql_pass)
  - New FiForms Admin Username (user_name)
  - New FiForms Admin Password (pass_text)
- JavaScript:
  - Password rules checked:
    - At least 8 characters with characters from 3 of 4 categories: Uppercase, lowercase, digit, symbol
  - enc_key = sha256(enc_salt+pass_text)
  - auth_hash = sha256(auth_salt+pass_text)
  - pass_text is reset, so is not transmitted to server
  - user_name sent to server
- Server Encrypts MySQL Credentials with enc_key
  - $enc_data = encrypt(compress($data),$enc_key);
  - $enc_hash = sha256($enc_data.$enc_key);
- Server stores:
  - $user_name
  - $enc_data
  - $auth_hash
  - $enc_hash
Login System Behavior
- FiForms initiates a session
- FiForms sends user login form, asking for username
- User submits username
- FiForms generates password form
  - Queries username in user database
  - Retrieves enc_salt, auth_salt
  - If user is not found, generates enc_salt and auth_salt based on the username and some secret server value
  - Generates random auth_challenge
  - Stores auth_challenge in session
  - Sends username, enc_salt, auth_salt, auth_challenge in password request form
- User enters password pass_text
- JavaScript:
  - enc_key = sha256(enc_salt+pass_text)
  - auth_response = sha256(sha256(auth_salt+pass_text)+auth_challenge)
  - pass_text is cleared, not sent to server
- Server Side:
  - FiForms compares auth_response with calculated_auth_response
  - FiForms reads enc_data from database
  - Uses enc_key as key to decrypt MySQL Credentials
  - FiForms creates two session variables: a session ID and a session encryption key. Both variables are sent to the client as cookie(s)
  - The server encrypts the MySQL credentials using the session encryption key, and stores them along with non-sensitive session information
  - The server forgets the session encryption key between page requests.
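The challenge-response steps above, written out for both sides as an added example (Node.js; this is not FiForms code). Assumptions not stated in these notes: digests are hex strings over UTF-8 concatenation, decoy salts for unknown users are an HMAC of the username under the server secret, and each auth_challenge is accepted once. The function names and sample values are constructed for the example.

```javascript
const crypto = require('node:crypto');

// Assumption: sha256() hashes the UTF-8 string concatenation and returns lowercase hex.
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const SERVER_SECRET = 'constructed-server-secret'; // stands in for "some secret server value"
const users = new Map(); // user_name -> { enc_salt, auth_salt, auth_hash }

// Account setup: the browser derives auth_hash; the server stores it with the salts.
function setupAccount(user_name, pass_text) {
  const enc_salt = crypto.randomBytes(16).toString('hex');
  const auth_salt = crypto.randomBytes(16).toString('hex');
  users.set(user_name, { enc_salt, auth_salt, auth_hash: sha256(auth_salt + pass_text) });
}

// Assumption: decoy salts are an HMAC of the username, so an unknown name always gets the same salts.
const decoySalt = (label, user_name) =>
  crypto.createHmac('sha256', SERVER_SECRET).update(label + ':' + user_name).digest('hex').slice(0, 32);

// Server: build the password form and keep auth_challenge in the session.
function passwordForm(session, user_name) {
  const u = users.get(user_name);
  session.user_name = user_name;
  session.auth_challenge = crypto.randomBytes(16).toString('hex');
  return {
    user_name,
    enc_salt: u ? u.enc_salt : decoySalt('enc', user_name),
    auth_salt: u ? u.auth_salt : decoySalt('auth', user_name),
    auth_challenge: session.auth_challenge,
  };
}

// Browser: only enc_key and auth_response are submitted, never pass_text.
const clientRespond = (form, pass_text) => ({
  enc_key: sha256(form.enc_salt + pass_text),
  auth_response: sha256(sha256(form.auth_salt + pass_text) + form.auth_challenge),
});

// Server: recompute calculated_auth_response and compare in constant time.
function verifyLogin(session, auth_response) {
  const u = users.get(session.user_name);
  const challenge = session.auth_challenge;
  delete session.auth_challenge; // assumption: single use, so a sniffed response cannot be replayed
  if (!u || !challenge || typeof auth_response !== 'string') return false;
  const expected = Buffer.from(sha256(u.auth_hash + challenge), 'hex');
  const got = Buffer.from(auth_response, 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

Because calculated_auth_response is derived from the stored auth_hash, a copy of auth_hash is enough to answer a challenge even though it does not yield enc_key, so the user table needs the same protection as password equivalents.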
