Larry Ullman's Book Forums

Showing results for tags 'is this secure'.
Found 1 result

  1. Hey, everyone. Coding a small application with user authentication. Never done this before as I've not been secure enough regarding my abilities to create something secure.

Regarding password security: My passwords are saved using double hashing. First, the user's email is hashed with the sha256 algorithm together with a site-wide salt using the function below. I then use the same hashing function to hash the user's password together with the unique salt. That means that password will differ for each user even if they use the same password. Don't mind the functionality of $mysqli->query(), etc. I use my own class.

```php
public function login( $email, $password )
{
    // Get DB connection
    $mysqli = new Database();
    $mysqli->escape($email);

    // Get user from DB
    $user = $mysqli->query("SELECT * FROM bet_users WHERE email = '$email' LIMIT 1");

    // Make sure we found a user ( An array )
    if ( is_array($user) )
    {
        // Get special hash
        $hash = $this->hash($email, HASH_SALT); // Site wide salt

        // Check hashed passwords
        if ( $user['password'] == $this->hash($password, $hash) ) // Hash $password with unique salt
        {
            // Prevent session hijack
            Util::validate_session($email);

            // Set user details
            $this->set_user_details($user);

            // User is logged in
            return true;
        }

        // Wrong password
        return false;
    }

    // No such user
    return false;
}

private function hash( $input, $salt )
{
    // Initialize an incremental hashing context
    $hashed = hash_init('sha256', HASH_HMAC, $salt);

    // Set active hashing context
    hash_update($hashed, $input);

    // Return hashed password
    return hash_final($hashed);
}
```

Regarding login checks: I only add $_SESSION['admin'] to the session array if the queried user has admin status in the DB. My checks look like this and use the session hijacking check below. I use these functions like Util::is_logged_in() and Util::is_admin().

```php
public static function is_logged_in()
{
    return isset($_SESSION['user_id']) && self::validate_session($_SESSION['email']);
}

public static function is_admin()
{
    return self::is_logged_in() && isset($_SESSION['admin']) && $_SESSION['admin'] == true;
}
```

Here's the function to prevent session hijack:

```php
public static function validate_session( $email = null )
{
    // Set hashed http user agent
    $agent = md5($_SERVER['HTTP_USER_AGENT'].$email);

    // Check for instance
    if ( isset($_SESSION['initiated']) == false || isset($_SESSION['HTTP_USER_AGENT']) == false )
    {
        // Create new id
        session_regenerate_id(TRUE);
        $_SESSION = array();
        $_SESSION['initiated'] = true;

        // Set hashed http user agent
        $_SESSION['HTTP_USER_AGENT'] = $agent;
    }

    if ( isset($_SESSION['initiated']) && isset($_SESSION['HTTP_USER_AGENT']) )
    {
        // Validate the agent and initiated
        if ( ($_SESSION['HTTP_USER_AGENT'] == $agent) && $_SESSION['initiated'] )
        {
            return true;
        }
        else
        {
            // Destroy session
            session_destroy();
            return false;
        }
    }

    return false;
}
```

How would you say the security is here? Is the security good? Any improvements I can make? Thanks for any answers.
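Added example, not the poster's code and not from the book: the same login flow rebuilt on PHP's built-in password API and a prepared statement. password_hash() generates a random per-user salt and uses a deliberately slow algorithm (bcrypt by default), password_verify() compares in constant time rather than with ==, and the query binds the email as a parameter instead of interpolating it into the SQL string. The session is reset on successful login. It uses an in-memory SQLite table through PDO so it runs offline; the table and column names, the sample account, and the $session array standing in for $_SESSION are assumptions made for the example.

```php
<?php
// Added example (not the poster's code). Table/column names and the sample
// account are constructed; $session stands in for $_SESSION so this runs in the CLI.
declare(strict_types=1);

function create_user_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE bet_users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL,
        is_admin INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

function register(PDO $db, string $email, string $password, bool $isAdmin = false): void
{
    // password_hash() chooses a random salt per user and embeds it in the result,
    // so no site-wide salt or hand-rolled HMAC construction is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO bet_users (email, password_hash, is_admin) VALUES (:email, :hash, :admin)');
    $stmt->execute([':email' => $email, ':hash' => $hash, ':admin' => $isAdmin ? 1 : 0]);
}

// A real-looking hash verified when the account does not exist, so a failed
// login takes the same time whether or not the email is registered.
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('placeholder-never-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Returns the populated session on success, null on failure.
function login(PDO $db, array &$session, string $email, string $password): ?array
{
    // Bound parameter: the email never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, email, password_hash, is_admin FROM bet_users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = ($user !== false) ? $user['password_hash'] : dummy_hash();
    $ok = password_verify($password, $storedHash); // constant-time comparison
    if ($user === false || !$ok) {
        return null;
    }

    // Upgrade the stored hash transparently if the default cost has since increased.
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE bet_users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }

    // Start from an empty session on privilege change; in a web request this is
    // where session_regenerate_id(true) would be called.
    $session = [];
    $session['user_id'] = (int) $user['id'];
    $session['email']   = $user['email'];
    $session['admin']   = ((int) $user['is_admin']) === 1;
    return $session;
}

function is_admin(array $session): bool
{
    return isset($session['user_id']) && ($session['admin'] ?? false) === true;
}

// Constructed sample run
$db = create_user_store();
register($db, 'alice@example.com', 'correct horse battery staple', true);
$session = [];
$rejected = login($db, $session, 'alice@example.com', 'not the password') === null;
$accepted = login($db, $session, 'alice@example.com', 'correct horse battery staple') !== null;
printf("wrong password rejected: %s\n", $rejected ? 'yes' : 'no');
printf("right password accepted: %s\n", $accepted ? 'yes' : 'no');
printf("session marks admin:     %s\n", is_admin($session) ? 'yes' : 'no');
```

Running this needs the pdo_sqlite extension. The admin flag is still taken only from the database row at login time, which matches the poster's approach; what changes is that the password never needs a site-wide secret, the hash is slow and individually salted, and the lookup cannot be altered by the contents of the email field.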