pajamas..
php and javascript advanced md5 authentication system
The connexion between "pajamas", which is an acronym for "php and javascript advanced md5 authentication system" and an actual pair of "Pyjamas" is that when you feel secure, you sleep better. Of course the words sound identical, too.pajamas began as an attempt to create a more secure login using client-side hashing, which is one-way encryption, and as a demonstration, mainly for other web-coders, to two enormous security holes in all-too-common existence..
The first exists when folk use "public" browsers. Often the username and password are stored on the machine, and can be re-used, even by accident, by other members of the public. Clearly this presents a problem, and one which, for some reason, most people like to forget and/or ignore. Probably, like me, they realized it would need to be done with JavaScript, and then ran in the opposite direction.
The second hole is more obvious, and that is the plain text password travelling freely across the wires. This one has received more worldwide attention, but it's still ignored in most php web applications. There are literally hundreds of articles out there describing how to store a user's password using all manner of weird and wonderful algorithms, to protect it from "unauthorised database access", or "unauthorised server access", and yet still expecting the password to arrive in plain text. GUYS!
If your database isn't secure you are in trouble. Same for your filesystem. These are places over which you have control. The place where you certainly don't have control, ever, is the internet. And the moment that packet of data leaves the user's presumably safe environment it's fair game. Its contents could be stored on any one of the many nodes between server and client, dubious proxy "servers" could scan it, on poorly configured servers (most) passwords will show up on other server's referrer logs, etc. There it is, your plain-text password, travelling around the internet in a bundle of other useful plain text information, like the URL of the so-called secure login page, probably your username. No! This is insane!
pajamas takes an entirely different approach. The password is securely hashed before being sent over the wires. Now, not only is interception no longer a problem (it's impossible to retrieve the password from the hash in the given time-frame, even a very much longer time-frame), but public browsers can't save or cache it, either*, being a one-shot mish-mash of your password and some random generated string. Each time you login, it's completely different.
With pajamas, the only places the password ever exists in the clear are in your presumably secure server environment, and the presumably secure user's brain. This password is only protecting access to this server's content; ergo, breaching the web server breaches the user's "protected" data, anyway. To my reckoning, it would be considerably more difficult to compromise a modern web server and get root, than it is to search some log for the phrase "password".
Which strategy is best? You decide.
Since its birth back in 2004, pajamas spent quite a long time lying fairly dormant, yet working away quietly in the background as a highly useful authentication script. More recently, pajamas has grown into a rather neat modular authentication system, and the old "pj" module has essentially become one of its plug-ins. There's also a "plain" plugin that retains many of the good features of pj, but without the client-side hashing, for situations where JavaScript isn't available (On The Moon, maybe!). pj's client-side hashing is made possible with the excellent JavaScript functions provided by Paul Johnston's javascript MD5 code.
You can enjoy my wee "protected" image gallery, and try-out pajamas at the same time, here.
If you'd like to ask questions, give feedback, enlighten me, etc, you can do that at the bottom.
There is also a sha1 pajamas plug-in called "shaggie", which is currently available only inside my other packages (e.g. the distro machine), feel free to download and play around with it; get back to me if you find any issues, thanks.
Here's the current pajamas code..
(of course, most of the good stuff is inside the modules!)
<?php // ۞// text { encoding:utf-8 ; bom:no ; linebreaks:unix ; tabs:4sp ; }
if (realpath ($_SERVER['SCRIPT_FILENAME'] ) == realpath ( __FILE__ )) {
@include $_SERVER['DOCUMENT_ROOT'].'/inc/source-dump.php';
source_dump(__FILE__); }
/*
pajamas
modular authentication system
For full details, usage instructions, etc, see the accomanying readme.
If you you got this without a readme, check out the link below.
If you need help, mail me @ corz.org, or if you think a solution to your
issue would be valuable to others, drop a comment on the pajamas page..
https://corz.org/server/security/pajamas.php
Have fun!
;o)
ps.. Big thanks to PCheese for all the help with the OOP.
d00D! I get it now! And I hope you like where I took it. ;o)
(c) 2004->tomorrow! ~ cor + corz.org ;o)
Please view the license for this free software, here:
https://corz.org/free-scripts-licence.nfo
*/
/*
pajamas authentication..
*/
class pajamas {
/*
version
Currently, we have the bare bones of the thing, and it works great!
There may yet be bugs, and all bug reports are wholeheartedly welcomed.
*/
var $_version = '0.3';
/* public properties.. */
/*
default module
(string) name of module file (minus .php extension)
current choices are 'plain' or 'pj' (the best)
If, for some insane reason, you don't have access to a JavaScript-
capable browser, use 'plain', otherwise, use 'pj'.
the plain module can be configured in exactly the same way as
the pajamas module, and has many of its features, too; sessions, IP
check, time-out, etc., the only difference being that the password is
sent over the wire in plain text.
Though unlike HTTP basic authentication, which send the password with
every single request, with the plain module, the password travels over
the wires one time only.
*/
var $_default_module = 'pj';
/*
password
(string) default: 'password';
a quick and dirty way to store your password..
or you could keep it in a database, or include from another file,.
include '/some/other/place/config.php'; and set it externally..
$auth->_login_password = 'MyPassword';
Passwords are case-sensitive.
*/
var $_login_password = 'password';
/*
IP address check?
boolean (true/false) default: true;
normally, we check the IP address of the authorising browser. However, if the user
is behind a proxy farm (very unusual), this will break his session, as his IP will
change with (possibly) each request. If you have users behind proxy farms, (or you
are) set this to false, or else advise them to use *yet another* proxy (two proxies).
*/
var $_check_ip = true;
/*
do time-out?
boolean default: true;
we can specify a time-out for the session. if you set this to false,
the session is live until the client's browser is quit, or they log out.
*/
var $_do_time_out = true;
/*
time-out
integer (in minutes) default: 60;
an hour is reasonable, anything goes. the demo uses 0.5 (30 seconds)
*/
var $_session_time = 60;
/*
big luser
integer (max failed attempts) default: 10;
they tried and tried, but it just isn't happening. Or else they are taking the p*ss.
A script perhaps, some brute force. Whatever, it would probably be best for everyone
if we halted them in their tracks after how many failed login attempts?
*/
var $_big_luser = 10;
/*
kick bad users?
boolean (true/false) default: false;
optionally we can prevent even correct logins from browsers that repeatedly sent bad logins..
If you set this to true, after($_big_luser) failed login attempts, the property
"$auth->_bad_user" will be set to true. Now, even a correct login will fail to authenticate.
You can check for bad users, and then do what you like with them..
if ($auth->_bad_user) { die('go away!');
If you leave kick_bad_users set to false, a correct login will override all previous bad logins.
The idea is, someone may be attempting to login from your terminal, and fail, so they receive
a message informing them of the futility of it, *hopefully* they will stop now. If the *real*
admin comes along, he should be able to log straight in, and shouldn't have the inconvenience
of restarting the browser just because some twat was fooling around. But you can disable this
behaviour by simply setting this to true.
*/
var $_kick_bad_users = false;
/*
show error messages?
boolean (true/false) default: true;
pj generates some messages for the various error conditions, you can use these however
you like, and latest message is always in "_auth_message"
If you like, you can have pj display these messages just above the login form,
so the user is aware that their password was incorrect, or whatever..
*/
var $_do_messages = true;
/*
create containing forms?
boolean (true/false) default: true;
If you are already inside a form, set this to false to avoid nesting forms,
which will break xhtml valiadation, among other things (including the md5)..
$auth->_createForms = false;
Remember you can also pass "true" to your form input function, to have a
simple, div-less output, like this..
echo $auth->getLoginForm(true);
*/
var $_createForms = true;
/*
autocomplete="off"
boolean (true/false) default: true; (doesn't validate, but hey!)
a good, mostly supported proprietary Internet Explorer property.
This will break strict xhtml validation (which is annoying), but you may feel
that it's worth it. With this set to true, browsers will not annoy you to try
and save the password (which, at least with the 'pj' module, is a one-shot
mish-mash that will become useless the instant you logout).
It will only break your xhtml validation until you login, of course.
Set this to true to add 'autocomplete="off"' to your password field. TADA!
One of the rare occasions where Internet Explorer leads the way! If you are
obsessed with strict xhtml 1.0 validation, screw your users and set this to
false.
btw: if you known an xhtml-friendly way to do this, MAIL ME! ;o)
*/
var $_no_autocomplete = true;
/*
code loaction.
(string) default: '';
Some modules may require included code.
In "pj", this sets the default location of javascript MD5 functions file and
will be used to create the script tag that includes the JavaScript MD5
functions on your page, like this..
echo $auth->getAuthCode();
You can override the location by setting this..
$auth->_code_location = 'inc/md5.js';
*before* you echo the code. relative or absolute paths are fine, just like a
regular javascript include.
*/
var $_code_location = '';
/*
a simple error catcher.
boolean (true/false) default: true;
session errors of level "E_NOTICE" (type 8) will be caught and stored,
rather than spew onto your page. use..
echo $auth->getErrors();
to see them, or pipe that somewhere else. essentially this saves having
your pages all messed up when you are testing your pj implementation on
a server with error level E_ALL set (all development servers, yeah?),
mainly for "session already started" type errors. It was annoying!
we throw errors into a global variable because a) I use this system for
errors anyway, (my debug script throws me a pop-up if it finds anything in
$GLOBALS['errors'], and b) variables inside error handlers are a disaster!
*/
var $_error_catcher = true;
/*
Private properties.
DO NOT CHANGE THESE.
You shouldn't change anything above either;
set it externally like so..
$auth->_do_time_out = false;
*/
var $_auth_message = '';
var $_auth_module = ''; // a pointer to *real* auth class
var $_bad_user = false;
var $_default_uid = 'pajamas';
var $_is_authenticated = null; // start out in unknown (unset) state
var $_module_loaded = false;
var $_modules_path = 'modules/';
var $_interface = 'advanced'; // 'advanced' or 'simple'
// constructor..
function pajamas ($uniqueid='') {
if (!empty($uniqueid) and ctype_alnum($uniqueid)) {
$this->_unique_id = $uniqueid;
} else {
$this->_unique_id = $this->_default_uid;
}
if ($this->_error_catcher) {
$this->startErrorHandler();
}
}
function authModule() {
include $this->_modules_path.$this->_default_module.'.php';
$this->_auth_module = new authModule($this->_unique_id);
// setup its preferences..
// (we could perhaps check module's capabilities and only set those)
if ($this->_interface != 'simple') {
$this->_auth_module->_login_password = $this->_login_password;
$this->_auth_module->_check_ip = $this->_check_ip;
$this->_auth_module->_do_time_out = $this->_do_time_out;
$this->_auth_module->_session_time = $this->_session_time;
$this->_auth_module->_big_luser = $this->_big_luser;
$this->_auth_module->_kick_bad_users = $this->_kick_bad_users;
$this->_auth_module->_do_messages = $this->_do_messages;
$this->_auth_module->_createForms = $this->_createForms;
$this->_auth_module->_no_autocomplete = $this->_no_autocomplete;
}
$this->_module_loaded = true;
}
function auth_user() {
if (!$this->_module_loaded) { $this->authModule(); }
if ($this->_is_authenticated) { return true; }
$auth_status = $this->_auth_module->auth_user();
$this->_auth_message = $this->_auth_module->_auth_message;
if ($auth_status) {
$this->_is_authenticated = true;
return true;
} else {
$this->_is_authenticated = false;
return false;
}
}
function getAuthCode() {
// this will need to load before authentication,
// so we set it here, and now overriding works as expected.
$this->_auth_module->_code_location = $this->_code_location;
$html = $this->_auth_module->getAuthCode();
if (!empty($html)) { return $html; }
else { return ''; }
}
function getLoginForm($simple=false) {
return $this->_auth_module->getLoginForm($simple);
}
function getLogoutButton($simple=false) {
return $this->_auth_module->getLogoutButton($simple);
}
function getSelf() {
return $_SERVER['SCRIPT_NAME'];
}
function getBadUser() {
return $this->_auth_module->_bad_user;
}
function remainingTime() {
if ($this->_do_time_out) {
$now = explode(' ',microtime());
$time = $now[1].substr($now[0],2,2);
settype($time, 'double'); // 100th/second..
return (($this->_session_time * 6000) - ($time - $_SESSION['auth'.$this->_unique_id]['login_at'])) / 100;
} else { return false; }
}
/*
a simple session error catcher..
*/
function getErrors() {
if (!empty($GLOBALS['errors']['pajamas'])) {
return $GLOBALS['errors']['pajamas'];
}
}
function startErrorHandler() {
set_error_handler(array($this, 'handle_error'));
}
function handle_error($type, $string, $file, $line, $vars) {
switch (TRUE) {
case ($type == 8 and stristr($string, 'session')): // doesn't look so clever with only one case!
if (empty($GLOBALS['errors']['pajamas'])) { $GLOBALS['errors']['pajamas'] = ''; }
$GLOBALS['errors']['pajamas'] .= 'NOTICE! session error on line '.$line.' of '.$file.': '.$string;
return true;
break; // *ahem*
default:
return false; // better let php handle this one.
}
}
} // end class pajamas()
class pajamasSimple extends pajamas {
function pajamasSimple($uniqueid='') {
if (!empty($uniqueid) and strstr($uniqueid, '-')) {
$simple_prefs = explode('-', $uniqueid);
$uniqueid = trim($simple_prefs[0]);
if (!empty($simple_prefs[1])) { $my_module = trim($simple_prefs[1]); }
}
parent::pajamas($uniqueid);
$this->_interface = 'simple';
if (!empty($my_module)) { $this->_default_module = $my_module; }
if (!$this->_module_loaded) { $this->authModule(); }
if (!empty($this->_auth_module->_code_location)) {
$this->_code_location = $this->_auth_module->_code_location;
}
echo $this->getAuthCode();
if ($this->_auth_module->auth_user()) {
echo $this->_auth_module->getLogoutButton();
} else {
echo $this->_auth_module->getLoginForm();
}
}
}
/*
version history
0.3
fixed bug, not passing variables through to getLogoutButton() and getLoginForm()
0.2
first public release of pajamas engine
0.1
basic authentication module loader. almost works.
*/
?>
have fun!
;o) corz.org
references:
At least, this is the expected behaviour - currently, as far as I know, Opera saves the *typed* password, rather than the *sent* password, effectively defeating all forms of client-side password hashing strategy, dudes! - I've figured out a way around this, by the way, which will hopefully hit the code stage for my upcoming "shaggie" pajamas module. Take it easy!
Welcome to the comments facility!
You spotted the zip download link at the top of the page, yeah?
And Javascript is a browser thing, so long as your server supports php (>=v4.2) pajamas will run just fine, after that, it's their problem!
;o)
hmm, why don't you use onSubmit instead of onClick handler? It should resolve the click 'log in' issue, atleast to my knowledge
Hmm. sounds good. I'll try that sometime. Thanks.
But then, it's only Internet Explorer users that suffer, and they do that anyway!
;o)
Maybe I missed this, but there's still a bit of a problem with this... that is, how to create the password in the first place. If you already know it, that's wonderful, but is there any way for a user to create a password and send it to the server for the first time without doing it in plain text?
Nope, Dane, this isn't a mechanism for creating passwords, just for authentication. There are possibly other ways to do that, but it's not something I've ever needed, or looked at. Sorree.
;o)
ps.. sami, onsubmit doesn't seem to make any difference in IE. I'll maybe have another fiddle later.
Observant sorts may have noticed that earlier today I uploaded the new "pajamas modular authentication system", which is pajamas taken to the next level.
pajamas.php becomes a module-loader-authentication-engine-thing, and the old "pj" is now effectively a plug-in, works great. Everything is pure xhtml 1.0 strict, and with help from PCheese, 100% OOP! I expect oop-ness to start sneaking into my other php, it's certainly an intuitive way work the code.
Though I have tested it out fairly thoroughly, and am using it right now elsewhere, I expect bugs, and bug reports are most welcome. Feel free to play around with the demos (links at the top) and download the pajamas package, which comes with two plug-in modules "pj" and "plain", as well as the pajamas demos, example code, etc. Check out the readme for more details. You can also view the source right here.
Thanks for all the input so far, here and by mail, hopefully the new system will be all that was hoped for and more.
for now..
;o)
ps.. when I first uploaded the whole lot here to corz.org, the "simple" interface demo didn't work, kept telling me the password was wrong when it wasn't. Then I remembered about the phpsuexec here at my host, added a few local php.ini files (whose only session directive is session.use_trans_sid = 0). All is suddenly well! Hmm. Any thoughts on would be appreciated.
By the way, although there's not an official release, as such; if you grab the latest version of my distro machine, you get a pajamas installation with a SHA-1 module. It also outputs strict XHTML, which I don't think the current release does.
I'll put together a new pajamas distro proper in the near future.
By the way; here at corz.org, apart from the comments, pajamas controls all my authentication, and I pretty much have a site-wide login, which is real nice.
;o)
Corz, I cam here via this page:
http://foruhttp://forums.invisionpower.com/index.php?showtopic=181089&mode=linearplus
It says that pajamas is only "obscuring" the password. Is this true?
Best.
Ryan.
Heh, no.
Either the poster a) didn't look at the code, or b) didn't understand it.
Whether you can see the "random number" is irrelevant. Firstly, pajamas uses many criteria to judge whether a particular user is authenticated or not, and secondly, even if someone had access to some as-yet-uninvented computer that could find a collision within a reasonable time-frame, it would be ABSOLUTELY NO USE TO THEM. It became out-of-date the instant it was received. Which is kind of the whole point.
Also, there's a SHA1 plugin, so even our theoretical computer wouldn't help!
;o)
ps. I've been using pajamas on-site, for all my admin authentication, ever since it was first created, and with 100% success.
What stops someone reverse-engineering your system by looking at the source code of the page?
"The only "weakness" with the current pajamas implementation is that your password is visible to someone if they have access to your raw filesystem, and if they have that, no amount of authentication will stop them getting your goodies, will it? pajamas isn't designed to protect you from unscrupulous hosting admins!"
And what happens when a cracker accesses your raw filesystem via URL injection?
What stops someone reverse-engineering your system by looking at the source code of the page?
You can even look at the source code for the pajamas package itself; it won't help you reverse engineer anything; there's nothing to reverse-engineer, MD5/SHA1/etc. are one-way cryptographic functions. The code is already well-known.
And what happens when a cracker accesses your raw filesystem via URL injection?
My first response to this is.. stop talking nonsense! However, you may know something I don't; so if you tell me exactly how this attack is crafted, and how you could access my raw file system with it, I may amend my response.
;o)
ps. I've uploaded a file /inc/db/.ht_secrets - please use your attack and tell me the password contained in that file. Cheers!