I am developing a web application for my university project this summer and I am looking for some advice. The web application is to be deployed into a Windows environment that has around 500 users. The users will need to log in before they can access the web application, and this is where my first problem appears.
Do I need a way to export the users from Active Directory with their passwords on a daily basis? However, I know that passwords are stored as a hash, not clear text, so I'd have to mimic the hashing in my web app. So do I use LDAP to authenticate the users for me? I would appreciate some advice, or maybe a link to a resource that anyone knows would be worth me reading.
Note.
The web application will be made in PHP with a SQL database, running on a Windows server inside the same domain.
Thanks
PHP has an LDAP module that allows you to interface with Active Directory without exporting it.
Here is an example of implementing LDAP authentication through PHP:
http://code.activestate.com/recipes/101525-ldap-authentication/
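As an added example (not the linked recipe's code, and not from any answer here), a PHP function that authenticates by binding to Active Directory as the user, so no passwords or hashes ever have to be exported; the host, UPN suffix and base DN are assumed placeholders. The same bind-as-the-user mechanism is what the adLdap and davidschultz.org suggestions further down rely on.

```php
<?php
// Added example: authenticate a user against Active Directory with PHP's ldap
// extension by performing a simple bind with the user's own credentials.
// AD_URI, AD_DOMAIN and AD_BASE_DN are assumed placeholder values.
declare(strict_types=1);

const AD_URI     = 'ldaps://dc01.example.local';  // assumed; LDAPS so the password is not sent in clear
const AD_DOMAIN  = 'example.local';               // assumed UPN suffix
const AD_BASE_DN = 'DC=example,DC=local';         // assumed search base

/**
 * Returns ['user' => sAMAccountName, 'groups' => [group DNs]] on success, null on failure.
 * The DC checks the password during the bind, so the web app never handles hashes.
 */
function ad_authenticate(string $username, string $password): ?array
{
    // AD treats an empty password as an anonymous (unauthenticated) bind, which
    // commonly succeeds, so refuse it before talking to the DC at all.
    if ($username === '' || $password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // do not chase referrals across the forest

    // Bind as the user with their UPN; a wrong password makes this bind fail.
    if (@ldap_bind($ldap, $username . '@' . AD_DOMAIN, $password) === false) {
        ldap_unbind($ldap);
        return null;
    }

    // Fetch the account; escape the filter value so a crafted username cannot alter the filter.
    $filter  = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($ldap, AD_BASE_DN, $filter, ['sAMAccountName', 'memberOf']);
    $entries = $result !== false ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return null;
    }
    $entry  = $entries[0];                       // attribute names come back lower-cased
    $groups = $entry['memberof'] ?? ['count' => 0];
    unset($groups['count']);                     // drop the 'count' key PHP adds
    return ['user' => $entry['samaccountname'][0], 'groups' => array_values($groups)];
}

// Typical use from a login handler:
// $who = ad_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
```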
Since PHP already has libraries to assist you with interacting with LDAP, that might be the way to go. Exporting and managing users yourself sounds like reinventing the wheel.
Just contact the auth server using PHP::LDAP. This blog post shows a good example.
I am trying to secure a PHP web application which runs out of a WAMP-style local installation.
Currently, passwords for the app's database are just in the .php files. I thought about encrypting them, but any person can just step through the code to decrypt them pretty easily.
This does not run on a web server, it runs on the user's PC. Has anyone here attempted to secure this type of application, and perhaps shipped a compiled program to return the passwords, or perhaps used an external keystore somehow?
Your thoughts are appreciated.
Clarification: The database is also on the local PC.
There are a LOT of very robust external authentication providers out there, Firebase and OAuth to name a few. Technically speaking, no system is 100% hack-proof, but Firebase and OAuth give would-be hackers a tough road to success.
You can use an ENV variable in that case: make a .env file, store the password in that, and call the same in the application.
You can also create an environment variable in the Apache config file and call it from there in your application; this is more secure.
There is no way to protect database connection credentials if you are giving the client/user the source code. Basically, if your app can access it and the source code is there for them to use, read and parse, then they have the same access as the software does.
I am trying to build a web CMS application using PHP and SQL. I haven't fully learned Laravel yet and I may need more time to complete my course. My question is: does Laravel come with built-in extra security, or is it the same as coding it in our own PHP? No one told me this; I have a feeling I would have to do a lot of manual coding to secure my app using pure PHP.
Please fill me in with your expert suggestions.
Moen
Using a framework does not secure your code magically. You still have to protect it.
You can see your web app as a house with many doors. With pure PHP, you will have to build your doors before using them. On the other hand, Laravel (or any framework) comes with built-in doors, but if you don't use them, your app will not be secured.
Examples of protections simplified with Laravel:
CSRF protection https://laravel.com/docs/5.3/csrf
SQL injections using Eloquent https://laravel.com/docs/5.3/eloquent
Form validation https://laravel.com/docs/5.3/validation
All the protections listed above can be done with pure PHP, but you will have to write a lot of code.
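To make the "a lot of code" concrete, here is an added example (not from the answer or from Laravel) of the three doors built by hand in plain PHP: a per-session CSRF token, input validation, and a PDO prepared statement; the table, DSN and credential source are assumed placeholders.

```php
<?php
// Added example: the three protections listed above, hand-written in plain PHP.
// Laravel equivalents: @csrf / VerifyCsrfToken, $request->validate(), Eloquent binding.
declare(strict_types=1);
session_start();

// 1. CSRF: one random token per session, embedded in every form and checked on POST.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_check(?string $submitted): bool
{
    // hash_equals compares in constant time, so timing leaks nothing about the token.
    return is_string($submitted) && isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}

// 2. Validation: reject bad input before it reaches the database (Laravel: 'required|email', 'max:255').
function validate_post(array $post): array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $title = trim((string)($post['title'] ?? ''));
    if ($email === false || $title === '' || mb_strlen($title) > 255) {
        throw new InvalidArgumentException('invalid input');
    }
    return ['email' => $email, 'title' => $title];
}

// 3. SQL injection: bound parameters keep data out of the SQL text (what Eloquent does underneath).
function insert_post(PDO $db, array $clean): int
{
    $stmt = $db->prepare('INSERT INTO posts (author_email, title) VALUES (:email, :title)');
    $stmt->execute([':email' => $clean['email'], ':title' => $clean['title']]);
    return (int)$db->lastInsertId();
}

// Every door has to actually be used on the request, or it protects nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('bad CSRF token');
    }
    $db = new PDO('mysql:host=127.0.0.1;dbname=cms', 'cms_user', getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // force real server-side prepared statements
    ]);
    insert_post($db, validate_post($_POST));
}
```

The form that posts here must include `<input type="hidden" name="csrf" value="<?= csrf_token() ?>">`, which is exactly the step Laravel's @csrf directive does for you.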
I know this is several years too late, but I figured I would add in: locking down your Laravel project once in production does not take too much effort. If you utilize #csrf and form validation as stated above, that will cover your "doors" there. On top of that, using something like fail2ban on the server and pointing everything to the public folder within your Laravel application will reduce brute forcing and deter a lot of the common PHP web scans that come in daily from malicious IP addresses. On my servers I typically see certain IP addresses scanning for common php, phpmyadmin, and mysql.php files that do not turn up any 200 HTTP responses. In addition, having the final product/compiled version of the site in its own directory and implementing all your 3rd-party creds within the .env file (which is required to link your Laravel project to a DB) makes it hard for malicious actors to find system files and credentials.
In addition, the authentication out of the box does all the hashing for you ("secure Bcrypt and Argon2 hashing"). In addition to hashing, it has been noted that the Hash::make function creates and uses a 22-length random string as a salt to generate the password, from the question "Where are laravel password salts stored?", which references a WordPress article on Laravel hashing and salting, "Laravel Hash::make() explained". Hopefully that helps anyone reading this.
If you are deploying a Laravel site to a VPS or whatever, then I would highly recommend daily, or at least every two days, combing the access logs and adding `deny ##IP address##;` for anything that is trying to access URIs they are not supposed to access (since you built it, you will know what they should and shouldn't be accessing), and implementing fail2ban to greatly reduce SSH brute force. If anyone needs more info or has more questions about maintaining a Laravel website in the wild/on a Linux server, I am always here. Coming from someone in the cyber sec industry who freelances web development.
I've been working on a site (for my company) to allow selected data center users to remotely access a scheduling calendar and some pages offering information on the various servers they are coming to the site to access, on a separate site. Initially, I was under the impression that I'd be creating a database and registration page to add, authorize or track end users. My initial project coding has been a combination of HTML, PHP, CSS, and MySQL and Apache for the database side. Now I've been told that we will be using AD, tied into our company's official Active Directory, so that users can use the same IDs and passwords that they've already had approved by our company.
My question is (hopefully) simple. Is there a certain web programming language that I should use in creating the pages that works better with Active Directory than others?
If you are comfortable with PHP, you should be able to achieve the above no problem!
The beauty of PHP is that someone somewhere along the line had the same problem as you so chances are, there's an established solution already.
adLdap seems to be a good solution: a library that already does most of the hard work for you, and all you'd need to do would be to integrate it into your script!
See: http://adldap.sourceforge.net/wiki/doku.php?id=documentation_user_functions
Hopefully this can make it a little easier for you so you can concentrate on the other things like the actual functionality of the website itself.
This might be a stupid question, but I need to explore every option and can't glean much from Google on this one. Hope this is not too conversational.
I'm considering options to secure my PHP/MySQL-based admin system. One thing I've thought about is IP whitelisting with .htaccess and only allowing my client access:
allow from xx.xx.xx.xxx
But I'm wondering if another method might be to not have the admin system installed online at all. Would it be possible to run the admin PHP locally (using WAMP) and then have it connect to a live database?
Is this crazy?
Can I assume that your application is not hosted at your client's? Because if it is, then you can simply put the real application in a DMZ facing the internet and the admin application in the intranet without access from the internet.
If the application is not hosted at your client's, then your IP-based approach looks good. But you should not rely solely on the IP protection as an authentication mechanism; you should also secure the admin application with a login form asking for username and password. If you want to be super careful, you could consider using two-factor authentication (token or Google Authenticator).
As jraede already pointed out, a local install with a remote database would be a pain in the butt to maintain. Also (and foremost), a remote database would imply that you need the database to be accessible from the internet. That should be a security no-go if you can avoid it.
Our company is looking at moving authentication for our web app, which is PHP running on Apache on Windows, and would like to authenticate using Active Directory. I have a way to simply pull the username that you're already authenticated with, but I have no experience with actually authenticating.
Reading up it looks like LDAP would be the way to go. My question is as follows:
Is LDAP the best way to authenticate in a PHP web app using Active Directory credentials?
Is there a different setup I should go to perhaps using PHP and IIS?
http://www.davidschultz.org/2008/04/10/how-to-authenticate-against-active-directory-using-php/
^ this will show you how to authenticate against AD with PHP.
I don't know that this is better or worse than LDAP, but it seems pretty easy. Though, read through the comments first: it's probably not a good idea to hit AD on each page load, but rather store a value somewhere to check against, as one of the comments suggests.
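The "store a value somewhere" advice in that last sentence, as an added example (not from the linked article or this answer): keep the outcome of one successful AD check in a server-side PHP session, with id regeneration and timeouts, so later page loads never re-bind to the domain controller. The AD check itself is assumed to be your own code and is not shown; the lifetimes are assumed policy values.

```php
<?php
// Added example: cache a successful AD login in the PHP session instead of
// contacting the domain controller on every page load. $ad_ok below stands
// for whatever AD/LDAP check you already have (assumed, not part of this file).
declare(strict_types=1);

const SESSION_MAX_AGE = 8 * 3600;   // absolute lifetime in seconds; assumed policy
const SESSION_IDLE    = 30 * 60;    // idle timeout in seconds; assumed policy

function secure_session_start(): void
{
    // Cookie flags: not readable by JS, only over HTTPS, not sent cross-site.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call exactly once, right after the AD bind for $username succeeded.
function login_user(string $username): void
{
    session_regenerate_id(true);   // fresh id on login defeats session fixation
    $_SESSION['auth'] = ['user' => $username, 'since' => time(), 'seen' => time()];
}

// Call at the top of every protected page; returns the cached user or null.
function current_user(): ?string
{
    $auth = $_SESSION['auth'] ?? null;
    $now  = time();
    if ($auth === null || $now - $auth['since'] > SESSION_MAX_AGE || $now - $auth['seen'] > SESSION_IDLE) {
        logout_user();             // expired or absent: force a new AD check
        return null;
    }
    $_SESSION['auth']['seen'] = $now;
    return $auth['user'];
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Login page (assumed $ad_ok from your own AD check):
//   secure_session_start();
//   if ($ad_ok) { login_user($_POST['username']); header('Location: /'); exit; }
// Protected page:
//   secure_session_start();
//   if (current_user() === null) { header('Location: /login.php'); exit; }
```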