Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

Articles Tagged ‘security’

Learn about OAUTH

Thursday, July 20th, 2017 by Servage
OAuth is an authorization standard that can be found on websites, APIs, web applications built with React or AngularJS and more. OAuth is often used to let one website access user information held on another website. OAuth can be used for various types of authorization, so let’s see how it works in more detail. Why OAuth? As mentioned previously, OAuth gives a website access to a user’s profile information on another website. When you sign up on a website, you have likely seen the option to sign up using your Google, Facebook or other account. In these cases, the signup process is handled by OAuth and your personal information, such as your name and ...

CORS explained

Sunday, July 9th, 2017 by Servage
Cross-origin resource sharing (CORS) is a feature that allows website content, such as external font files, to be requested between different domains. Although it may not sound obvious, CORS is used on a majority of websites. Let’s have a look into what CORS is all about and when it is used. Same-Origin Policy Before talking about CORS itself, let’s talk about a related security feature called the same-origin policy. It is a security feature built into web browsers that prevents websites from sending certain types of requests to other websites. For example, www.example.com cannot send a POST request to www.example2.com using AJAX. The reason this is blocked is that this ...

Protecting users with Two-Factor Authentication

Thursday, May 11th, 2017 by Servage
Two-factor authentication (2FA) is considered the most secure way to protect online accounts. It protects user accounts with one-time codes that are usually delivered to the user through a 2FA application or text message. Big companies, such as Google, Facebook and Microsoft, already support 2FA, and it continues to gain support on smaller websites too. This time we will see what it takes to implement two-factor authentication on a website using PHP. Installing pragmarx/google2fa To set up two-factor authentication, we will be using a popular Composer package called pragmarx/google2fa. To get started, install the package using Composer: “composer require pragmarx/google2fa”. This requires you to have Composer installed globally as described on www.getcomposer.org. Updating ...

Protecting your application from cross-site attacks

Sunday, April 9th, 2017 by Servage
Cross-site scripting (XSS) is an attack where a user embeds malicious code as part of a website. This can be done, for instance, by submitting a comment on a blog website. If the comment contains a malicious script, it will be executed by all visitors who read the blog article. These attacks are quite common, and there are many varieties of XSS attacks. Let’s find out what methods are available to protect web applications from these vulnerabilities. Escaping User Input This is arguably the most important thing to do to prevent XSS attacks. On many websites, users are allowed to freely fill out forms that save the input in a database. Let’s consider ...

Securing your website with CSRF protection

Thursday, March 2nd, 2017 by Servage
Cross-site request forgery (CSRF) is an exploit that allows a malicious user to send requests on behalf of another user in a web application. Even though protecting applications from CSRF attacks is not very difficult, these vulnerabilities are still fairly common. Now is a perfect moment to learn how to protect your application from such exploits. How CSRF Works A cross-site request forgery attack can happen when a user clicks a malicious link on a website or in an email message. State-changing operations, such as changing a user’s password, should be implemented using POST requests. However, this is not always the case, and applications sometimes use GET requests for this type of action. This is ...

Secure authentication and password-hashing in PHP

Tuesday, June 7th, 2016 by Servage
Many PHP frameworks come with built-in helper functions for dealing with passwords in a secure fashion. However, sometimes you may have to manually hash and verify passwords. In either case, it is a good idea to know how everything works behind the scenes and what the latest and greatest ways of storing passwords securely in PHP 5.6 and 7 are. Hashing a password PHP 5.5 introduced a new password hashing API that uses the bcrypt key derivation function. The bcrypt method is deemed safe and is often considered among the best ways to hash passwords in 2016. PHP 5.5 and newer versions include a built-in function called password_hash() that you can use to hash passwords. To ...

Web site authentication with Laravel

Friday, July 3rd, 2015 by Servage
The ability to register and log in is the basis for many features on most websites. Therefore authentication is an issue which developers are confronted with in almost every single project. Thankfully the Laravel developers have realized this, and therefore made it very easy to implement authentication. Actually, default Laravel installations ship with the required pieces already available. You just need to move a few things into place to make it work for your project. Laravel provides the required controllers for the authentication procedure, but there are no routes active for this purpose by default. This is to avoid opening your web site to authentication unless you want it. Therefore simply add the following ...

Ending a session properly in PHP

Tuesday, December 2nd, 2014 by Servage
Sessions last until a user closes the browser window. If the user navigates to another page and returns to your site again without having closed the browser, then the session will still exist. This behavior is usually desirable for your web application. You can even make the session last beyond closing the browser window, which enables you to remember users and their data over longer periods of time. This is the underlying functionality that enables "Remember me" login functions, for example. Use PHP's built-in session handler You may just as well take advantage of the built-in functionality in PHP - as long as you remember that default settings may not always be what you want, and they may not always ...

Prevent session fixation and hijacking

Friday, November 21st, 2014 by Servage
Session fixation is similar to session hijacking. The fixation method means the attacker obtains a valid session ID from the application, whereafter the attacker gets the victim to use the same session ID. The hijacking method means the attacker gets to know the identifier for an existing user session. Either way, the session will thereafter be known to the attacker, who can present himself as the user to the application. This is dangerous because if an attacker can make the application believe it is the user, the attacker can essentially do whatever the user would be able to do. It is like having forgotten to log out, whereafter someone takes over the computer and continues as that previously logged-in user. Understanding ...

Setting a session after authentication

Sunday, November 9th, 2014 by Servage
The following post sheds a little light on some good session and authentication principles. Often, it's normal procedure to create a session on every request where the requesting client does not have a session already. However, I like to assign sessions only after login - or create a new session after login. This is because I will eventually be doing login over HTTPS and would like to prevent hackers from hijacking the sessions of users that have authenticated. Consider the below code script for setting up a new session after successful authentication. <?php //authenticate2.php require_once 'login.php'; $db_server = mysql_connect($db_hostname, $db_username, $db_password); if (!$db_server) die("Unable to connect to MySQL: " . mysql_error()); ...