views:

84

answers:

3

A new project requires a simple panel (page) for admin and staff members that:

  • Preferably will not use SSL or any digital certification stuff; a simple login form via HTTP will be just fine.
  • has basic authentication which allows only the admin to log in as admin, and any staff member as a member of the group "staff". Ideally, the credentials (username-hashed password pair) will be stored in MySQL.
  • is simple to configure if there is a package, or the strategy is simple to code.
  • somewhere (PHP session?) somehow (include a script at the beginning of each page to check the user group before doing anything?), it will detect any invalid user attempt to access a protected page and redirect him/her to the login form.
  • while still keeping high quality in security, something I worry about the most.

Frankly I have little knowledge about Internet security, and how modern CMS such as WordPress/Joomla handle this.

I only have one thing in my mind: that I need to use a salt to hash the password (SHA1?) to make sure any hacker who gets the username and password pair across the net cannot use that to log into the system. And that is what the client wants to make sure.

But I am really not sure where to start, any ideas?

A: 

This has been much discussed on SO already, here are some of the useful links:

Sarfraz
@Sarfraz : thanks for the links, I am looking at them :)
Michael Mao
@Michael Mao: You are welcome....
Sarfraz
-1 It's impossible to have a secure session without HTTPS. This is a clear violation of OWASP A3: "Broken Authentication and Session Management." I'm sorry but I have to give a -1 to anyone on SO who proposes a vulnerability; it's just the rules.
Rook
+1  A: 

Not using SSL would leave a pretty substantial hole in the whole system as it is pretty easy to sniff network traffic

nduplessis
@nduplessis : Yeah, this is what I am afraid of. I don't think the client will spend a dime for verisign. OpenSSL seems a bit hard to code from scratch for me. Maybe the hosting server will be so kind to offer the SSL channel?
Michael Mao
No special coding needed. Just get an SSL certificate. You can find many for under $20. Your web host will install it for you for a small fee. A small price for a lot of peace of mind.
webbiedave
@webbiedave : That's so wonderful to hear. I will convince the client to do this with his web hosting.
Michael Mao
+1 SSL is a **requirement** for any authenticated session.
Rook
+2  A: 

The use of HTTPS is an absolute requirement, and must be used for the entire life of the session. Keep in mind that session IDs are used to authenticate browsers, and if an attacker can obtain one (sniffing or XSS), then he doesn't need a username/password. This is laid out by the OWASP Top 10 2010 A3, Broken Authentication and Session Management. If you want to implement a secure session you must read that link.

MD4, MD5, SHA-0 and SHA-1 are all broken message digest functions and can never be used for passwords. Any member of the SHA-2 family is a good choice; SHA-256 is very large and is a great choice for passwords.

You should absolutely never transfer a password hash across the network or spill it to a user/attacker. If you are sending a hash to the server to authenticate then you have introduced a very serious vulnerability into your system. Using SQL injection the password hash can be obtained from the database, then this hash can simply be replayed to authenticate, bypassing the need to crack the password hash. This is as if you are storing passwords in clear text.

Use the $_SESSION superglobal and session_start() to maintain your session state; never re-invent the wheel. The default PHP session handler is secure and will do what you need.

<?php
session_start();
// Reject the request unless a successful login already set this flag in the session
// (empty() also covers the case where the key was never set, without a notice)
if (empty($_SESSION['logged_in'])) {
    die("Authentication required!");
}

Also make sure to implement CSRF protection in your system. Using CSRF an attacker can access the administrative panel by forcing your browser to send requests. Make sure to test your application for XSS; this is a good free XSS scanner. Again, XSS can be used to hijack an authenticated session by using XHR or by obtaining the value of document.cookie. It is also a good idea to test for SQL injection and other vulnerabilities; wapiti will do the trick.

Rook
@The Rook : thank you so much for pushing the basic rules. Now I see that having SSL is just a start. I will definitely seek ways to make sure the "average" hackers will not find it too easy to crack the login system, and I must let the client know it is for his own good to take this long to implement such a "little" thing :)
Michael Mao
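A concrete version of the rules in Rook's answer (page guard with role check, server-side hash verification, session regeneration, CSRF token), as an added example that is not Rook's code or the asker's project. It assumes a PDO handle $pdo, a users table with username, pw_hash and role columns, and PHP 7.1+, and it uses password_hash()/password_verify() (bcrypt, which salts for you) in place of the hand-rolled salted SHA-256 the answer mentions.

```php
<?php
// Added example. Assumes: PDO handle $pdo, table users(username, pw_hash, role)
// with pw_hash produced by password_hash($pass, PASSWORD_DEFAULT), PHP 7.1+.

// Cookie flags before the session starts: sent only over HTTPS, not readable
// from JavaScript (blunts the document.cookie theft the answer warns about).
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Per-session CSRF token; embed it as a hidden field in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Call at the top of every POST handler before acting on the request.
function check_csrf(): void {
    $sent = $_POST['csrf'] ?? '';
    if ($sent === '' || !hash_equals($_SESSION['csrf'] ?? '', $sent)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
}

// The browser sends the plaintext password over HTTPS; the stored hash never
// leaves the database, so a leaked hash cannot simply be replayed to log in.
function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT pw_hash, role FROM users WHERE username = ?');
    $stmt->execute([$user]);           // prepared statement: no SQL injection
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['pw_hash'])) {
        return false;                  // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);       // fresh session id after login (session fixation)
    $_SESSION['logged_in'] = true;
    $_SESSION['role'] = $row['role'];  // 'admin' or 'staff'
    return true;
}

// Run this first on every protected page: require_role(['admin']) on admin-only
// pages, require_role(['admin', 'staff']) on pages open to all staff.
function require_role(array $allowed): void {
    if (empty($_SESSION['logged_in']) || !in_array($_SESSION['role'] ?? '', $allowed, true)) {
        header('Location: /login.php');
        exit;
    }
}
```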