Extremely Secure Authentication System

Today, I was thinking of experementing with Authentication tricks in PHP. I just came up with this thing.Firstly, Validating the username and password in the database. Once that is done, In order to track the user (the main place where most hackers get successful)We can set 2 cookies. 1> Member ID2> MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT )Any hacker who tries to obtain session ID or even tries to setup a fake cookie with ID, will have to take additional pain to determine the IP address of the target. Not only that, he will have to even fake User-agent which has details of OS and Browser. SALT can be anything, Its just there for added security. So that a member who comes to know bout this trick, Should not be able to generate his own MD5 Key.FOR ADDED SECURITY, We can make use of SESSION ID and use it to validate the cookie. Then the data in the Cookie would be,MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT and SESSION-ID )and the SESSION can contain the member information bit.What do you think?[This concept can be used with PHP / JSP / ASP or any other scripting language]

[offtopic]Guess what.... I use almost the same thing for authentication on my site, but i use GET variables instead of cookies, but that's only because of my laziness. [/offtopic]but arent' you forgetting about passwords?MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT )Do you mean this anyway?MD5( REMOTE_IP and USER-AGENT and USERNAME and SALT and PASSWORD)I think it's quite hackable though. Ip's are easy, just look at this forum or emailing would do too, username is also quite guessable or is displayed somewhere else on the site, and user-agents are also not really unique or untraceable. So basically all you need to bruteforce is a salt and password. I doubt if this is secure enough for real important stuff, but I do think it's good enough for scripts that don't require top-notch security (like my site )note. You could also store the md5 of the password instead of just the pass. Since a lot of people use the same passwords for a lot of things at least if they get hacked on one site, they won't risk being hacked on everything . So you would get thisMD5( REMOTE_IP and USER-AGENT and USERNAME and SALT and MD5(PASSWORD))

This is going to make me sound like a neb, but what do you mean by

In order to track the user (the main place where most hackers get successful)

Does this mean that most hackers get in by simply creating a cookie on their home computer so that they don't have to spoof the login script?
And I thought cookies and sesions were two different things? So jip, could you please explain what exactly a Session ID is there, would it be creating a PHP session and cookies?

Also, as far as MD5ing the password, it would be better to store the password in the database in an MD5 hash, otherwise, all some has to do to find out the password is get viewing priveleges of the database.

~Viz

Thats sort of like the new SMF 1.1 login system, apart from its using SHA-1.Basically, hashes the password using lowercase letters, and then mixes it with the salt,. which changes daily IIRC, and the password hash looks different every day, so even if you broke the hash once, the salt would change and the password in the DB would be updated to use the new salt. And it comes with a really big and weird script to do all that.

You guys are not understanding my point here.If you use password, then every access to the script will require one more additional Query to the database. Here the question is about speed too.The password thing is verfied at the time of login. Once logged in, in order to track him and keep him logged, we use this. If we had to use password, then every check would require another extra Query.Here, We got "REMOTE_IP and USER-AGENT and Member ID, Session ID and SALT "Now, Remote IP takes time. I mean, he has to work on it to spoof it.2nd, User-agents, the hacker has to guess what user-agent the orginal person is using. Again, thats difficult.Member ID can be obtained from the other Cookie or session Data.Session ID is unique again.Salt can be a very long MD5 string. or may be MD5(md5(salt)).Then you combine all these things and you create the MD5(all the above). This value is going to be stored in the cookie which will be returned. everytime the user surfs your site, here and there. You can check whether its him or not by using all those parameters.I don't understand how putting in the password is going to make it secure any further. Because Member-ID is unique there. The rest of the things belong only to the user. If a hacker wants to hack, the only way he can get quite successful is if he uses the same computer. Even in that case, The PHPsession ID should be same, which will be another tough thing to break. Hacker cannot get the data (member-id) in the session variable as it is stored on the server and not on the client pc.Comments and Ideas Welcome.I just want to think of any other possibilities for validating members and keeping them logged securely.

So let me amke sure I understand correctly:Step 1: The user logs in as usualStep 2: Two cookies are placed on the users computer2a) A cookie containing only the member ID which identifies the user to the server2b) A cookie containing an MD5 of the users IP address, Web browser, username, a salt, and the session IDClarification: The session ID will change every time the user logs in, correct?3) Every time the user accesses a page, the second cookie identifies whether or not the user is truly the logged in user and not a hacker who managed to create a cookie with a valid member IDDo I have all of that correctly, what I'm not really clear on is what you mean by tracking the member. If it means what I think it means then I see some issues.~Viz

Clarification: The session ID will change every time the user logs in, correct?YES.The Second cookie identifies the user.The first cookie verfies if it is genuine.

So when the server recieves the cookie containing a weird md5 it goes, ahah, this is user whatever. Then it checks to see if the member ID matches that user?What if I log in from home with firefox, then want to login from school where I have to use IE?~Viz

Everytime you change your location, obviously your ENVOIRNMENT VARIABLES will change and you will be asked to login again. And that time, new values will be set in the cookie.

So what would a hacker do otherwise that this cookie prevents?~Viz