Token based authentication vs CakePHP default PHP session


#1

Hi everyone,

I am a novice when it comes to web application security. I have almost completed a web application and before going public I would like to make sure it is rock solid on security.

I was planning on just using CakePHPs default PHP sessions for authentication along with HTTPS ssl configured.

My questions is this sufficient for modern web applications? Should I be looking to use token based authentication instead or are tokens something I should move to as the site grows in popularity.

Thanks all. I’m feeling a bit out of my depth on how to secure my web application.

Regards,
Craig


#2

When you say

using CakePHPs default PHP sessions for authentication

You should share with us some of your implementation details, as sessions are not an authentication solution. It’s what you’d put in the session which would be more interesting.

Tokens are not an authentication solution. If you’re referring to a JWT or JSON Web Token, then that’s simply a way of making a token. Do bear in mind that tokens are encrypted, and not hashed. They are not inherently secure in any way. So be sure to only store stuff in your token which you’re happy for anyone to read. Have a read about JWT at https://jwt.io/ and perhaps check out ADmad’s plugin, https://github.com/ADmad/cakephp-jwt-auth


#3

Hi Neon,

Thanks for taking the time to respond to me.

In terms of my implementation I want to use Form Based Authentication and store the session information using Cakes default php session setting (Uses settings defined in your php.ini). In terms of what is being put in the session it would be the CakePHP framework default. Eg user details (except password) as seen in the Cake Blog tutorial.

My objective is to ensure my web application is adequately secure and just wanted to know if using the above described Form Based authentication in conjunction with SSL was sufficient security?

Eg using the CakePHP blog tutorial as a very basic example. Would hosting this with SSL make the site sufficiently secure or is the more that I would need to do to prevent common web application attacks such as CSRF.

I came across an article on tokens and it made me wonder if I should be using something like this.

I read that token compared to cookies help to prevent CSRF attacks so thats why I was wondering if Form Based Authentication with SSL was sufficient.

I’m just looking for something simple and secure for my web application.

Thanks for your help.


#4

Great! The stuff that CakePHP provides is reasonably solid for most applications. Great news that you’re on the case with the SSL as well.

If you want an extra layer of security you could implement the SecurityComponent and put in some CSRF protection, as you mentioned, which is always good.

Otherwise general tips would be the OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

There is the opportunity to turn your login session data into a JWT and store that in the session if you want to be really clever!

The only real risk with session is stuff like session poisoning, session stealing and stuff like that, which you can read about online.

Do think about all these points in the context of your application though. They would really be overkill for something like your personal blog, but not for a bank.


#5

Hi Neon,

Thanks again for responding and so quickly. I really appreciate it.

I had already read up on CSRF and using CakePHPs Security Component.

I had also read ‘OWASP Top 10 Application Security Risks - 2013’ which included Injection attacks, XSS etc.

Then I wasn’t sure which of these does CakePHP provide protection against out of the box. My understanding is that if I use CakePHPs query builder then I should be protected against Injection attacks.

With security there doesn’t seem to be a clear single recommended way of securing a web application against all attacks that I could find. I guess that would be the magic bullet!

I am building a SaaS web application with a users table that I want to ensure users details are securely protected. That is the level of security I’m looking for. The other data in the web application is probably of less importance from a security perspective.

Would you think that applying CSRF protection and using SSL with my form based authentication is adequate security to protect the web application and user credentials?

Thanks again,
Craig


#6

Yeah, stuff like that is a great start.

No, there is no silver bullet. It’s something you need to implement and monitor on a regular basis. Checking your logs and such every month to look for oddities and the like. Reading up and keeping on top of the latest security issues is a job in itsself.

Stuff like the recent Cloudflare bug, are things which you’ll have to deal with when they arise. A bit like the Heartbleed SSL bug a few months back.

Code defensively, and keep on top of things. Remember that your users cannot be trusted. Filter your input, and escape your output. So yeah, as you say, using a framework is a step in the right direction, but stuff like proper use of h() and things in your template is a good idea as well.


#7

Hi Neon,

Thanks for all your responses they have been really helpful to me. You have given me confidence in knowing that I’m heading in the right direction with securing my web app.

I have not come across the h() method and how to properly use it. Would you mind explaining this to me and why I would need it?

https://book.cakephp.org/3.0/en/views.html#view-variables

I read the above link but I cannot understand what the security risk is in relation to not escaping user data. Why is it only user data that would need the output escaped?

Regards,
Craig


#8

XSS mostly, https://en.wikipedia.org/wiki/Cross-site_scripting

Plus users are not trustworthy, and they want to break your code!


#10

Neon thanks so much for all your help and responses to my questions.

Craig