Implementing secure login with Swift and a PHP API

  • Thread starter Thread starter ergospherical
  • Start date Start date
  • Tags Tags
    Php
AI Thread Summary
The discussion centers on enhancing the security of a PHP API used for user authentication, specifically addressing the risks associated with HTTP post requests. The primary recommendation is to switch from HTTP to HTTPS to encrypt data during transmission, which significantly improves security. Participants suggest using established libraries like Laravel for a comprehensive solution or Symfony for a more customized approach. The conversation includes code snippets demonstrating how to implement HTTPS with Alamofire in an iOS application, emphasizing that changing the URL to start with "https://" is a straightforward yet crucial adjustment. There is reassurance regarding the security of HTTPS, with additional advice on ensuring proper salting and hashing of passwords, as well as restricting database access. The importance of secure logging practices is highlighted, cautioning against storing sensitive information in plain text logs. Recommendations include enforcing HTTPS through server configurations and ensuring user input is properly sanitized to prevent injection attacks. Overall, the thread underscores the necessity of implementing robust security measures in web applications to protect user credentials effectively.
ergospherical
Science Advisor
Homework Helper
Education Advisor
Insights Author
Messages
1,097
Reaction score
1,384
I'm hosting a database containing usernames and password hashes, and have written a little PHP API which accepts HTTP post requests (sent from an iOS application via Alamofire for Swift) containing two parameters, username & password, checks against the database & returns some JSON data containing a truth value signifying whether to validate the login, plus some accompanying information.

This method worked, but I cannot use it because HTTP post requests are not encrypted and the approach is pretty much totally unsecure. I am trying to figure out how best to reprogram the login - or use an existing library? In either case I would be interested to hear if you have experience with this sort of thing. Thanks!
 
Technology news on Phys.org
Try using https instead.
 
  • Like
Likes ergospherical
jedishrfu said:
Try using https instead.
...but still use a library. I recommend either Laravel if you want a completely pre-packed solution, or roll your own using the Symfony Request object (and then you will also want to add routing using e.g. FastRoute).
 
  • Informative
Likes ergospherical
jedishrfu said:
Try using https instead.
How would I do this with Alamofire? The relevant portion of my code is currently :
Swift: 
 @IBAction func loginPressed(_ sender: Any) {
        let username = usernameField.text!
        let password = passwordField.text!
      
        let parameters: Parameters=[
            "username":username,
            "password":password
        ]
    
        Alamofire.request(URL_USER_REGISTER, method: .post, parameters: parameters).responseJSON
            {
                response in
                if let result = response.result.value {
                    let jsonData = result as! NSDictionary
                    if(!(jsonData.value(forKey: "error") as! Bool)){
                        let validated = jsonData.value(forKey: "validated") as! Int
                        if(validated==1){
                            //Irrelevant stuff omitted for brevity
                        }
                    }else{
                        //error message in case of invalid credential
                    }
                }
        }
    }
 
URL_USER_REGISTER needs to start with https:// instead of http://
 
  • Like
Likes ergospherical
PHP's $_POST global is populated identically whether the request is HTTP or HTTPS.
 
  • Like
Likes ergospherical
Oh right, is it that simple of a change? And there's no glaring security vulnerabilities of using this approach to user authentication? Thanks for the speedy replies by the way.
 
Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.
 
  • Like
Likes Filip Larsen, jedishrfu and ergospherical
But 99% of PHP-driven web sites (including I wouldn't mind betting this one) just use PHP's default 10 rounds of bcrypt stored in a SQL table backed up by a web host along with the rest of the database.
 
  • Like
Likes jedishrfu and ergospherical
  • #10
pbuk said:
Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.
The salting and hashing I'm pretty confident about (well, I solicited some help from one of my friend's siblings who dabbles in cybersecurity :oldbiggrin:). I just need to be sure that I'm not doing anything stupid transferring data between the app and the API, but I'm reassured now that it's probably fine.
 
  • Like
Likes jedishrfu
  • #11
The transfer is the one thing you don't have to worry about - https is implemented very securely by the client and the server. The other thing you need to watch is logging: web servers don't store plain text logs of request bodies (i.e. $_POST variables) by default (they DO store plain text logs of query strings i.e. $_GET variables), but be careful about implementing e.g. crash dumps of unsanitised $_POST variables.
 
  • Informative
Likes ergospherical
  • #12
Oh and you will want to make sure that the incoming request IS actually HTTPS, either by enforcing a 301 redirect in an .htaccess file (assuming Apache) or by checking $_SERVER (again preferably indirectly e.g. with a Symfony $request->isSecure()). Or both.
 
  • Informative
Likes ergospherical
  • #14
Make sure you properly quote any user input so as to prevent an injection attack. PHP may do that already But it’s good to do your due diligence and check it out.

The recent log4j crisis is predicated on the possibility that someone tries an injection attack and the web app logs it starting the disastrous chain of events.
 
  • Like
Likes ergospherical

Similar threads

Do you want to build a website?
Replies
15
Views
3K
PHP Secure Members Area: PHP Solution for No SQL Hosting
Replies
1
Views
2K

Hot Threads

Recent Insights

Back
Top