Implementing secure login with Swift and a PHP API

  • Thread starter Thread starter ergospherical
  • Start date Start date
  • Tags Tags
    Php
Click For Summary

Discussion Overview

The discussion revolves around implementing secure login functionality using Swift and a PHP API, focusing on the security implications of data transmission and user authentication methods. Participants explore various approaches to enhance security, including the use of HTTPS and libraries for better implementation.

Discussion Character

  • Technical explanation
  • Debate/contested
  • Exploratory

Main Points Raised

  • One participant describes their current implementation of a PHP API for user authentication and expresses concerns about the security of HTTP post requests.
  • Several participants suggest switching to HTTPS to secure data transmission.
  • Some participants recommend using libraries like Laravel or Symfony for a more secure and structured approach to handling requests.
  • There is a discussion about the importance of salting and hashing passwords, with one participant mentioning their confidence in this aspect due to external help.
  • Concerns are raised about the security of logging practices, particularly regarding the handling of sensitive data in logs.
  • One participant emphasizes the need to ensure that incoming requests are indeed HTTPS, suggesting methods to enforce this.
  • Another participant warns about the risks of injection attacks and the importance of properly quoting user input.

Areas of Agreement / Disagreement

Participants generally agree on the necessity of using HTTPS for secure data transmission, but there are varying opinions on the best practices for implementing security measures and handling user authentication. The discussion remains unresolved regarding the sufficiency of the proposed methods and the potential vulnerabilities involved.

Contextual Notes

Participants note that while HTTPS is a secure method for data transfer, there are still concerns about logging practices and the overall security of the implementation, which may depend on various factors including server configuration and coding practices.

ergospherical
Science Advisor
Homework Helper
Education Advisor
Insights Author
Messages
1,100
Reaction score
1,387
I'm hosting a database containing usernames and password hashes, and have written a little PHP API which accepts HTTP post requests (sent from an iOS application via Alamofire for Swift) containing two parameters, username & password, checks against the database & returns some JSON data containing a truth value signifying whether to validate the login, plus some accompanying information.

This method worked, but I cannot use it because HTTP post requests are not encrypted and the approach is pretty much totally unsecure. I am trying to figure out how best to reprogram the login - or use an existing library? In either case I would be interested to hear if you have experience with this sort of thing. Thanks!
 
Technology news on Phys.org
Try using https instead.
 
  • Like
Likes   Reactions: ergospherical
jedishrfu said:
Try using https instead.
...but still use a library. I recommend either Laravel if you want a completely pre-packed solution, or roll your own using the Symfony Request object (and then you will also want to add routing using e.g. FastRoute).
 
  • Informative
Likes   Reactions: ergospherical
jedishrfu said:
Try using https instead.
How would I do this with Alamofire? The relevant portion of my code is currently :
Swift: 
 @IBAction func loginPressed(_ sender: Any) {
        let username = usernameField.text!
        let password = passwordField.text!
      
        let parameters: Parameters=[
            "username":username,
            "password":password
        ]
    
        Alamofire.request(URL_USER_REGISTER, method: .post, parameters: parameters).responseJSON
            {
                response in
                if let result = response.result.value {
                    let jsonData = result as! NSDictionary
                    if(!(jsonData.value(forKey: "error") as! Bool)){
                        let validated = jsonData.value(forKey: "validated") as! Int
                        if(validated==1){
                            //Irrelevant stuff omitted for brevity
                        }
                    }else{
                        //error message in case of invalid credential
                    }
                }
        }
    }
 
URL_USER_REGISTER needs to start with https:// instead of http://
 
  • Like
Likes   Reactions: ergospherical
PHP's $_POST global is populated identically whether the request is HTTP or HTTPS.
 
  • Like
Likes   Reactions: ergospherical
Oh right, is it that simple of a change? And there's no glaring security vulnerabilities of using this approach to user authentication? Thanks for the speedy replies by the way.
 
Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.
 
  • Like
Likes   Reactions: Filip Larsen, jedishrfu and ergospherical
But 99% of PHP-driven web sites (including I wouldn't mind betting this one) just use PHP's default 10 rounds of bcrypt stored in a SQL table backed up by a web host along with the rest of the database.
 
  • Like
Likes   Reactions: jedishrfu and ergospherical
  • #10
pbuk said:
Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.
The salting and hashing I'm pretty confident about (well, I solicited some help from one of my friend's siblings who dabbles in cybersecurity :oldbiggrin:). I just need to be sure that I'm not doing anything stupid transferring data between the app and the API, but I'm reassured now that it's probably fine.
 
  • Like
Likes   Reactions: jedishrfu
  • #11
The transfer is the one thing you don't have to worry about - https is implemented very securely by the client and the server. The other thing you need to watch is logging: web servers don't store plain text logs of request bodies (i.e. $_POST variables) by default (they DO store plain text logs of query strings i.e. $_GET variables), but be careful about implementing e.g. crash dumps of unsanitised $_POST variables.
 
  • Informative
Likes   Reactions: ergospherical
  • #12
Oh and you will want to make sure that the incoming request IS actually HTTPS, either by enforcing a 301 redirect in an .htaccess file (assuming Apache) or by checking $_SERVER (again preferably indirectly e.g. with a Symfony $request->isSecure()). Or both.
 
  • Informative
Likes   Reactions: ergospherical
  • #14
Make sure you properly quote any user input so as to prevent an injection attack. PHP may do that already But it’s good to do your due diligence and check it out.

The recent log4j crisis is predicated on the possibility that someone tries an injection attack and the web app logs it starting the disastrous chain of events.
 
  • Like
Likes   Reactions: ergospherical

Similar threads

Do you want to build a website?
  • · Replies 15 ·
Replies
15
Views
3K
PHP Secure Members Area: PHP Solution for No SQL Hosting
  • · Replies 1 ·
Replies
1
Views
3K