Implementing secure login with Swift and a PHP API

  • Thread starter Thread starter ergospherical
  • Start date Start date
  • Tags Tags
    Php
Join the discussion
Ask a follow-up here, or get your own question answered by working scientists, mathematicians and engineers — people, not an autocomplete.
Real named experts · corrections over time · the nuance an AI answer skips
13 replies · 2K views
I'm hosting a database containing usernames and password hashes, and have written a little PHP API which accepts HTTP post requests (sent from an iOS application via Alamofire for Swift) containing two parameters, username & password, checks against the database & returns some JSON data containing a truth value signifying whether to validate the login, plus some accompanying information.

This method worked, but I cannot use it because HTTP post requests are not encrypted and the approach is pretty much totally unsecure. I am trying to figure out how best to reprogram the login - or use an existing library? In either case I would be interested to hear if you have experience with this sort of thing. Thanks!
 
Physics news on Phys.org
jedishrfu said:
Try using https instead.
...but still use a library. I recommend either Laravel if you want a completely pre-packed solution, or roll your own using the Symfony Request object (and then you will also want to add routing using e.g. FastRoute).
 
  • Informative
Likes   Reactions: ergospherical
jedishrfu said:
Try using https instead.
How would I do this with Alamofire? The relevant portion of my code is currently :
Swift:
 @IBAction func loginPressed(_ sender: Any) {
        let username = usernameField.text!
        let password = passwordField.text!
      
        let parameters: Parameters=[
            "username":username,
            "password":password
        ]
    
        Alamofire.request(URL_USER_REGISTER, method: .post, parameters: parameters).responseJSON
            {
                response in
                if let result = response.result.value {
                    let jsonData = result as! NSDictionary
                    if(!(jsonData.value(forKey: "error") as! Bool)){
                        let validated = jsonData.value(forKey: "validated") as! Int
                        if(validated==1){
                            //Irrelevant stuff omitted for brevity
                        }
                    }else{
                        //error message in case of invalid credential
                    }
                }
        }
    }
 
Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.
 
  • Like
Likes   Reactions: Filip Larsen, jedishrfu and ergospherical
But 99% of PHP-driven web sites (including I wouldn't mind betting this one) just use PHP's default 10 rounds of bcrypt stored in a SQL table backed up by a web host along with the rest of the database.
 
  • Like
Likes   Reactions: jedishrfu and ergospherical
pbuk said:
Well the passwords should be salted and hashed appropriately and access to that database restricted (bearing in mind any automated backups). If you can't manage the security properly then you are better off using OAUTH 2 authentication via e.g. a Google login.
The salting and hashing I'm pretty confident about (well, I solicited some help from one of my friend's siblings who dabbles in cybersecurity :oldbiggrin:). I just need to be sure that I'm not doing anything stupid transferring data between the app and the API, but I'm reassured now that it's probably fine.
 
  • Like
Likes   Reactions: jedishrfu
The transfer is the one thing you don't have to worry about - https is implemented very securely by the client and the server. The other thing you need to watch is logging: web servers don't store plain text logs of request bodies (i.e. $_POST variables) by default (they DO store plain text logs of query strings i.e. $_GET variables), but be careful about implementing e.g. crash dumps of unsanitised $_POST variables.
 
  • Informative
Likes   Reactions: ergospherical
Oh and you will want to make sure that the incoming request IS actually HTTPS, either by enforcing a 301 redirect in an .htaccess file (assuming Apache) or by checking $_SERVER (again preferably indirectly e.g. with a Symfony $request->isSecure()). Or both.
 
  • Informative
Likes   Reactions: ergospherical
Make sure you properly quote any user input so as to prevent an injection attack. PHP may do that already But it’s good to do your due diligence and check it out.

The recent log4j crisis is predicated on the possibility that someone tries an injection attack and the web app logs it starting the disastrous chain of events.
 
  • Like
Likes   Reactions: ergospherical