13 9 / 2011

Starting on the Messages app

Just dived into the messages, and we’re pretty much done with the PHP side of the sender. I’m going to need that theme to apply some styling to the array we’re going to call out into the inbox, as well as the conversation, so we aren’t going to worry about that for a while. :)

So far, the sender, database, and empty files are all ready, and interfacelessly (:P) we’re currently able to send messages. :)

We’ll also port the messages to have an API with encrypted data, tokens, keys, etc., so we can later grow glorbi into a sole messaging platform as well (spoiler alert) :D

13 9 / 2011

We’ve made one last adjustment to login

Login will no longer need to check for your permanent session id, as that causes too many hassles when running multiple queries, and it doesn’t make that much of a difference when we’re already validating major changes such as the IP address and User Agent to prevent XSS.

Now on to messages! We’ll leave the core platform for later :)

11 9 / 2011

Rewriting the Login Backend

We’ve been experiencing some problems with cookies: they’re a bit unreliable and vulnerable to XSS attacks, so we’ve switched over to a fully session-based system. Sadly, the small downside to sessions is that we won’t be able to remember you! :( You’ll have to log in every time you re-open your browser.

The security of the sessions is about the same, aside from the fact that we aren’t running as many checks, as they aren’t necessary. But we do validate some things that could be a possible indication of an XSS hack. We validate the temporary session id against your IP address, as well as your user agent. If either one is different within the same session, you’re flagged, and have to log in again.

We’re still having some problems getting the login system up and running: our authorization is failing at the moment, but that should be resolved in the next few hours :)

09 9 / 2011

Login System Done!

Logging in to glorbi is probably one of the safest login scripts I’ve ever written! When you log in, it stores a large array of data in our database, and checks this data against even more pre-stored values, and variables running in sessions and cookies all around our site!

So much so that on every single page we run about 13 checks to make sure you’re you, and your data won’t be compromised. In all, we have 3 pages that handle login: login.php, which processes the login; sessions.php, which registers the session; and auth.php, to make sure everything is working just right. :)

After all that, you’re logged in, and you gain access to home, as you. Once you log out, what we wrote about in the last post happens!

Funny how we’re putting so much effort into all this! We haven’t even got to the core platform yet! Who knows how long and secure that’s going to be ;)

09 9 / 2011

Logout Structure

Well, so far we’ve done a survey of 6 developers and 27 people, and we’ve agreed that our logout system will automatically log users out after 1 month, unless you click logout, deleting your sessions. But, to keep you safer, when you close your browser and reopen it, you will have to type in only your password, because on a money-related website, when it comes to security versus convenience, we’re going to have to make it more secure than convenient!
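An added example, not glorbi’s own code, of the session checks described in the Login Backend post above (temporary session bound to IP address and user agent, re-login on mismatch) together with the one-month automatic logout and the browser-close expiry from this post. The function names, the session keys and MAX_SESSION_AGE are assumptions.

```php
<?php
// Added example, not glorbi's code; function and key names are assumptions.
const MAX_SESSION_AGE = 30 * 24 * 60 * 60; // one month, as in the logout post

// Hash of user agent + IP; note IP binding logs out users whose address changes.
function client_fingerprint(): string {
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// Call once at login, after the password has been verified.
function register_session(string $username): void {
    session_regenerate_id(true);               // discard the pre-login session id
    $_SESSION['user'] = $username;
    $_SESSION['auth_fingerprint'] = client_fingerprint();
    $_SESSION['auth_started'] = time();
}

// Call on every page; false means the session is flagged and must be ended.
function validate_session(): bool {
    if (empty($_SESSION['user'])) {
        return false;
    }
    // User agent or IP differs from the one recorded at login.
    if (!hash_equals($_SESSION['auth_fingerprint'] ?? '', client_fingerprint())) {
        return false;
    }
    // Absolute expiry after one month, regardless of activity.
    return (time() - ($_SESSION['auth_started'] ?? 0)) <= MAX_SESSION_AGE;
}

// Clear server-side data and expire the session cookie in the browser.
function end_session(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// cookie_lifetime 0: the cookie dies when the browser closes, so the user
// must log in again after reopening it, as the logout post describes.
ini_set('session.cookie_lifetime', '0');
ini_set('session.cookie_httponly', '1');
session_start();
if (!validate_session()) {
    end_session();
    header('Location: ../index?logout=x');
    exit;
}
```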

09 9 / 2011

Twitter account setup

I can’t write any code at the moment, so I just set up our Twitter account, @glorbidotcom. Follow us! We won’t be tweeting much till later!

08 9 / 2011

sessions.php is very very complex.

The session id system we’ve integrated to keep our users safe from any sort of hacks is looking to be so secure, so complicated, that we have 5 cookies, 7 sessions, and we’re encrypting all our session data with special cryptography tools.

We randomly generate 2 IDs, get the username, IP address, and user agent, save them all in an encrypted cookie, upload those values to our database, and cross-reference those values with our sessions, cookies, database, and an external table value, so as to keep the system flawless.

The sessions system is only half done, and it’s already over 400 lines of PHP. :) We’ll finish it off tomorrow, then move on!

08 9 / 2011

While we’re at it: Logout, done.

I made the login script a while ago, and thought why not make a logout script as well. That’s done! It’s also pretty long! If your session doesn’t exist, it logs you out anyway (well, it would have earlier), and creates a blacklist localstore on your computer, which will get the website to record your actions on your next visit.

Here’s the code, with variable names, column names, cookie names, and session names blanked out! [security measures ;)]

<?php
// Logout script: ends the session, expires the login cookies and removes the
// session row. Names are blanked out as in the post.
session_start();
session_destroy();

$xx = $_SERVER['xxxxx_xxxxxx'];
require_once("xxxxxx.php");

// Look up the login record for this user/session.
// Note: the mysql_* extension was removed in PHP 7, and the interpolated
// values are not escaped before being placed in the query.
$data1 = mysql_query("SELECT * FROM xxxxxx WHERE xxxxxx='$xxxxxxx' AND xxxxxxx='$xxxxxx'");
$xxxxxx = mysql_num_rows($data1);

// Read the login cookies, then expire them by setting a time in the past.
$xxxxxx = $_COOKIE['xxxxxx'];
$xxxxxx = $_COOKIE['xxxxxx'];
setcookie("xxxxxx", $xxxxxx, time()-3600, "/");
setcookie("xxxxxx", $xxxxxxx, time()-3600, "/");

if($xxxxxx==1)
{
    // A matching session row exists: remove it.
    mysql_query("DELETE FROM xxxxxx WHERE xxxxxx='$xxxxxx' AND xxxxxx='$xxxxxxx'");
}
else
{
    // No session row: set the blacklist cookie and redirect with an error flag.
    setcookie("xxxxx", "xxxxxx".$xx, time()+xxxx*xxx, "/");
    echo '
    <head>
    <meta http-equiv="Refresh" content="0;url=../index?louterr=x" />
    </head>';
}

// Once every cookie and session value is cleared, redirect to the index as logged out.
if($_COOKIE['xxxxxx']=="" && $_COOKIE['xxxxxx']=="" && $_SESSION['xxxxxx']=="" && $_SESSION['xxxxxx']=="")
{
    echo '
    <head>
    <meta http-equiv="Refresh" content="0;url=../index?logout=x" />
    </head>';
}
?>

08 9 / 2011

[Done]: Uber Complex Login Script

Well, that’s one script re-written! The login script for glorbi is so complex that I can hardly comprehend it without writing it all down in a web of scribbles. Well, I think it’s safe to say that unless you can hack multiple encrypted cookies and sessions, whilst altering the encrypted data values from the database checks, all of which occur in about 0.3 seconds, glorbi is safe from hackers. Just the login script is about 50 lines of PHP!

Right now, we’re going to move on to the sessions.php file, which will verify a session, check the cookies and sessions, and run a session id script. That script will generate a unique code for every person that logs in, and verify it once more, on every page a user visits, with a session, a cookie, and a database check.

08 9 / 2011

Let’s get Started

Well, our template is being taken care of by an awesome web designer, Irving (follow him on Twitter: @IrvingTeng), so that won’t be discussed for a while. For now, we’ll begin with the PHP; we’ll include some source code, excluding sensitive data, variable names, database names, etc.

So, we’ll start by coding up the queries for the home page, the login page, the register page, session registration, and the +Glorb page (add new job), as well as the basics for the requests system. We’ll post again later with our progress, bye! :)