Wednesday, 26 May 2010

Response to Solar Designer's MoPS submission

Great write-up about the gotchas when implementing user authentication/management for PHP/web applications, especially because he explains why things should be done a certain way. The only aspect I am missing is why it is important to construct (especially) the credential verification logic as a combination of application logic and database query instead of just combining everything into a single SQL query. I have seen constructs like

SELECT uid FROM users WHERE username='foo' AND password='bar'
(or any derivative that includes the hashed and/or stretched password value). The application logic would then only use the returned record for obtaining the uid of the (assumed to be correctly authenticated) user. The core problem is that this approach combines both user record loading and user authentication into one operation (and also off-loads this task to the database). By separating the credential verification into two parts, one handled by the SQL layer (loading the record by username) and the other handled by the application logic (comparing the stored hash against the submitted password), it becomes harder for an attacker to mount an attack on the authentication logic by exploiting a vulnerability in the SQL layer (assuming that whatever target the attacker is after can not be accomplished by exploiting such an SQL layer vulnerability itself).
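The difference between the two constructions, as an added example that is not part of the original post. Both variants below deliberately build their SQL by string concatenation so that the "vulnerability in the SQL layer" the post talks about is present in each; the table layout, the user records, the site-wide salt and the function names are constructed for this illustration (a real deployment would use a per-user salt, a stretched hash and, above all, parameterised queries). The combined query is bypassed outright by a comment injection in the username, whereas the separated variant still fails the password check for the same input. The last function shows the caveat the post's closing assumption hints at: an attacker who can shape the result set (here with a UNION) can still defeat the separated check, so separation raises the bar but does not make the SQL-layer flaw harmless.

```python
import hashlib
import hmac
import sqlite3

# Constructed site-wide salt; per-user salts are the better choice but would
# make the single-query variant impossible to write in the first place.
SITE_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> str:
    """Hash a password the same way for storage and for verification."""
    return hashlib.sha256(SITE_SALT + password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)"
    )
    for uid, name, pw in [(1, "admin", "correct horse"), (2, "foo", "bar")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, name, hash_password(pw)))
    conn.commit()
    return conn


def auth_combined(conn: sqlite3.Connection, username: str, password: str):
    """Record loading and credential check folded into one query.

    Any row coming back is treated as a successfully authenticated user, so
    whoever controls the WHERE clause controls the authentication decision.
    """
    sql = "SELECT uid FROM users WHERE username='%s' AND pwhash='%s'" % (
        username,
        hash_password(password),
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def auth_separated(conn: sqlite3.Connection, username: str, password: str):
    """Record loading in SQL, credential check in application code.

    The query only selects which record to look at; the password decision is
    made by comparing the stored hash in the application, so injecting into the
    username no longer lets the attacker skip the check.
    """
    sql = "SELECT uid, pwhash FROM users WHERE username='%s'" % username
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    uid, stored_hash = row
    if not hmac.compare_digest(stored_hash, hash_password(password)):
        return None
    return uid


def union_bypass_of_separated(conn: sqlite3.Connection, attacker_password: str):
    """Caveat: the separated check only inspects the row the query returned.

    If the injection lets the attacker supply that row (here via UNION with a
    hash of a password they know), the application-side compare succeeds for
    the uid they chose.
    """
    forged_username = "x' UNION SELECT 1, '%s' --" % hash_password(attacker_password)
    return auth_separated(conn, forged_username, attacker_password)
```

Running `auth_combined(conn, "admin' --", "anything")` returns uid 1, while `auth_separated` with the same input returns `None`; `union_bypass_of_separated(conn, "whatever")` returns uid 1 again, which is why the post's argument only holds under its stated assumption about what the SQL-layer vulnerability itself can reach. Parameterised queries remove both problems; the separation is defence in depth on top of that.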

Posted by Jürgen Pabel on 26 May 2010 at 20:57

Saturday, 22 May 2010

Configuration Encryption Patch for Suhosin

My submission for the Month of PHP Security was published today. I implemented a new feature for Suhosin which allows configuration values (any data actually) to be encrypted using an encryption key specified in the php.ini configuration file. In addition to the patch I've written an article explaining the necessity for encrypting passwords in configuration files, especially in enterprise environments.

Posted by Jürgen Pabel on 22 May 2010 at 18:24

Friday, 21 May 2010

SIGINT sneak preview

You, my loyal blog readers, are the first to learn about my newest creation: CSS history hack based user tracking. Everyone else will have to wait until my presentation at SIGINT tomorrow (sorry, it'll be in German by request of the organizers).

Posted by Jürgen Pabel on 21 May 2010 at 18:03

Sunday, 9 May 2010

CCC Pentabarf Password reset

I had to reset my Pentabarf password for the CCC, here's the confirmation e-mail I received:

Dear ***,

Someone (probably you, from IP address 127.0.0.11)
requested a password reset.

To reset your password just follow the link where you can define a new
password:

<--snip-->

That's funny, because 127.0.0.11 is a loopback IP address (i.e. the request appears to originate from their own system).

By the way: http://events.ccc.de/sigint/2010/wiki/Fahrplan/events/3785.de.html (in German)

Posted by Jürgen Pabel on 9 May 2010 at 21:37