So I have no code at the current time but I haven't quite started because of the following issue.
I want to have a website (written in PHP) that allows users to upload files but I'd also like to have a C# app that runs on a Windows desktop and can automatically upload the files. My question has to do with security.
Firstly, from the PHP perspective, is simply hashing and salting with MD5 or something similar really safe for accounts on a website?
Furthermore, how can I safely STORE and preserve the credentials of the user LOCALLY within my C# application? Almost like cookies except I'd be managing it myself. I'm looking for a high level answer as well as what specific tools I should use (or what I should read about before fully pursuing this).
Thank you in advance for your time. :)
To answer both questions...
Firstly, hashing and salting with MD5 is no longer 100% secure as people can use a rainbow table to quickly hack the hashing. You might want to look into something that generates a longer hash to prevent rainbow table attacks.
If you want to safely store an authentication token on the client end (like a "remember me" check box), you can have a table in your server that stores a random string every time the user accesses the PHP page. To make it more secure, you can hash in a unique value of that PC, like the network card's MAC address.
What this does is...
1) When the user first logs in from the C# app, you will create a record that stores the user id, the MAC address, and a long random string in that table. You then return this random string to the C# app to store in the local file.
2) When the C# app accesses the web page again, it will pass to your PHP app the MAC address and the random string stored there. If it matches a record, then we know the user id of the C# app.
3) The PHP side should then re-generate another random string and send it back to the C# app to overwrite the existing locally stored authentication token. This will ensure the token changes a lot and people cannot simply make a copy of the file storing the token, and be able to access the server.
Hope this is clear enough.
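The three-step rotating-token exchange from the answer above, modelled end to end as an added example (not code from the answerer, and not the PHP/C# code the asker will write). An in-memory dict stands in for the server-side table, a constructed string stands in for the MAC address, and two details go beyond the answer: tokens are stored hashed so a leaked table yields nothing usable, and a mismatch for a known device revokes the record, which is how the server detects that a copied token file was used before the legitimate client rotated it.

```python
import hashlib
import hmac
import secrets

# Stand-in for the server table the answer describes: one record per device
# holding the user id and the hash of the current token (assumption: hashing
# at rest is added here, the answer stores the raw random string).
_TOKENS: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: int, device_id: str) -> str:
    """Step 1: first login from the client creates the record and returns the token."""
    token = secrets.token_urlsafe(32)
    _TOKENS[device_id] = {"user_id": user_id, "token_hash": _digest(token), "revoked": False}
    return token


def redeem_token(device_id: str, token: str):
    """Steps 2 and 3: validate the presented token, rotate it, return (user_id, new_token).

    Returns None when the device is unknown, revoked, or the token is stale."""
    rec = _TOKENS.get(device_id)
    if rec is None or rec["revoked"]:
        return None
    if not hmac.compare_digest(rec["token_hash"], _digest(token)):
        # Known device, wrong token: either the real client or a copy of its
        # file is out of date, so two parties hold tokens for this record.
        # Revoke it (beyond the answer's scheme) so both must log in again.
        rec["revoked"] = True
        return None
    new_token = secrets.token_urlsafe(32)
    rec["token_hash"] = _digest(new_token)      # old token is now unusable
    return rec["user_id"], new_token


def simulate() -> dict:
    """Legitimate client rotates first, then a copied token file is replayed."""
    device = "constructed-device-id-01"          # answer suggests the MAC address here
    t1 = issue_token(42, device)                 # step 1, stored in the local file
    copied = t1                                  # attacker copies the file now
    uid, t2 = redeem_token(device, t1)           # steps 2+3 by the real client
    replay = redeem_token(device, copied)        # stale copy: rejected, record revoked
    legit_after = redeem_token(device, t2)       # real client now locked out too
    return {"user_id": uid, "replay_accepted": replay is not None,
            "legit_after_replay": legit_after}


if __name__ == "__main__":
    print(simulate())
```

If the copy is replayed before the real client's next request, the copy wins the rotation and the real client is the one that presents a stale token; the revoke-on-mismatch branch catches that case as well, which plain rotation alone does not.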
A salted SHA-256 hash will be fine. Salt it with something that isn't stored in the database. Having the data come from two different sources will make it even harder to brute force.
It depends on the C# app. If it's only going to have one user then transfer the files over SSH using your public key. If something goes awry you can always revoke the key.