User Auth

Postby yotsa » Sat Aug 24, 2002 7:57 am

I developed a backend application with a MySQL database with usernames and passwords. You can enter, modify or delete users. That's working fine with cookies, but only on the login page where I check validation of users. I need a way to avoid direct access to the other pages which are in the members area. If the username and password are valid, access is granted. I have to check whether cookies or the session are set at the beginning of every page in the members section, right? How?
yotsa
New php-forum User
 
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby Jay » Sat Aug 24, 2002 10:27 am

The easiest way is to develop a small script to check the password, and 'include' it at the beginning of every page. Regardless of what page is accessed, the script will be run and should only do something if there's a problem. If you're using Apache you can also use it to invoke a password feature; an example and explanation is here.
Jay
 

Postby yotsa » Sun Aug 25, 2002 2:22 am

Yes, I use Apache, but I want to avoid the WWW-Authenticate header form. I use a cookie and check it on every page, but if the intruder gets the contents of the cookie he can pass the cookie variable through the URL and get the page. If I use a combination of cookie and session variable then I make a mess. I have a problem with open session and cookie. Can you give me another link or advice or script?
yotsa
New php-forum User
 
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby Jay » Sun Aug 25, 2002 2:31 am

Use the superglobal arrays to prevent him using the cookie value in the URL. On the first access (when the session is started), validate the cookie with your online database or something, so the session is validated. Then you don't need the cookie!
Jay
 

Postby DoppyNL » Sun Aug 25, 2002 2:43 am

For a user that wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. In other words, I place the username and password in a variable and use "session_register();" with that variable. Each time a page is called these variables are available.

You can then check that variable each time to see if the user has enough access rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan
DoppyNL
 

Postby yotsa » Sun Aug 25, 2002 7:30 am

Yes dvdbinternet, that's it! I tried to do session register with a cookie, but now I will try with username and password. I still have a problem, I do not know why. Can you send me a piece of program code for registering and checking the session?
Thank you.
yotsa
New php-forum User
 
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby DoppyNL » Sun Aug 25, 2002 9:46 am

First make a "normal" page with a form to get the username and password (use type=password for the password field).
When the form is posted:
Code: Select all
session_start();   // must run before any output is sent
// stray ';' after the condition removed; it made the 'if' body run unconditionally
if (verify_login($_POST['username'], $_POST['password']))
{
   // keep the values in the server-side session, not in a cookie
   // (session_register() took variable *names*, so passing the values was wrong)
   $_SESSION['username'] = $_POST['username'];
   $_SESSION['password'] = $_POST['password'];
   print('login successful');
}
else
{
   print('Login failed');
}

Now you can access the username and password on each following page.
Remember to use $_SESSION['username'] and $_SESSION['password'], and you have to use session_start().
Also keep in mind that those variables are not set initially (before login).

This is a semi-copy from my code; verify_login checks if the username and password are correct and returns a boolean.

I think you can fill in the rest of the gaps.

Greetz Daan
DoppyNL
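The login handler plus the per-page "include it at the top" guard that Jay and Daan describe, written out as one added example (not code from any poster in this thread). `lookup_user()` is a hypothetical stand-in for the MySQL query and its row is constructed; only the user id goes into `$_SESSION`, which lives on the server, so the guard never consults a cookie or query-string value an intruder might supply, and `session.use_only_cookies` keeps the session id itself out of the URL.

```php
<?php
// Added example, not the forum posters' code: login.php plus a guard that is
// included before any output on every members-area page. Only the user id is
// kept in $_SESSION; the password is not stored anywhere after verification.
// lookup_user() is a hypothetical stand-in for the MySQL SELECT; the row it
// returns is constructed here, with a hash made by password_hash().

declare(strict_types=1);

function lookup_user(string $username): ?array {
    // Constructed sample row; in the real app this is a query on the users table.
    $rows = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $rows[$username] ?? null;
}

// Verifies the credentials; on success rebinds the session and returns true.
function login(string $username, string $password): bool {
    $user = lookup_user($username);
    // password_verify() compares against the stored hash, never the plaintext.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh id: a pre-login id cannot be reused
    $_SESSION['user_id']  = $user['id'];  // the only thing later pages need
    $_SESSION['login_at'] = time();
    return true;
}

// auth_check.php: the guard. Reads $_SESSION only, so a cookie or URL value an
// intruder forges is never what decides access.
function require_login(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Driver for login.php handling its own POST.
ini_set('session.use_only_cookies', '1'); // session id is never accepted from the URL
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $ok = login((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    echo $ok ? 'login successful' : 'Login failed';
}
```

Every members page starts with `session_start(); require_login();` and then trusts `$_SESSION['user_id']`, which is exactly the "validate once, then drop the cookie" flow Jay outlined.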
 

Postby Jay » Sun Aug 25, 2002 3:40 pm

dvdbinternet wrote:For a user that wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. In other words, I place the username and password in a variable and use "session_register();" with that variable. Each time a page is called these variables are available.

You can then check that variable each time to see if the user has enough access rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

You realise that's more or less exactly what I said :wink:
Jay
 

Postby DoppyNL » Sun Aug 25, 2002 11:26 pm

Jay wrote:You realise that's more or less exactly what I said :wink:

yep :lol:
DoppyNL
 

Postby yotsa » Tue Aug 27, 2002 1:08 pm

It works now with session, thanks.
yotsa
New php-forum User
 
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby tranquillo » Wed Jun 04, 2003 3:49 am

Hey guys.

I'm new to this login and security stuff, but I want to learn..
This all looks very interesting. Could someone help me out with sample code for the session thing?
Do I need to store anything else in the database than password and username?

thanks
tranquillo
New php-forum User
 
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Wed Jun 04, 2003 4:36 am

hehe...
so I guess there's not a lot of action here...
tranquillo
New php-forum User
 
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby Redcircle » Wed Jun 04, 2003 6:22 am

here's a good tutorial that might help

http://www.devshed.com/Server_Side/PHP/ ... page1.html
Redcircle
Moderator
 
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby tranquillo » Wed Jun 04, 2003 2:00 pm

Thanks a lot for that.. I think I'm on my way now.. ;)

I'm trying to do something like the one in that link you gave me but I'm having trouble with links...

In the code on that page there's a logout function. It's just a link to a logout PHP page, but the link doesn't work...
the link is <a href="/index.php>Goodbye</a> but the browser tries to get http://localhost/public/admin/inner.san ... /index.php

Why does it automatically add the current page address in front of the link address?
tranquillo
New php-forum User
 
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby Redcircle » Fri Jun 06, 2003 6:28 am

you do not have an ending " after /index.php
Redcircle
Moderator
 
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby tranquillo » Fri Jun 06, 2003 8:01 am

sorry.. that was just a typo here. I have a closing " in the code..
tranquillo
New php-forum User
 
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby Redcircle » Fri Jun 06, 2003 11:14 am

try using the FULL url
Redcircle
Moderator
 
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby tranquillo » Fri Jun 06, 2003 12:13 pm

Tried that and it's the same.. the URL becomes the URL of the page the link is on and the real URL after...

can it have something to do with the session?
tranquillo
New php-forum User
 
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby WiZARD » Sun Jun 08, 2003 3:36 am

tranquillo wrote:Tried that and it's the same.. the URL becomes the URL of the page the link is on and the real URL after...

can it have something to do with the session?

destroy
WiZARD
Moderator
 
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Postby DyoWeL » Sat May 22, 2004 4:24 pm

Is there a way that hackers or sniffers can sweep these usernames and passwords? If yes, is there any alternative to secure our authentication script?
DyoWeL
New php-forum User
 
Posts: 5
Joined: Thu Mar 18, 2004 6:10 pm

Postby WiZARD » Mon May 24, 2004 9:27 am

DyoWeL wrote:Is there a way that hackers or sniffers can sweep these usernames and passwords? If yes, is there any alternative to secure our authentication script?

You mean that you want to protect your site?
WiZARD
Moderator
 
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol
