User Auth

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

Jay

Post by Jay » Sat Aug 24, 2002 10:27 am

Easiest way is to develop a small script to check the password, and 'include' it at the beginning of every page. Regardless what page is accessed, the script will be run and should only do something if there's a problem. If you're using Apache you can also use it to invoke a password feature, an example and explanation is here

Jay

Post by Jay » Sun Aug 25, 2002 2:31 am

Use the Super Global Arrays to prevent him using the cookie value in the url. On the first access, (when the session is started) validate the cookie with your online database or something, so the session is validated. Then you don't need the cookie!

DoppyNL

Post by DoppyNL » Sun Aug 25, 2002 2:43 am

For a user that wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. in other words, I place the username and password in a variable and use "session_register();" with that variable. each time a page is called these variables are available.

you can then check that variable each time if the user has enough access-rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

DoppyNL

Post by DoppyNL » Sun Aug 25, 2002 9:46 am

first make a "normal" page with a form to get username and password (use type=password for password field).
when form is posted:

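Code:

session_start();
// verify_logon() checks the username and password and returns a boolean
if (verify_logon($_POST['username'], $_POST['password']))
{
    // session_register() was removed in PHP 5.4; write to $_SESSION instead
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
    print('login successful');
}
else
{
    print('Login failed');
}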

now you can access the username and password on each following page.
remember to use $_SESSION['username'] and $_SESSION['password'] and you have to use session_start()
also keep in mind that those variables are not set initially (before login).

this is a semi-copy from my code, verify_logon checks if username and password are correct and returns a boolean.

I think you can fill in the rest of the gaps.

Greetz Daan
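
Added example, not part of the original posts: the per-page check Jay describes and the login step from the post above, written for current PHP. It assumes the site is served over HTTPS, keeps only the user's id and name in the session, and uses a constructed in-memory user table; `find_user`, `log_in` and `require_login` are hypothetical names.

```php
<?php
// auth.php - added example, not code from the thread.
// Assumes PHP 7.0+ and a site served over HTTPS.

// Constructed sample user table; a real site loads the row from its database.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['daan' => ['id' => 1,
            'hash' => password_hash('example-password', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// Same role as verify_logon() in the thread: true only for a correct password.
function verify_logon(string $username, string $password): bool
{
    $user = find_user($username);
    return $user !== null && password_verify($password, $user['hash']);
}

// Hypothetical helper: call from the page that receives the login form.
function log_in(string $username, string $password): bool
{
    if (!verify_logon($username, $password)) {
        return false;
    }
    session_regenerate_id(true);              // fresh session id after login
    $_SESSION['user_id']  = find_user($username)['id'];
    $_SESSION['username'] = $username;        // the password is not stored
    return true;
}

// Hypothetical helper: call at the top of every protected page.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Please log in first.');
    }
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start([
        'cookie_httponly' => true,  // not readable from JavaScript
        'cookie_secure'   => true,  // only sent over HTTPS
        'use_strict_mode' => true,  // reject session ids the server did not issue
    ]);
}
```

A login page would `require 'auth.php'` and call `log_in($_POST['username'] ?? '', $_POST['password'] ?? '')`; every other page requires the file and calls `require_login()` before producing output.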

Jay

Post by Jay » Sun Aug 25, 2002 3:40 pm

dvdbinternet wrote: For a user that wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. in other words, I place the username and password in a variable and use "session_register();" with that variable. each time a page is called these variables are available.

you can then check that variable each time if the user has enough access-rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

You realise that's more or less exactly what I said :wink:

DoppyNL

Post by DoppyNL » Sun Aug 25, 2002 11:26 pm

Jay wrote:You realise that's more or less exactly what I said :wink:

yep :lol:

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Post by tranquillo » Wed Jun 04, 2003 3:49 am

Hey guys.

I'm new to this login and security stuff, but I want to learn..
this all looks very interesting. could someone help me out with a sample code for the session thing?
do I need to store anything else in the database than password and username?

thanks

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Post by tranquillo » Wed Jun 04, 2003 4:36 am

hehe...
so I guess there's not a lot of action here...

Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Post by Redcircle » Wed Jun 04, 2003 6:22 am

here's a good tutorial that might help

http://www.devshed.com/Server_Side/PHP/ ... page1.html

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Post by tranquillo » Wed Jun 04, 2003 2:00 pm

thanks a lot for that.. I think I'm on my way now.. ;)

I'm trying to do something like the one in that link you gave me but I'm having trouble with links...

in the code on that page there's a logout function. it's just a link to a logout php page but the link doesn't work...
the link is <a href="/index.php>Goodbye</a> but the browser tries to get http://localhost/public/admin/inner.san ... /index.php

why does it automatically add the current page address in front of the link address?

Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Post by Redcircle » Fri Jun 06, 2003 6:28 am

you do not have an ending " after /index.php

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Post by tranquillo » Fri Jun 06, 2003 8:01 am

sorry.. that was just a typo here. I have a closing " in the code..

Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Post by Redcircle » Fri Jun 06, 2003 11:14 am

try using the FULL url

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Post by tranquillo » Fri Jun 06, 2003 12:13 pm

tried that and it's the same.. the url becomes the url of the page the link is on and the real url after...

can it have something to do with the session?

WiZARD
Moderator
Posts: 1256
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Post by WiZARD » Sun Jun 08, 2003 3:36 am

tranquillo wrote:tried that and it's the same.. the url becomes the url of the page the link is on and the real url after...

can it have something to do with the session?

destroy

DyoWeL

Post by DyoWeL » Sat May 22, 2004 4:24 pm

is there a way that hackers or sniffers can sweep this username and passwords? If yes is there any alternative to secure our authentication script?

WiZARD
Moderator
Posts: 1256
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Post by WiZARD » Mon May 24, 2004 9:27 am

DyoWeL wrote: is there a way that hackers or sniffers can sweep this username and passwords? If yes is there any alternative to secure our authentication script?

You mean that you want to protect your site?
