User Auth

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!


yotsa
New php-forum User
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

User Auth

Postby yotsa » Sat Aug 24, 2002 7:57 am

I developed a backend application with a MySQL database with usernames and passwords. You can enter, modify or delete users. That works fine with cookies, but only on the login page where I check the validity of users. I need a way to avoid direct access to the other pages which are in the members area. If the username and password are valid, access is granted. I have to check that the cookie or session is set at the beginning of every page in the members section, right? How?

Jay

Postby Jay » Sat Aug 24, 2002 10:27 am

The easiest way is to develop a small script to check the password, and 'include' it at the beginning of every page. Regardless of what page is accessed, the script will be run and should only do something if there's a problem. If you're using Apache you can also use it to invoke a password feature; an example and explanation is here.

yotsa
New php-forum User
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby yotsa » Sun Aug 25, 2002 2:22 am

Yes, I use Apache but I want to avoid the WWW-Authenticate header form. I use a cookie and check it on every page, but if an intruder gets the contents of the cookie he can pass the cookie variable through the URL and get the page. If I use a combination of cookie and session variable then I make a mess. I have a problem with the open session and cookie. Can you give me another link, advice or script?

Jay

Postby Jay » Sun Aug 25, 2002 2:31 am

Use the superglobal arrays to prevent him from using the cookie value in the URL. On the first access (when the session is started), validate the cookie with your online database or something, so the session is validated. Then you don't need the cookie!

DoppyNL

Postby DoppyNL » Sun Aug 25, 2002 2:43 am

For a user who wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. In other words, I place the username and password in a variable and use "session_register();" with that variable. Each time a page is called these variables are available.

You can then check that variable each time to see if the user has enough access rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

yotsa
New php-forum User
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby yotsa » Sun Aug 25, 2002 7:30 am

Yes dvdbinternet, that's it! I tried to do session_register with the cookie but now I will try with the username and password. I still have a problem, I do not know why. Can you send me a piece of program code for registering and checking the session?
Thank you.

DoppyNL

Postby DoppyNL » Sun Aug 25, 2002 9:46 am

First make a "normal" page with a form to get the username and password (use type=password for the password field).
When the form is posted:

Code:

session_start();                              // must run before anything is put in the session

if (verify_login($_POST['username'], $_POST['password']))
{
   // the original used session_register(), which was removed in PHP 5.4;
   // assigning to $_SESSION is the equivalent and works on every version
   $_SESSION['username'] = $_POST['username'];
   $_SESSION['password'] = $_POST['password']; // keeping the plaintext password in the session is not needed for the check below
   print('Login successful');
}
else
{
   print('Login failed');
}

Now you can access the username and password on each following page.
Remember to use $_SESSION['username'] and $_SESSION['password'], and you have to use session_start().
Also keep in mind that those variables are not set initially (before login).

This is a semi-copy from my code; verify_login checks if the username and password are correct and returns a boolean.

I think you can fill in the rest of the gaps.

Greetz Daan
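A fuller version of the two ideas in this thread, the check script that Jay says to include at the top of every page and the session approach Daan shows, as an added example that is not code from any poster here. It assumes a constructed in-memory user table in place of the MySQL lookup, keeps only the username in the session (the password is only ever compared against a stored hash), and turns off session ids in the URL, which addresses the cookie-in-the-URL worry above.

```php
<?php
// auth.php: added example, not code from anyone in this thread.
// Every members-area page starts with: require 'auth.php'; require_login();
// The login form handler calls attempt_login($_POST['username'], $_POST['password']).

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // session id is never read from the URL
    ini_set('session.cookie_httponly', '1');  // cookie not exposed to client-side script
    session_start();
}

function verify_login(string $username, string $password): bool
{
    // Constructed stand-in for the MySQL users table: username => password hash, never plaintext.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Form handler: validate once against the database, then mark the session.
function attempt_login(string $username, string $password): bool
{
    start_secure_session();
    if (!verify_login($username, $password)) {
        return false;
    }
    session_regenerate_id(true);       // new id on login so a pre-login id is worthless
    $_SESSION['username'] = $username; // keep only the identity, not the password
    return true;
}

// First statement of every protected page: no valid session, no page.
function require_login(): void
{
    start_secure_session();
    if (empty($_SESSION['username'])) {
        header('Location: /login.php');
        exit;
    }
}
```

Because require_login() runs before any output, a page reached by typing its URL directly is redirected before a single byte of member content is sent.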

Jay

Postby Jay » Sun Aug 25, 2002 3:40 pm

dvdbinternet wrote:For a user who wants to do damage it is also possible to make the cookie himself.

I let the user log in on a page and then remember his username and password in the session variables. In other words, I place the username and password in a variable and use "session_register();" with that variable. Each time a page is called these variables are available.

You can then check that variable each time to see if the user has enough access rights.
You won't have to check that each time with your database because you already did that once (but still, you could check).

When I'm not completely clear, let me know.

Greetz Daan

You realise that's more or less exactly what I said :wink:

DoppyNL

Postby DoppyNL » Sun Aug 25, 2002 11:26 pm

Jay wrote:You realise that's more or less exactly what I said :wink:

yep :lol:

yotsa
New php-forum User
Posts: 4
Joined: Sat Aug 24, 2002 7:42 am

Postby yotsa » Tue Aug 27, 2002 1:08 pm

It works now with session, thanks.

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Wed Jun 04, 2003 3:49 am

Hey guys.

I'm new to this login and security stuff, but I want to learn..
This all looks very interesting. Could someone help me out with some sample code for the session thing?
Do I need to store anything else in the database than the password and username?

thanks

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Wed Jun 04, 2003 4:36 am

Hehe...
So I guess there's not a lot of action here...

Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby Redcircle » Wed Jun 04, 2003 6:22 am

Here's a good tutorial that might help:

http://www.devshed.com/Server_Side/PHP/ ... page1.html

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Wed Jun 04, 2003 2:00 pm

Thanks a lot for that.. I think I'm on my way now.. ;)

I'm trying to do something like the one in that link you gave me, but I'm having trouble with links...

In the code on that page there's a logout function. It's just a link to a logout PHP page, but the link doesn't work...
the link is <a href="/index.php>Goodbye</a> but the browser tries to get http://localhost/public/admin/inner.san ... /index.php

Why does it automatically add the current page address in front of the link address?

Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby Redcircle » Fri Jun 06, 2003 6:28 am

you do not have an ending " after /index.php

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Fri Jun 06, 2003 8:01 am

sorry.. that was just a typo here. I have a closing " in the code..

Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby Redcircle » Fri Jun 06, 2003 11:14 am

try using the FULL url

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Fri Jun 06, 2003 12:13 pm

Tried that and it's the same.. the URL becomes the URL of the page the link is on, with the real URL after it...

Can it have something to do with the session?

WiZARD
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Postby WiZARD » Sun Jun 08, 2003 3:36 am

tranquillo wrote:Tried that and it's the same.. the URL becomes the URL of the page the link is on, with the real URL after it...

Can it have something to do with the session?

destroy

DyoWeL
New php-forum User
Posts: 5
Joined: Thu Mar 18, 2004 6:10 pm

Postby DyoWeL » Sat May 22, 2004 4:24 pm

Is there a way that hackers or sniffers can sweep these usernames and passwords? If yes, is there any alternative to secure our authentication script?

WiZARD
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Postby WiZARD » Mon May 24, 2004 9:27 am

DyoWeL wrote:Is there a way that hackers or sniffers can sweep these usernames and passwords? If yes, is there any alternative to secure our authentication script?

You mean that you want to protect your site?

