
secure login

Posted: Wed Jul 28, 2010 6:23 am
by stow
Hi all,

I've created a basic login script using sessions. However, I've come up against a few obstacles. What happens is when the username is displayed a number comes up, and if one user is logged on they can navigate to another user's page. I've been thinking for a while now of how to stop this flaw but I've got nowhere. Here's the code:

Code at the top of the user's page to start the session or if not logged in to relocate:

Code:

<?php
session_start();
if (!isset($_SESSION[username]))
{
	header("location: login.html");
}
else
{
	
	if($username = $_SESSION[username] && $password = $_SESSION[password])
	{
		echo "Hi ".$username;
	}
}
?>
For some reason $username ends up being a number

The php for logging on:

Code:

<?php

if($_POST['submit'])
{
	$username = $_POST['u'];
	$password = $_POST['p'];
	$connect=mysql_connect("server","user","pass");
	$db=mysql_select_db("db");
	if(!username || !$password)
	{
		header("location: relogin.html");
	}
	else
	{
		$check= "SELECT * FROM table WHERE u ='".$username."' AND p = '".$password."'";
		$result = mysql_query($check) or die ("error: ".mysql_error());
		if(mysql_num_rows($result) == 0)
		{
			echo "The Username and the Password do not match";
		}
		else
		{
			$row=mysql_fetch_row($result);
			if ($password == $row[3])
			{
				session_start();
				$_SESSION['username'] = $username;
				$_SESSION['password'] = $password;
				header("location: $username.php") or die(mysql_error());
			}
		}
	}
}

?>
Any help would be appreciated

Thanks

stow

Re: secure login

Posted: Wed Jul 28, 2010 6:33 am
by s.dot
In the first portion of code, place exit(); after your header() call..
Also in the first part, are those ='s supposed to be =='s?

EDIT| This login is nowhere near secure. Usage of mysql_real_escape_string() on input would be a good start, checking if username and password are even posted would be good, along with hashing the password and checking the hash against the stored hash (perhaps with a salt and pepper, too).

And, you should develop with error reporting turned on.. "username" is missing a $ in front of it in the second part of the script along with a few other things

use:

Code:

ini_set('display_errors', 'On');
error_reporting(E_ALL); 
at the top of your script

Re: secure login

Posted: Wed Jul 28, 2010 7:28 am
by internet-solution
s.dot wrote:
And, you should develop with error reporting turned on.. "username" is missing a $ in front of it in the second part of the script along with a few other things

use:

Code:

ini_set('display_errors', 'On');
error_reporting(E_ALL); 
at the top of your script
and don't forget to turn error_reporting off before you release it to the wild. Error messages can reveal information about your code, db structure etc. and can make your script less secure.

Re: secure login

Posted: Wed Jul 28, 2010 9:29 am
by stow
Thanks for the tips. Sorry this is my first big PHP/SQL project.
@s.dot I tried your suggestions but I still have the two problems I mentioned.
Just to make it a bit clearer... if there are 3 users registered to the site: John, Sam, and Andy, and if I was logged in as John, I can still access Sam and Andy's pages just by typing in their URL.

Stow
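
The fixes suggested in this thread, together with a per-page ownership check for the problem described in the last post, as an added example that is not code from any poster here. It assumes PHP 5.5+ with the PDO SQLite driver; the users table, the p_hash column, check_login() and may_view() are hypothetical names, and the accounts are constructed sample data.

```php
<?php
// Added example. An in-memory SQLite database stands in for MySQL so the
// script runs offline; the two accounts below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (u TEXT PRIMARY KEY, p_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (u, p_hash) VALUES (?, ?)');
foreach (['John' => 'john-pw', 'Sam' => 'sam-pw'] as $u => $p) {
    // Store a salted hash, never the password itself.
    $ins->execute([$u, password_hash($p, PASSWORD_DEFAULT)]);
}

// Login check: the bound parameter keeps input out of the SQL text, and
// password_verify() compares the submitted password with the stored hash.
function check_login(PDO $db, $username, $password)
{
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;                 // nothing usable was posted
    }
    $stmt = $db->prepare('SELECT p_hash FROM users WHERE u = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();     // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

// Page guard: being logged in is not enough, the session user must also own
// the requested page. Use === here: with a single =, && binds tighter than
// the assignment, so $username receives boolean true and is echoed as "1".
function may_view(array $session, $pageOwner)
{
    return isset($session['username']) && $session['username'] === $pageOwner;
}

// After a successful login call session_regenerate_id(true) and keep only
// the username in $_SESSION; a plain array stands in for $_SESSION here.
$session = check_login($db, 'John', 'john-pw') ? ['username' => 'John'] : [];

// At the top of every user page (two constructed requests):
foreach (['John', 'Sam'] as $owner) {
    if (!may_view($session, $owner)) {
        // In the real page: header('Location: login.html'); exit;
        echo "$owner.php: denied\n";
        continue;
    }
    echo "$owner.php: Hi " . htmlspecialchars($session['username']) . "\n";
}
// A quote-laden username is treated as data and matches no account.
var_dump(check_login($db, "x' OR '1'='1", "x' OR '1'='1"));
```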