Code: Select all
if($login){
    $_SESSION['username']=$username;
    $_SESSION['level']=$level;
}
Code: Select all
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
...
// Select `level` as well; it is read from the row below.
// Note: the password is compared in plaintext against the stored column.
$query="SELECT id, level FROM login WHERE username = '$username' AND password = '$password'";
$query=mysql_query($query);
$row_query=mysql_fetch_assoc($query);
$num_query=mysql_num_rows($query);
if($num_query == 1){
    $_SESSION['username']=$username;
    $_SESSION['level']=$row_query['level'];
}else{
    $error="Login failed";
}

egg82 wrote:
how about both? Store the username and an ENCRYPTED password in two cookies. sanitize the cookies (some people like to mess with cookies)

This is exactly why you should not store anything other than navigational data within a cookie, you cannot trust the contents. Usernames are better stored within a session, and a password should never be stored in either a cookie or a session.
egg82 wrote:
And remember to set a cookie's expiration date. Without one it acts like a session and is destroyed when the browser is closed

This is because sessions are maintained by the use of a cookie. When you start a session, the session handler sends a cookie with a session id to the client. On each subsequent page request, the client sends the session id back to the web server as a cookie var and that is how your session is perpetuated. Thus, if you clear your cookies, you will lose your session. *Note* this only holds true when session ids are sent through cookies (the most common method). Session ids can also be sent through GET or POST vars.
amirbwb wrote:
Is this the correct way to create a login?

This topic seems to get covered quite often. Let me direct you to a thread that I posted in, scroll down the thread until you find my username and compare the login script that I posted, with the one you are working on.
flying_circus wrote:
egg82 wrote:
how about both? Store the username and an ENCRYPTED password in two cookies. sanitize the cookies (some people like to mess with cookies)

This is exactly why you should not store anything other than navigational data within a cookie, you cannot trust the contents. Usernames are better stored within a session, and a password should never be stored in either a cookie or a session.

egg82 wrote:
And remember to set a cookie's expiration date. Without one it acts like a session and is destroyed when the browser is closed

This is because sessions are maintained by the use of a cookie. When you start a session, the session handler sends a cookie with a session id to the client. On each subsequent page request, the client sends the session id back to the web server as a cookie var and that is how your session is perpetuated. Thus, if you clear your cookies, you will lose your session. *Note* this only holds true when session ids are sent through cookies (the most common method). Session ids can also be sent through GET or POST vars.

Look at that, I learned something today!
Code: Select all
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$username = strip_tags($username);
$password = strip_tags($password);
...
// Select `username` and `level` too; both are read from the row below.
$result = mysql_query("SELECT `id`, `username`, `level` from `login` where `username`='".$username."' and `password`='".$password."';");
if(mysql_num_rows($result) == 1){
    $row = mysql_fetch_array($result);
    $_SESSION['username']=$row["username"];
    $_SESSION['level']=$row["level"];
}else{
    $error="Login failed";
}
Code: Select all
<?php
# Always test a variable's existence before referencing it!!!
$username = isset($_POST['username']) ? strip_tags($_POST['username']) : '';
$password = isset($_POST['password']) ? strip_tags($_POST['password']) : '';
/* ... */
# Escaping is the final operation performed on a piece of data prior to use in a database query
# Select `level` as well, it is read from the row below
$result = mysql_query(sprintf("SELECT `id`, `level` FROM `login` WHERE `username`='%s' AND `password`='%s';",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password)));
if(mysql_num_rows($result) == 1) {
    $row = mysql_fetch_array($result);
    # Rather than store a username (part of login credentials) in a session, store the user id instead
    //$_SESSION['username'] = $row["username"];
    $_SESSION['id'] = $row["id"];
    $_SESSION['level'] = $row["level"];
} else {
    $error = "Login failed";
}
?>

egg82 wrote:
as long as you secure a session (prevent session jacking with session_regenerate_id(false)) it should be fine to store a username in a session.

session_regenerate_id() does not secure the session or prevent session jacking, especially when called with the false parameter. You can secure the transmission of the session id by using a secure protocol (https), but simply changing the id will gain you nothing.

egg82 wrote:
Especially when you use that a lot. Easier to get $_SESSION["user"] than to mysql_query() on every page.

Every project has its own design goals, in this case it's a matter of convenience (marginal at best) VS a matter of security. It's your call.

egg82 wrote:
my understanding of session IDs was if the attacker could get the session ID of, say, an administrator, the attacker then becomes the administrator and takes over the session.

This part is correct. If the session id is compromised, the compromiser assumes that identity for the duration of the session.

egg82 wrote:
Simply regenerating the session ID (depending on how the code was implemented) would be rid of this, and the variables stay the same (in the case of a non-attacker).

What you're actually doing is creating a copy of the current session, to a new session with a different identifier, without deleting the old session.
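As an added example (not code from the thread or from any of its posters), here is the login from this thread with the advice above applied: only the session id lives in the cookie and the cookie is hardened, the user id rather than the username goes into the session, and the session id is regenerated with the old session deleted, which is the difference between session_regenerate_id(true) and the (false) call discussed above. It assumes a `login` table with columns `id`, `username`, `password_hash` (produced by password_hash()) and `level`, a PDO connection in `$pdo` (the DSN and credentials shown are placeholders), and PHP 7.4 or later. PDO prepared statements and password_verify() are swapped in for the mysql_* functions used in the thread, which were removed in PHP 7; plaintext password columns as in the thread's queries are not used.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumptions: a `login` table with columns
// `id`, `username`, `password_hash` (from password_hash()) and `level`; a PDO
// connection in $pdo; PHP 7.4+. Table and column names are illustrative.

function configure_session(): void
{
    // Only the session id travels in the cookie; the data stays on the server.
    // Refuse ids arriving in GET/POST and ids the server never issued, and make
    // the cookie itself hard to steal or leak.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // no expiry date: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over https
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function attempt_login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the values never become part of the SQL text, so there
    // is no escaping step to forget or to do in the wrong order.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, level FROM login WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash, never a plaintext password column. Verifying
    // against a throwaway hash when the user does not exist keeps the response
    // time similar for unknown and known usernames.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = ($row === false) ? $dummyHash : (string) $row['password_hash'];
    $verified = password_verify($password, $hash);
    if ($row === false || !$verified) {
        return false;
    }

    // Fresh id with the old session deleted: an id an attacker fixed before
    // login, or the copy session_regenerate_id(false) would leave behind, is
    // now worthless.
    session_regenerate_id(true);

    // Store the user id and level, never the credentials.
    $_SESSION['id']    = (int) $row['id'];
    $_SESSION['level'] = (int) $row['level'];
    return true;
}

// Registration side, for completeness: store password_hash($plain, PASSWORD_DEFAULT)
// in `password_hash`, never the plaintext.

configure_session();
$error = null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Placeholder DSN and credentials; replace with the real connection.
    $pdo = $pdo ?? new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $ok = attempt_login(
        $pdo,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    if ($ok) {
        header('Location: /');
        exit;
    }
    $error = 'Login failed';
}
```

On later pages, session_start() after the same configure_session() settings and a check on `$_SESSION['id']` is all that is needed; the username, when it is wanted for display, is looked up by id rather than carried in the cookie or the session.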