Password Security
I was wondering if this is at all secure,
<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}
if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>
oh 1 more thing,
what's the diff between
print $text
and
print($test)
thanks
No, that is actually very insecure. First of all is $logged_in a global variable? One reason that global variables are now off by default is because in the URL of the first page you could put something like:
http://www.example.com/login.php?logged_in=1
And the script would log you in because of that. Also, a couple small errors:
Code: Select all
if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
should be
Code: Select all
if ( $logged_in == 0 ) {
<redirect code to login page>
} elseif ( $logged_in == 1 ) {
Take a look at a tutorial on these forums for more help with sessions:
viewtopic.php?t=6521
-
Paddy
- Forum Contributor
- Posts: 244
- Joined: Wed Jun 11, 2003 8:16 pm
- Location: Hobart, Tas, Aussie
- Contact:
Not sure about the security but why not just do this instead of your code?
Code: Select all
<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
<redirect code to login page>
}
?>
<code>
thx, i was wondering if Session variables could be controlled by the url, oh well. ill figure out a diff way, thx!
and paddy,
lol i dont know why i didnt do that lol
[EDIT]
Would it be safer to use Cookies?
i had trouble using them so i used sessions, but if its more secure i will, i have to protect RCON access so its important
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
A more current version of:
Code: Select all
<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}
if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>
would be
Code: Select all
<?php
session_start();
if (!isset($_SESSION['logged_in'])) {
$_SESSION['logged_in'] = false;
}
if (!$_SESSION['logged_in']) {
// <redirect code to login page>
exit();
} else {
// <code>
}
?>
which is a bit more secure as the logged_in variable could only have come from a session, it could not be overwritten by a variable in the query string.
Mac

Alexia wrote:
what's the diff between
print $text
and
print($test)
There's no difference between the two, except that the first is quicker to type. Basically, you can put parentheses around a print statement but they are not necessary at all and are generally omitted.
Mac
-
malcolmboston
- DevNet Resident
- Posts: 1826
- Joined: Tue Nov 18, 2003 1:09 pm
- Location: Middlesbrough, UK
If you're on an Apache host, drop an .htaccess file with this:
Code: Select all
php_flag register_globals off
It'll turn off the register_globals for any file accessed in the directory or subdirectories of it.
-Nay
This method still allows ppl to hijack the Session from a logged in user..
on your login page save the IP of the user into your Session, and instead of just checking $_SESSION['is_logged'] also check if the IP is still the same.. if both are correct, the user can continue.. else redirect to login page...
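As an added example that is not code from any post in this thread: a small helper that combines Mac's $_SESSION-only check with the IP binding suggested in the last reply, and adds session_regenerate_id() at login so a session ID that existed before the login is not carried over. The file name auth.php, the login.php redirect target and the user-agent binding are assumptions, not something the thread gives.

```php
<?php
// auth.php (assumed file name; added example, not code from any post above)
session_start();

// Call from login.php once the submitted credentials have been verified.
function login_session_start(): void
{
    // Issue a fresh session ID so an ID that existed before the login
    // (for example one handed to the victim by an attacker) stops being valid.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    // Bind the session to the client that performed the login, as the last
    // reply suggests; the user agent is an extra binding not in the thread.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

// True only when the session itself says the user is logged in AND the
// request still comes from the same client. Only $_SESSION is consulted, so
// register_globals and ?logged_in=1 in the query string have no effect.
function session_is_valid(): bool
{
    if (empty($_SESSION['logged_in'])) {
        return false;
    }
    $sameIp = ($_SESSION['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');
    $sameUa = ($_SESSION['ua'] ?? null) === ($_SERVER['HTTP_USER_AGENT'] ?? '');
    return $sameIp && $sameUa;
}

// Put this at the top of every protected page instead of the original check.
function require_login(): void
{
    if (!session_is_valid()) {
        // Discard the session so a mismatched one cannot be retried.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit();
    }
}

// Usage on a protected page (assumed layout):
//   require_once 'auth.php';
//   require_login();
//   ... page content ...
```

Binding to the client IP logs out users whose address changes mid-session (mobile networks, some proxy setups), so it is a trade-off that makes most sense for high-value access such as the RCON panel mentioned above.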