Password Security

Alexia
Forum Newbie
Posts: 18
Joined: Fri Dec 05, 2003 6:25 pm

Password Security

Post by Alexia »

I was wondering if this is at all secure,

<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}

if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>



oh 1 more thing,

whats the diff between
print $text
and
print($test)

thanks
DuFF
Forum Contributor
Posts: 495
Joined: Tue Jun 24, 2003 7:49 pm
Location: USA

Post by DuFF »

No, that is actually very insecure. First of all, is $logged_in a global variable? One reason that global variables are now off by default is that in the URL of the first page you could put something like:

http://www.example.com/login.php?logged_in=1

And the script would log you in because of that. Also, a couple small errors:


if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
should be


if ( $logged_in == 0 ) {
<redirect code to login page>
} elseif ( $logged_in == 1 ) {
Take a look at a tutorial on these forums for more help with sessions:
viewtopic.php?t=6521
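To make both of DuFF's points concrete, here is an added example that is not code from the thread: it simulates register_globals=on with extract() so the effect can be seen on the command line, and the function names (vulnerable_gate, comparison_fixed_gate, session_gate) are chosen for the demo. Note that with the assignment bug the posted code never redirects at all: ($logged_in = 0) is always falsy and ($logged_in = 1) always truthy, so the elseif branch wins with or without a query string. Fixing "=" to "==" on its own only exposes the second problem, that a request parameter can supply the flag.

```php
<?php
// Added example, not code from the thread. register_globals=on is simulated
// with extract() on a constructed query array so this runs on the CLI:
//   php register_globals_demo.php
declare(strict_types=1);

// As posted: a global flag plus "=" where "==" was meant.
function vulnerable_gate(array $query): string
{
    extract($query, EXTR_OVERWRITE);   // stand-in for register_globals=on
    if (!isset($logged_in)) {          // stand-in for the session_is_registered() fallback
        $logged_in = 0;
    }
    if ($logged_in = 0) {              // assigns 0: always false, never redirects
        return 'redirect to login';
    } elseif ($logged_in = 1) {        // assigns 1: always true
        return 'protected content';
    }
    return 'unreachable';
}

// "==" fixed as DuFF suggests, but the flag is still a global, so a request
// for ?logged_in=1 creates it before the script runs and the check passes.
function comparison_fixed_gate(array $query): string
{
    extract($query, EXTR_OVERWRITE);
    if (!isset($logged_in)) {
        $logged_in = 0;
    }
    if ($logged_in == 0) {
        return 'redirect to login';
    }
    return 'protected content';
}

// Flag read only from the session array; query parameters never reach it.
function session_gate(array $session): string
{
    if (empty($session['logged_in'])) {
        return 'redirect to login';
    }
    return 'protected content';
}

// Constructed requests: anonymous, anonymous with the forged parameter,
// and a genuinely logged-in session that also carries the parameter.
$cases = [
    'plain request'       => ['query' => [],                   'session' => []],
    '?logged_in=1 forged' => ['query' => ['logged_in' => '1'], 'session' => []],
    'real login'          => ['query' => ['logged_in' => '1'], 'session' => ['logged_in' => true]],
];

foreach ($cases as $label => $c) {
    printf("%-20s as posted: %-18s == fixed: %-18s session: %s\n",
        $label,
        vulnerable_gate($c['query']),
        comparison_fixed_gate($c['query']),
        session_gate($c['session'])
    );
}
```

The first column prints "protected content" for every request, including the anonymous one, which is the assignment bug; the second column is bypassed only by the forged parameter; the third is unaffected because nothing in the request can write to $_SESSION.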
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie
Contact:

Post by Paddy »

Not sure about the security but why not just do this instead of your code?


<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
<redirect code to login page>
}
?>
<code>
Alexia
Forum Newbie
Posts: 18
Joined: Fri Dec 05, 2003 6:25 pm

Post by Alexia »

Thanks, I was wondering if session variables could be controlled by the URL. Oh well, I'll figure out a different way, thanks!

And Paddy,

lol, I don't know why I didn't do that, lol

[EDIT]

Would it be safer to use cookies?

I had trouble using them so I used sessions, but if it's more secure I will. I have to protect RCON access, so it's important.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

A more current version of:


<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}

if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>
would be


<?php
session_start();

if (!isset($_SESSION['logged_in'])) {
	$_SESSION['logged_in'] = false;
}

if (!$_SESSION['logged_in']) {
	// <redirect code to login page>
	exit();
} else {
	// <code>
}
?>
which is a bit more secure as the logged_in variable could only have come from a session, it could not be overwritten by a variable in the query string.
Alexia wrote:whats the diff between
print $text
and
print($test)
There's no difference between the two, except that the first is quicker to type. Basically, you can put parentheses around a print statement, but they are not necessary at all and are generally omitted.

Mac
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

Works with globals turned off.

More secure and more future-proof.

If I had been working with them off it would have saved me months, but you've got to think of your clients'/sites' security and the fact that you may wake up one morning and your site no longer works.

just my 2 cents
Nay
Forum Regular
Posts: 951
Joined: Fri Jun 20, 2003 11:03 am
Location: Brisbane, Australia

Post by Nay »

If you're on an Apache host, drop in an .htaccess file with this:


php_flag register_globals off
It'll turn off register_globals for any file accessed in that directory or its subdirectories.

-Nay
Alexia
Forum Newbie
Posts: 18
Joined: Fri Dec 05, 2003 6:25 pm

Post by Alexia »

Thanks guys!

This is gonna help a lot.
aquila125
Forum Commoner
Posts: 96
Joined: Tue Dec 09, 2003 10:39 am
Location: Belgium

Post by aquila125 »

This method still allows people to hijack the session of a logged-in user.

On your login page, save the IP of the user into your session, and instead of just checking $_SESSION['is_logged'] also check if the IP is still the same. If both are correct, the user can continue; else redirect to the login page.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Some people (AOL users) can have different IPs during the same session.
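An added example, not code from the thread, that builds on twigletmac's $_SESSION['logged_in'] gate and on the hijacking exchange between aquila125 and McGruff. It assumes PHP 7.3 or later (for session.cookie_samesite), replaces the user table with a constructed in-memory array, and uses function names (secure_session_start, login_user, require_login, logout_user, client_fingerprint) and the idle limit SESSION_IDLE_LIMIT chosen for the demo. The session ID is regenerated on login so an ID obtained before authentication is worthless afterwards, and the session is bound to a fingerprint that deliberately excludes the client IP, since IPs can change mid-session as McGruff notes.

```php
<?php
// Added example, not code from the thread. Include from login.php and from
// every protected page; all names and the idle limit are assumptions.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before re-login (assumption)

// Constructed credential store standing in for a database lookup.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alexia' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// Start the session with the ID kept in a cookie only (never in the URL),
// unreadable by page script, and rejected if the client invents its own ID.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

// Value the session is bound to. The client IP is left out on purpose: some
// users change IP mid-session. User-Agent is weak but stable, and still
// defeats the crudest reuse of a stolen cookie from a different client.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login_user(string $username, string $password): bool
{
    secure_session_start();
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $user = find_user($username);
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist; password_verify itself is constant-time.
    $ok = password_verify($password, $user['hash'] ?? $dummyHash) && $user !== null;
    if (!$ok) {
        return false;
    }
    // New ID on privilege change: a fixated or sniffed pre-login ID dies here.
    session_regenerate_id(true);
    $_SESSION = [
        'logged_in'   => true,
        'user'        => $username,
        'fingerprint' => client_fingerprint(),
        'last_seen'   => time(),
    ];
    return true;
}

function logout_user(): void
{
    secure_session_start();
    $_SESSION = [];
    session_destroy();
}

// Gate for protected pages: the flag comes only from $_SESSION, the session
// must still match the client fingerprint, and idle sessions are expired.
function require_login(string $loginUrl = '/login.php'): void
{
    secure_session_start();
    $valid = !empty($_SESSION['logged_in'])
        && hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint())
        && (time() - (int) ($_SESSION['last_seen'] ?? 0)) < SESSION_IDLE_LIMIT;
    if (!$valid) {
        logout_user();
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding idle timeout
}
```

A protected page calls require_login() before emitting any output, since the redirect is sent as a header; login.php calls login_user() with the submitted form fields and redirects on success. If you do want to bind the session to an address as aquila125 suggests, treat a mismatch as a reason to re-prompt for the password rather than to drop the session outright, so roaming users are inconvenienced rather than locked out.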