
Password Security

Posted: Sun Dec 14, 2003 4:37 pm
by Alexia
I was wondering if this is at all secure,

<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}

if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>



oh 1 more thing,

whats the diff between
print $text
and
print($test)

thanks

Posted: Sun Dec 14, 2003 9:06 pm
by DuFF
No, that is actually very insecure. First of all, is $logged_in a global variable? One reason that global variables are now off by default is that in the URL of the first page you could put something like:

http://www.example.com/login.php?logged_in=1

And the script would log you in because of that. Also, a couple small errors:

if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
should be

if ( $logged_in == 0 ) {
<redirect code to login page>
} elseif ( $logged_in == 1 ) {
Take a look at a tutorial on these forums for more help with sessions:
viewtopic.php?t=6521

Posted: Sun Dec 14, 2003 9:22 pm
by Paddy
Not sure about the security but why not just do this instead of your code?

<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
<redirect code to login page>
}
?>
<code>

Posted: Sun Dec 14, 2003 9:40 pm
by Alexia
thx, I was wondering if Session variables could be controlled by the url, oh well. I'll figure out a diff way, thx!

and paddy,

lol i dont know why i didnt do that lol

[EDIT]

Would it be safer to use Cookies?

I had trouble using them so I used sessions, but if it's more secure I will; I have to protect RCON access so it's important

Posted: Mon Dec 15, 2003 3:54 am
by twigletmac
A more current version of:

<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}

if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>
would be

<?php
session_start();

if (!isset($_SESSION['logged_in'])) {
	$_SESSION['logged_in'] = false;
}

if (!$_SESSION['logged_in']) {
	// <redirect code to login page>
	exit();
} else {
	// <code>
}
?>
which is a bit more secure as the logged_in variable could only have come from a session, it could not be overwritten by a variable in the query string.
Alexia wrote:
whats the diff between
print $text
and
print($test)

There's no difference between the two, except that the first is quicker to type. Basically, you can put parentheses around a print statement but they are not necessary at all and are generally omitted.

Mac
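The following is an added example, not code posted in this thread, that puts DuFF's two points (the assignment-instead-of-comparison bug and the register_globals injection via the query string) and twigletmac's $_SESSION-only version together in one runnable page guard. It uses modern PHP rather than the 2003-era session_register(), and it assumes a login page at /login.php that sets $_SESSION['logged_in'] = true after a successful login; the function names is_logged_in() and require_login() are mine, not from the thread.

```php
<?php
// Added example (not from the thread): a login gate that reads only from
// $_SESSION, so a request like ?logged_in=1 cannot influence it whether or
// not register_globals is on. Assumes /login.php sets the session flag.

declare(strict_types=1);

// Session hardening applied before the session starts (assumed settings).
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.cookie_httponly', '1');  // keep the session cookie away from client script
session_start();

/**
 * True only when the session itself says the user is logged in.
 *
 * Note the strict comparison (===) rather than the single '=' in the
 * original post: `if ($logged_in = 0)` assigns 0 (falsy), so the elseif
 * `($logged_in = 1)` then assigns 1 (truthy) and every visitor is treated
 * as logged in.
 */
function is_logged_in(): bool
{
    return isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;
}

/**
 * Redirects to the login page and stops the script. The exit() matters:
 * without it, the protected output below the redirect would still be
 * generated and sent along with the Location header.
 */
function require_login(string $login_url = '/login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $login_url, true, 302);
        exit();
    }
}

require_login();

// Protected content; only reached when the session flag is genuinely set.
echo "Welcome back.\n";
```

The difference from Paddy's version is that the "not yet registered" branch never gets to assign anything: the only place the flag is ever set to true is the login page, and this guard only reads it.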

Posted: Mon Dec 15, 2003 3:56 am
by malcolmboston
works with globals turned off

more secure and more future proof

if I had been working with them off it would have saved me months, but you've got to think of your clients'/sites' security and the fact that you may wake up one morning and your site no longer works

just my 2 cents

Posted: Mon Dec 15, 2003 4:15 am
by Nay
If you're on a Apache host, drop an .htaccess file with this:

php_flag register_globals off
It'll turn off register_globals for any file accessed in that directory or its subdirectories.

-Nay

Posted: Mon Dec 15, 2003 10:06 am
by Alexia
Thanks guys!

this is guna help a lot

Posted: Mon Dec 15, 2003 10:48 am
by aquila125
This method still allows ppl to hijack the Session from a logged in user..

on your login page save the IP of the user into your Session, and instead of just checking $_SESSION['is_logged'] also check if the IP is still the same.. if both are correct, the user can continue.. else redirect to login page...

Posted: Mon Dec 15, 2003 1:14 pm
by McGruff
Some people (AOL) can have different IPs during the same session.
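As an added example (my code, not anything posted in this thread), here is a login handler that addresses aquila125's session-hijacking concern without binding the session to the client IP, so it does not lock out users whose address changes mid-session as McGruff describes. It regenerates the session id at login, ties the session loosely to the User-Agent, and applies an idle timeout. The check_credentials() function is a hypothetical stand-in for your own user lookup, /login.php and the 1800-second timeout are assumed values, and the other function names are mine.

```php
<?php
// Added example (not from the thread): session establishment and validation
// that limits hijacking without an IP check. check_credentials() is a
// hypothetical placeholder; /login.php and SESSION_MAX_AGE are assumed values.

declare(strict_types=1);

const SESSION_MAX_AGE = 1800; // idle seconds before the user must log in again (assumed)

/** Hypothetical: validate the submitted user/password against your user store. */
function check_credentials(string $user, string $pass): bool
{
    // e.g. fetch the stored hash for $user and return password_verify($pass, $hash);
    return false; // placeholder so the example runs without a database
}

/** Called once, right after check_credentials() succeeds. */
function establish_session(string $user): void
{
    // A fresh id invalidates any id the client already had before login,
    // so a pre-planted or previously captured id stops working (fixation defence).
    session_regenerate_id(true);
    $_SESSION['logged_in']   = true;
    $_SESSION['user']        = $user;
    $_SESSION['ua_hash']     = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_active'] = time();
}

/** Called on every protected page instead of a bare $_SESSION['logged_in'] test. */
function session_is_valid(): bool
{
    if (empty($_SESSION['logged_in'])) {
        return false;
    }
    // User-Agent is a weaker signal than IP, but it does not change for a
    // user behind rotating proxies, so it produces far fewer false logouts.
    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (($_SESSION['ua_hash'] ?? '') !== $ua_hash) {
        return false;
    }
    // An idle timeout caps how long a stolen id remains useful.
    if (time() - (int) ($_SESSION['last_active'] ?? 0) > SESSION_MAX_AGE) {
        return false;
    }
    $_SESSION['last_active'] = time();
    return true;
}

/** Clears server-side state and expires the client's session cookie. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Login submission: establish a new session only on verified credentials.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['user'], $_POST['pass'])
    && check_credentials((string) $_POST['user'], (string) $_POST['pass'])) {
    establish_session((string) $_POST['user']);
    header('Location: /', true, 302);
    exit();
}

// Every other request: validate the existing session or send to the login page.
if (!session_is_valid()) {
    destroy_session();
    header('Location: /login.php', true, 302);
    exit();
}

echo 'Logged in as ' . htmlspecialchars((string) $_SESSION['user']) . "\n";
```

The design choice is deliberate: the IP check aquila125 suggests is a stronger binding, but it trades availability for users on rotating addresses; regenerating the id at login plus a short idle timeout gives most of the benefit with no false logouts, and the User-Agent check can be dropped if it proves noisy.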