Password Security
Posted: Sun Dec 14, 2003 4:37 pm
by Alexia
I was wondering if this is at all secure,
<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}
if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>
oh 1 more thing,
what's the diff between
print $text
and
print($test)
thanks
Posted: Sun Dec 14, 2003 9:06 pm
by DuFF
No, that is actually very insecure. First of all, is $logged_in a global variable? One reason that global variables are now off by default is that in the URL of the first page you could put something like:
http://www.example.com/login.php?logged_in=1
And the script would log you in because of that. Also, a couple small errors:
if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
should be
if ( $logged_in == 0 ) {
<redirect code to login page>
} elseif ( $logged_in == 1 ) {
Take a look at a tutorial on these forums for more help with sessions:
viewtopic.php?t=6521
Posted: Sun Dec 14, 2003 9:22 pm
by Paddy
Not sure about the security, but why not just do this instead of your code?
<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
<redirect code to login page>
}
?>
<code>
Posted: Sun Dec 14, 2003 9:40 pm
by Alexia
Thx, I was wondering if session variables could be controlled by the URL, oh well. I'll figure out a diff way, thx!
And Paddy,
lol I don't know why I didn't do that lol
[EDIT]
Would it be safer to use cookies?
I had trouble using them so I used sessions, but if it's more secure I will. I have to protect RCON access, so it's important.
Posted: Mon Dec 15, 2003 3:54 am
by twigletmac
A more current version of:
<?php
session_start();
if ( ! session_is_registered( "logged_in" )) {
session_register( "logged_in" );
$logged_in = 0;
}
if ( $logged_in = 0 ) {
<redirect code to login page>
} elseif ( $logged_in = 1 ) {
?>
<code>
<?php
}
?>
would be
<?php
session_start();
if (!isset($_SESSION['logged_in'])) {
$_SESSION['logged_in'] = false;
}
if (!$_SESSION['logged_in']) {
// <redirect code to login page>
exit();
} else {
// <code>
}
?>
which is a bit more secure, as the logged_in variable could only have come from a session; it could not be overwritten by a variable in the query string.
Alexia wrote: what's the diff between
print $text
and
print($test)
There's no difference between the two, except that the first is quicker to type. Basically, you can put parentheses around a print statement, but they are not necessary at all and are generally omitted.
Mac
Posted: Mon Dec 15, 2003 3:56 am
by malcolmboston
Works with globals turned off.
More secure and more future-proof.
If I had been working with them off it would have saved me months, but you've got to think of your clients'/sites' security and the fact that you may wake up one morning and your site no longer works.
Just my 2 cents.
Posted: Mon Dec 15, 2003 4:15 am
by Nay
If you're on an Apache host, drop an .htaccess file with this:
It'll turn off register_globals for any file accessed in the directory or subdirectories of it.
-Nay
Posted: Mon Dec 15, 2003 10:06 am
by Alexia
Thanks guys!
This is gonna help a lot.
Posted: Mon Dec 15, 2003 10:48 am
by aquila125
This method still allows ppl to hijack the session from a logged-in user...
On your login page, save the IP of the user into your session, and instead of just checking $_SESSION['is_logged'], also check if the IP is still the same. If both are correct, the user can continue; else redirect to the login page.
Posted: Mon Dec 15, 2003 1:14 pm
by McGruff
Some people (AOL) can have different IPs during the same session.
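Putting the thread's advice together, here is an added example (not code posted by anyone in the thread): twigletmac's $_SESSION-only gate, with aquila125's IP binding made optional so that McGruff's point about changing addresses can be weighed. The STRICT_IP constant, the /login.php path and the assumption that credentials are verified elsewhere before mark_logged_in() is called are all assumptions of this example.

```php
<?php
// Added example; STRICT_IP and /login.php are assumptions, not from the thread.
define('STRICT_IP', false); // true = aquila125's IP check; false = tolerate changing IPs

session_start();

// Called by the login page only after the credentials have been verified (not shown).
function mark_logged_in(): void
{
    $_SESSION['logged_in'] = true;
    // Remember the client address so later requests can be compared against it.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

// True only if the flag came from the server-side session store.
// A ?logged_in=1 query string never reaches $_SESSION, unlike a
// register_globals variable, so the URL trick from the thread does nothing here.
function is_logged_in(): bool
{
    if (empty($_SESSION['logged_in'])) {
        return false;
    }
    if (STRICT_IP && ($_SESSION['ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        // Address changed since login: treat the session as possibly hijacked.
        // Users whose IP legitimately changes mid-session (the AOL case above)
        // are logged out by this branch, which is the trade-off McGruff raises.
        return false;
    }
    return true;
}

// Drop the session and send the client to the login page when the check fails.
function require_login(): void
{
    if (!is_logged_in()) {
        session_unset();
        header('Location: /login.php');
        exit();
    }
}

require_login();
// <protected code goes here>
```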