Username and Password Exposed


Love_Daddy
Forum Commoner
Posts: 61
Joined: Wed Jul 10, 2002 6:55 am
Location: South Africa

Username and Password Exposed

Post by Love_Daddy »

Hi Guys,

I have written a script to authenticate the username and password using forms.
So my problem is, when everything is okay, my username and password are displayed in the location
bar, so it'll give something like this:

http://localhost/login.php?username=Rom ... word=xxxxx

So how do I hide that?
AVATAr
Forum Regular
Posts: 524
Joined: Tue Jul 16, 2002 4:19 pm
Location: Uruguay -- Montevideo

Sessions

Post by AVATAr »

Why don't you use sessions?

lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

What I did with one of my scripts is to give every user a randomly generated code, and put that in the URL along with other data... so you'd get index.php?U=58DB9g or something similar. If you use lots of letters and numbers the amount of possible combos is such that it becomes... well not 100% secure, but hard enough to crack IMHO.
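Added example (not lc's or the thread's code): issuing and checking a random per-user code like lc's index.php?U=58DB9g, using PHP's CSPRNG and a constant-time compare, and measuring how much guessing resistance a 6-character alphanumeric code actually gives. The `$users` array is a constructed stand-in for a users table.

```php
<?php
// Added example (not lc's or the thread's code): random per-user login codes done properly.
// Assumed: the $users array below is a constructed stand-in for a users table.

declare(strict_types=1);

// Guessing resistance of an n-character code over an alphabet of size k is n * log2(k) bits.
function codeEntropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// Issue a fresh code from random_bytes(), never from rand(), mt_rand() or uniqid().
function issueCode(): string
{
    return bin2hex(random_bytes(16)); // 32 hex chars, 128 bits of entropy
}

// Store only a hash so a copied database does not hand out live codes.
function codeHash(string $code): string
{
    return hash('sha256', $code);
}

// hash_equals() runs in constant time; '==' leaks timing and juggles types ("0e..." strings).
function codeMatches(string $presented, string $storedHash): bool
{
    return hash_equals($storedHash, codeHash($presented));
}

// lc's format: 6 chars of [A-Za-z0-9] is about 35.7 bits; 128 bits is the usual floor for a session ID.
printf("6-char alphanumeric: %.1f bits\n", codeEntropyBits(6, 62));
printf("random_bytes(16) as hex: %.1f bits\n", codeEntropyBits(32, 16));

$issued = issueCode();
$users = ['Rom' => ['code_hash' => codeHash($issued)]]; // constructed record

var_dump(codeMatches($issued, $users['Rom']['code_hash']));    // the issued code is accepted
var_dump(codeMatches(issueCode(), $users['Rom']['code_hash'])); // a different code is rejected
```

Even a 128-bit code still leaks when it rides in the query string: it ends up in the Referer header sent to any third-party site the page links to, in web server and proxy access logs, in browser history, and in any link the user copies. The code belongs in a cookie (which is exactly what a PHP session does), not in every link on the page.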
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Or switch to the 'POST' method. Those values aren't transmitted within the URL.
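Added example (not volka's or the original poster's code): the login.php from the thread, written so the credentials travel in the POST body and the browser keeps only a session cookie afterwards. The `$users` array is a constructed stand-in for a users table; its hash is made with password_hash(). The `/index.php` redirect target is an assumption.

```php
<?php
// Added example (not volka's or the original poster's code): login.php with credentials in the
// POST body and a cookie-backed PHP session afterwards.
// Assumed: $users stands in for a users table; /index.php is the post-login page.

declare(strict_types=1);

// Harden the session cookie before session_start(): no script access, HTTPS only when available
// (plain http://localhost during development would otherwise never receive it), not sent cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for the users table; only the bcrypt hash is stored, never the password.
$users = [
    'Rom' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

function authenticate(array $users, string $username, string $password): bool
{
    // Verify against a dummy hash for unknown users so response time does not reveal valid names.
    static $dummyHash = null;
    $dummyHash ??= password_hash('unknown-user-dummy', PASSWORD_DEFAULT);
    $hash = $users[$username]['hash'] ?? $dummyHash;
    return password_verify($password, $hash) && isset($users[$username]);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    if (authenticate($users, $username, $password)) {
        session_regenerate_id(true);   // fresh ID on login: a pre-set (fixated) ID is discarded
        $_SESSION['user'] = $username;
        header('Location: /index.php', true, 303); // redirect so a refresh does not re-submit the password
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<!-- method="get", or no method attribute (GET is the default), puts the fields in the query string:
     login.php?username=...&password=... in the location bar, history and server logs.
     method="post" sends them in the request body instead. -->
<form method="post" action="/login.php" autocomplete="off">
  <?php if ($error !== ''): ?>
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <label>Username <input type="text" name="username" required></label>
  <label>Password <input type="password" name="password" required></label>
  <button type="submit">Log in</button>
</form>
```

POST only keeps the password out of the URL; on the wire it is still plaintext unless the page is served over HTTPS. Every protected page then calls session_start() and checks isset($_SESSION['user']); nothing about the user travels in the links.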
Love_Daddy
Forum Commoner
Posts: 61
Joined: Wed Jul 10, 2002 6:55 am
Location: South Africa

Post by Love_Daddy »

I'm using the Post-Method, so I'm reading about sessions at the moment.
And I'll let you know as soon as I'm finished.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

POST isn't the best way to do it since you have to use a form to go to the next page.
gite_ashish
Forum Contributor
Posts: 118
Joined: Sat Aug 31, 2002 11:38 am
Location: India

Post by gite_ashish »

hi,
[quote="Love_Daddy"]I'm using the Post-Method,[/quote]
The FORM variables are NOT displayed in the query string (location bar) while using the POST method!

Either there is some problem with the FORM submission
-OR-
the URL http://localhost/login.php?username=Rom ... word=xxxxx is not the result of what we are talking about.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

I think lc's idea is good because you can store the number in the MySQL DB or something and match it, but the only problem is that you have to rewrite all the links in the page...
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

But the URL refers to the login page. One way or another the real login data has to be transmitted.
From there on, sessions or other mystical ( ;) ) mechanisms are OK.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

[quote="volka"]But the url refers to the login page.[/quote] What do you mean by that?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

http://localhost/login.php?username=Rom ... word=xxxxx
login.php and a login/password-pair made me think it concerns a login procedure ;)
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

I don't think sending the user's password through POST or the URL is a good idea since it's easy to get these hashed or whatever strings.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

what other ways are there for a login?
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Many.

~Check authentication by a cookie (username).
~Basic grab match of user/pass from database.
~Grab match of user/pass from database w/ session and cookie.

I bet there are more but these are the ones I'm familiar with.