Cookie problem i think...?

sn202
Forum Commoner
Posts: 36
Joined: Thu Dec 16, 2004 7:30 pm

Post by sn202 »

Hi,

Right, I’m having a bit of an annoying bug here. Basically I’m using cookies to restrict access to my site (code shown below). When I first uploaded the files it all worked fine, then I went to test it again later and I couldn't access the site; it kept redirecting to the login page (siteaccess.php). So I played around with it and ended up uploading it again exactly as it was before, and it worked. Then once I logged off and tried again I got the same bug... It's obviously something to do with the cookie but I can't see the problem. Any help will be much appreciated as I really need to get this sorted!!!

Cheers Simon.

authenticate.php

PHP Code:

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$self     = $_SERVER['PHP_SELF'];
$referer  = $_SERVER['HTTP_REFERER'];

# if either form field is empty return to the login page
if( ( !$username ) or ( !$password ))
{
    # connect to MySQL
    $conn = @mysql_connect( "linuxproj", "sn202", "e1420518" )
        or die( mysql_error() );
    # select the specified database
    $rs = @mysql_select_db( "db_sn202", $conn )
        or die( mysql_error() );
    # create the sql query
    $sql = "select * from siteaccess where username='$username'
      and password = '$password'";
    # execute the query
    $rs = mysql_query( $sql, $conn )
        or die( mysql_error() );

    # get number of rows that match username and password
    $num = mysql_numrows( $rs );
    # if there is a match the login is authenticated
    if( $num > 0 )
    {
        setcookie( "auth", "ok" );
        header( "Location:roles.php" ); exit();
    }
    else # or return to login page
    { header( "Location: $referer" ); exit(); }
}
?>

code on all other pages

PHP Code:

<?php
          $auth = $_COOKIE['auth']; 
          header( "Cache-Control:no-cache" ); 
          if( ! $auth == "ok" ) 
          { header( "location:siteaccess.htm" ); exit(); } 
?>
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

although your "security" has some serious flaws, you could try playing with the expiration date

Code:

setcookie("partnercode", $partnercode, strtotime("+30 days"));

also be aware that if you redirect to a different domain, the cookie doesn't exist anymore...

and that people can send their home-made "auth=ok" cookie to get entrance to your "protected pages"
Appletalk
Forum Newbie
Posts: 6
Joined: Sun Dec 19, 2004 7:23 pm
Location: Argentina
Contact:

Hi

Post by Appletalk »

The security flaws mentioned are related to the database query.
As you know, most common security problems reside in trusting the user input. In this example, the sql query could be manipulated.

Code:

$sql="select * from siteaccess where username='$username' and password = '$password'";

If $password contains ' OR '1'='1 the query would be

Code:

$sql = "select * from siteaccess where username='bla' and password = '' OR '1'='1'";

This SQL injection could be easily fixed with the command provided by your database, in this case, mysql_real_escape_string.

Please check
http://www.php.net/manual/en/function.m ... string.php

In addition, I would recommend using an md5 hash for the password field. See http://www.php.net/md5. If you don't like using the $_POST[] array and want separate variables, you could instead have a look at the extract function, http://www.php.net/extract.

In your case, you could have replaced
$username = $_POST['username'];
$password = $_POST['password'];
with
extract($_POST);

Beware that sometimes the use of extract() could be dangerous, so it's good, I think, to get used to adding the EXTR_SKIP option as the second parameter.

Happy coding.
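
The injection described in the post above, reproduced as an added example that is not part of the original thread. It uses PDO prepared statements rather than the mysql_real_escape_string call the post mentions, and runs against an in-memory SQLite table constructed for the demo (assumes the pdo_sqlite extension; the row values are made up).

```php
<?php
// Added example, not from the thread. Table contents are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE siteaccess (username TEXT, password TEXT)");
$db->exec("INSERT INTO siteaccess VALUES ('simon', 'correct-horse')");

// Same pattern as authenticate.php: user input concatenated into the SQL text.
function count_matches_concatenated(PDO $db, string $username, string $password): int
{
    $sql = "select count(*) from siteaccess where username='$username' and password = '$password'";
    return (int) $db->query($sql)->fetchColumn();
}

// Placeholders keep the input as data; it is never parsed as SQL.
function count_matches_prepared(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare(
        'select count(*) from siteaccess where username = ? and password = ?'
    );
    $stmt->execute([$username, $password]);
    return (int) $stmt->fetchColumn();
}

$input = "' OR '1'='1";   // the value quoted in the post above

// The concatenated query matches every row because AND binds tighter than OR,
// so the trailing OR '1'='1' makes the whole WHERE clause true.
printf("concatenated, injected input: %d row(s)\n",
    count_matches_concatenated($db, 'bla', $input));

// The prepared statement compares the whole string against the password column.
printf("prepared, injected input:     %d row(s)\n",
    count_matches_prepared($db, 'bla', $input));

// A genuine login still works through the prepared statement.
printf("prepared, real credentials:   %d row(s)\n",
    count_matches_prepared($db, 'simon', 'correct-horse'));
```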
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

actually the biggest flaw (the one i was trying to make clear) is that you shouldn't trust user input (cookies included)

for example:

i put a "auth=ok" in a file, and then let curl retrieve all the pages with that file as cookie... the system will be fooled because it receives a cookie with auth=ok
sn202
Forum Commoner
Posts: 36
Joined: Thu Dec 16, 2004 7:30 pm

Post by sn202 »

Hi yeah I noticed that particular flaw "auth=ok" and have since changed it to check the username and password. As for the expiration dates, I will have a play with that and see if that helps,

Thanks

Si.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

most of the time, you don't want to save username and password in a cookie either... simply start a session... perhaps that sessionid in the cookie... so sessions can be continued at a later time...
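
The session approach suggested in the last reply, sketched as an added example that is not part of the original thread. The function names are hypothetical, $storedHash stands in for a password_hash() value read from the siteaccess table (an assumption; the thread's table stores the password directly), and the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. The browser only ever holds a random
// session id; the "logged in" state lives on the server, so a hand-made
// cookie such as auth=ok carries no meaning.

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from authenticate.php once the user's row has been fetched.
// $storedHash is assumed to be password_hash() output for that user.
function log_in(string $username, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);     // fresh id after the privilege change
    $_SESSION['user'] = $username;   // stored server-side, not in the cookie
    return true;
}

// Replaces the $_COOKIE['auth'] check at the top of every protected page.
function require_login(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: siteaccess.htm');
        exit();
    }
    return $_SESSION['user'];
}

// Ends the session on logout so the old id cannot be reused.
function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

// authenticate.php: start_secure_session(); then log_in(...) and redirect to roles.php
// other pages:      start_secure_session(); $user = require_login();
```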