Sessions Security

Posted: Thu Mar 16, 2006 12:52 pm
by icesolid
I currently use sessions for users logging on to a client's web site. I know that the method I use is not secure. I was wondering how I could make the login.php script more secure (md5, different session settings, naming the session), the somepage.php more secure, and whether the logout.php script is adequate. I really don't think I need to save the session_id(), because all I am using the session for is to gain access; after they log out I don't want anything saved as far as sessions go. I want them all erased on logout, even the session_id if possible. The code I currently use is listed below:

login.php

<?php
include("connect.php");

// Both values are lowercased and trimmed before use.
$username = strtolower(trim($_POST["username"]));
$password = strtolower(trim($_POST["password"]));

// The submitted values are placed directly into the query string.
$result = mysql_query("SELECT * FROM users WHERE username='$username' && password='$password'");
$row = mysql_fetch_array($result);

if(!$_POST["username"]) {
    header("Location: index.php");
    exit;
} elseif(!$_POST["password"]) {
    header("Location: index.php");
    exit;
} elseif($username == $row["username"] && $password == $row["password"]) {
    $result = mysql_query("SELECT username,user_code,account_type FROM users WHERE username='$username'");
    $row = mysql_fetch_array($result);

    // Store the user's details in the session after a successful login.
    session_start();
    $_SESSION["user"] = $row["username"];
    $_SESSION["user_code"] = $row["user_code"];
    $_SESSION["account_type"] = $row["account_type"];

    header("Location: index.php");
    exit;
} else {
    header("Location: index.php");
    exit;
}
?>
somepage.php

<?php
session_start();

if($_SESSION["account_type"] !== "Customer") {
    // Do not allow access: redirect and stop, so the rest of the page is not served
    header("Location: logout.php");
    exit;
}

if($_SESSION["account_type"] == "Customer") {
    // Allow access
}
?>
logout.php

<?php
session_start();
session_unset();          // remove all registered session variables
$_SESSION = array();      // empty the session array as well
session_destroy();        // destroy the server-side session data

header("Location: index.php");
exit;
?>
P.S. Sorry about the duplicate options on the poll, when I came back in to edit them they were not available for edit.

feyd | I've rebuilt your poll.

Posted: Mon Mar 20, 2006 2:40 pm
by icesolid
Any one with suggestions?

Posted: Mon Mar 20, 2006 3:51 pm
by Christopher
Here are a couple of quick things about the code, ignoring the broader security issues of using sessions.

- Use preg_replace to clean your usernames and passwords.

- Don't force passwords to lowercase, because mixed-case passwords are harder to guess.

- I think the code could be just:

// A missing account_type must be treated as "no access" too, so the check
// is !isset(...) || != "Customer" rather than isset(...) && != "Customer".
if(!isset($_SESSION["account_type"]) || ($_SESSION["account_type"] != "Customer")) {
    // Do not allow access
    header("Location: logout.php");
    exit;
} else {
    // Allow access
}

Posted: Mon Mar 20, 2006 4:08 pm
by s.dot
hmm, the poll

Sessions or Cookies
Cookies
Cookies
SSL
Other

haha where's the session choice :P

Posted: Mon Mar 20, 2006 4:12 pm
by shiznatix
I use sessions because I never want to turn a user away from my website for any reason (i.e., disabling cookies). I only use cookies as an optional feature (auto login) kind of deal. Cookies can be stolen more easily than a session.

I did not vote because the option for a session was not there.

Posted: Mon Mar 20, 2006 6:39 pm
by Buddha443556
shiznatix wrote: Cookies can be stolen easier than a session.
Not sure what you meant by that?

Posted: Tue Mar 21, 2006 9:15 am
by icesolid
The option for sessions was there when I posted the poll; I'm not sure what happened to it.

That's what I would have voted for!

Posted: Tue Mar 21, 2006 9:23 am
by Maugrim_The_Reaper
I would say sessions normally - no data is sent as clear text across the network, just a session id, and some minor cookie data you might require for maybe a remember-me feature.

Christopher wrote: Use preg_replace to clean your usernames and passwords.

Let's not forget ctype_alpha(), ctype_alnum(), etc.
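A hardened version of the three scripts from icesolid's first post, combining Christopher's and Maugrim's points (validate input, don't lowercase the password, treat a missing account_type as no access, use ctype_alnum()) with a prepared statement, password hashing, a fresh session id on login and a logout that also deletes the session cookie. This is an added example, not code from the thread; it assumes PHP 7.3 or later with mysqli (mysqlnd) and a users table whose password_hash column, which the original schema does not have, stores password_hash() output.

```php
<?php
// Added example (not the poster's code). Assumes PHP >= 7.3, mysqli with
// mysqlnd, and an assumed `password_hash` column holding password_hash() output.

// Before session_start(): session id only via cookie, HttpOnly and Secure.
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

function redirect(string $to): void {
    header("Location: $to");
    exit; // without exit the rest of the script still runs after the redirect
}

// login.php
function login(mysqli $db, string $username, string $password): bool {
    $username = trim($username);
    // Whitelist the username (ctype_alnum()); never lowercase the password.
    if ($username === '' || $password === '' || !ctype_alnum($username)) {
        return false;
    }
    // Prepared statement: the input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash, user_code, account_type FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;          // unknown user or wrong password: same answer
    }
    session_start();
    session_regenerate_id(true); // fresh id on login: defeats session fixation
    $_SESSION['user'] = $row['username'];
    $_SESSION['user_code'] = $row['user_code'];
    $_SESSION['account_type'] = $row['account_type'];
    return true;
}

// somepage.php: a missing account_type is treated as no access.
function require_customer(): void {
    session_start();
    if (($_SESSION['account_type'] ?? null) !== 'Customer') {
        redirect('logout.php'); // the exit in redirect() makes the check binding
    }
}

// logout.php: clear the data, delete the id cookie, destroy the server record.
function logout(): void {
    session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    redirect('index.php');
}
```

Deleting the cookie in logout() is what removes the session id from the browser, which is the part the original logout.php leaves behind.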