Basic secure php login without cookies

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
brendanh
Forum Newbie
Posts: 2
Joined: Thu Mar 22, 2007 1:19 pm

Basic secure php login without cookies

Post by brendanh »

Hi,

This is my first post, and I'm a php noob, so please forgive my undoubted incompetence :)

I'm trying to write a basic secure php login script using session variables only, it's only required for customers to log in to our site and download the full version of our game once purchased, and I don't mind making them login every time so decided against using cookies. I realise I'm not using encryption for the user passwords yet but obviously will do, with salt. Basically I'm trying to put in checks for user_agent and user_ip every page to ensure session hijacking alone is not enough..

If anyone could take the time to look over the code below and give me any comments or tips I would appreciate it.

process.php:

Code: Select all

<?php
$username=$_POST['user'];
$password=$_POST['pass'];
$browser=$_SERVER['HTTP_USER_AGENT'];
$ip=$_SERVER['REMOTE_ADDR'];
$link=mysql_connect("127.0.0.1", $username, $password) or die(mysql_error());
mysql_select_db("main", $link);
$query1=mysql_query("SELECT username, password FROM login WHERE username = '$username' AND password = '$password'")or die(mysql_error());
$query2=mysql_query("UPDATE login SET user_agent = '$browser' WHERE username = '$username' AND password = '$password'")or die(mysql_error());;
$query3=mysql_query("UPDATE login SET user_ip = '$ip' WHERE username = '$username' AND password = '$password'")or die(mysql_error());;
$result=mysql_num_rows($query1);
if ($result != 0) {
session_start();
$_SESSION ["logged_in"] = TRUE;
$_SESSION ["check_pw"] = "secret";
}
else {}
require('home_test.php');
?>
Main page, which runs process.php on login:

Code: Select all

<?php
session_start();
if (isset($_SESSION['logged_in']) == TRUE) {
$browser=$_SERVER['HTTP_USER_AGENT'];
$ip=$_SERVER['REMOTE_ADDR'];
$linkpw=$_SESSION["check_pw"];
$link=mysql_connect("127.0.0.1", "check", $linkpw) or die(mysql_error());
mysql_select_db("main", $link);
$query=mysql_query("SELECT user_agent, user_ip FROM login WHERE user_agent = '$browser' AND user_ip = '$ip'")or die(mysql_error());
$result=mysql_num_rows($query);
if ($result != 0) require('welcome.php');
}
else {
require('login.php');
session_destroy();
}
?>
I will also do similar checks to the main page on other pages, and it all seems to work but I'm sure there's got to be something wrong with it!!

Thanks in advance,
Brendan
Last edited by brendanh on Thu Mar 22, 2007 2:14 pm, edited 1 time in total.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

Without proper highlighting (a mod should fix it) I didn't read your code all that deeply.

That said... I did find sql injection problems...

Code: Select all

$username=$_POST['user'];
$password=$_POST['pass'];
/* ... */
$query1=mysql_query("SELECT username, password FROM login WHERE username = '$username' AND password = '$password'")or die(mysql_error());

Fix with mysql_real_escape_string()
brendanh
Forum Newbie
Posts: 2
Joined: Thu Mar 22, 2007 1:19 pm

Post by brendanh »

Apologies for the improper formatting, now corrected.

Thanks for the advice, will be sure to correct the code to have filtered input :)
Post Reply