Login code... Do you see gaps?
Posted: Sat Aug 22, 2009 4:24 pm
I am working on a small web app for our company and I think the login area is our biggest threat from the outside world. What changes would you recommend on the following code:
First the login page:
Code:
<?php
session_start();
// Build a one-time login token and keep a copy in the session.
$time = microtime() + (3467851);
$token = md5($time);
$_SESSION["token"] = $token;
$sessionID = session_id();
$expire = time() + (300); // the token is valid for five minutes
include "../includes/connect.php";
// Store the token server-side so checklogin.php can check it once and delete it.
mysql_query("INSERT INTO token (sessID, token, expire) VALUES ('$sessionID', '$token', '$expire')") or die(mysql_error());
I am setting the token into the session to keep from having to pass it in the form in a hidden field. Is that the best approach? The whole reason I did this was to knock down the cross-domain attacks.
The rest of the login page is just a normal form, but I do have an AJAX validation script that checks that the username and password are alphanumeric. If they are not, the user is notified and they are not allowed to submit.
The checklogin page (with some notes):
Code:
<?php
session_start();
include ("../includes/connect.php");
$sessID = mysql_real_escape_string(session_id());
// The token login.php put in the session; it has to match the one stored for this session id.
$token = isset($_SESSION['token']) ? mysql_real_escape_string($_SESSION['token']) : '';
$sql1="SELECT * FROM token WHERE sessID='$sessID' and token='$token'";
$result1=mysql_query($sql1);
$current=mysql_num_rows($result1);
$expire = time();
//I delete the tokens to stop multiple submits from someone from having more than one shot at getting in without going to my login screen every time.
mysql_query("DELETE FROM token WHERE sessID = '$sessID'");
//this is to clean up a token from someone who got to the login screen but closed their browser.
mysql_query("DELETE FROM token WHERE expire < '$expire'");
if($current!=1){
    session_destroy();
    die("<meta http-equiv='REFRESH' content='0;url=login.php'>");
}
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect against MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM user WHERE userName='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// mysql_num_rows counts the matching rows
$count=mysql_num_rows($result);
// If the result matched $myusername and $mypassword, there must be exactly one row
if($count==1){
    $stamp = date("m-d-Y - g:i a");
    $row = mysql_fetch_array($result);
    $userID = $row['ID'];
    $name = $row['fName'];
    $admin = $row['admin'];
    $_SESSION['userID'] = $userID;
    $_SESSION['name'] = $name;
    $_SESSION['admin'] = $admin;
    mysql_query("UPDATE user SET lastLogin='$stamp' WHERE ID='$userID'");
    echo "<meta http-equiv='REFRESH' content='0;url=../index.php'>";
}
else {
    echo "<meta http-equiv='REFRESH' content='0; url=login.php?error=1'>";
}
Then inside all of my pages I call this to check to see if they are logged in:
Code:
<?php
session_start();
// Anyone without a logged-in session is sent to the login page.
if(!isset($_SESSION['name'])){
    header("Location: http://www.fwbgo.net/smart/login/login.php");
    exit; // stop here, otherwise the rest of the page is still rendered after the redirect header
}
Have I approached this in the right way? Any tweaks?
I am still learning, so let me have it!
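For comparison, here is an added example (not the poster's code, and not a reply from the thread) of the same three pieces written the way a reviewer would want them: the login token is kept in the session and also sent in a hidden form field, and the two are compared on submit with a constant-time check, which is what actually blocks a cross-site form post (a token that only ever lives in the session is never something the attacker's form has to supply); the token is single-use and expires; the credential lookup uses a prepared statement instead of escaping; passwords are checked with password_verify() against a password_hash() value rather than a plaintext column; the session id is regenerated at login; and every redirect is followed by exit. It assumes a PDO connection in $pdo, a `user` table with columns id, userName, passwordHash, fName, admin and lastLogin, and form fields myusername, mypassword and csrf_token; the function names are hypothetical, and everything called is a standard PHP (7.1 or later) function.

```php
<?php
declare(strict_types=1);
session_start();

// Added example, not the original poster's code. Assumptions (not from the post):
// a PDO connection in $pdo; a `user` table with columns id, userName, passwordHash
// (stored with password_hash()), fName, admin, lastLogin; a form that posts
// myusername, mypassword and csrf_token. Function names here are hypothetical.

// --- login.php: issue the token --------------------------------------------
// The token lives in the session AND goes into the form as a hidden field.
// Comparing the two on submit is what defeats a cross-site POST: the attacking
// site cannot read the victim's session copy to put it in its forged form.
function issueLoginToken(): string
{
    if (empty($_SESSION['login_token'])) {
        // CSPRNG output instead of md5(microtime()), which an attacker can guess.
        $_SESSION['login_token']        = bin2hex(random_bytes(32));
        $_SESSION['login_token_expire'] = time() + 300;   // five-minute lifetime
    }
    return $_SESSION['login_token'];
}

function renderLoginForm(): string
{
    $token = htmlspecialchars(issueLoginToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="checklogin.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="myusername" autocomplete="username">'
         . '<input type="password" name="mypassword" autocomplete="current-password">'
         . '<input type="submit" value="Log in"></form>';
}

// --- checklogin.php: verify the token, then the credentials -----------------
function tokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['login_token'] ?? null;
    $expire   = $_SESSION['login_token_expire'] ?? 0;
    // Single use: drop the token before comparing, so a second submit (or a
    // replay of a captured one) fails without a fresh visit to login.php.
    unset($_SESSION['login_token'], $_SESSION['login_token_expire']);
    if ($submitted === null || $expected === null || time() > $expire) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: the input is bound, never spliced into the SQL text,
    // so no stripslashes()/mysql_real_escape_string() is needed.
    $stmt = $pdo->prepare('SELECT id, fName, admin, passwordHash FROM user WHERE userName = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a bcrypt hash, never a stored plaintext password. When the
    // username is unknown, still run a verify so the response time does not
    // reveal which usernames exist.
    $hash = $row ? (string)$row['passwordHash'] : password_hash('placeholder', PASSWORD_BCRYPT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    return $row;
}

function handleLogin(PDO $pdo): void
{
    if (!tokenIsValid($_POST['csrf_token'] ?? null)) {
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $user = authenticate($pdo, (string)($_POST['myusername'] ?? ''), (string)($_POST['mypassword'] ?? ''));
    if ($user === null) {
        header('Location: login.php?error=1');
        exit;
    }
    // Fresh session id on login: an id an attacker planted before login
    // (session fixation) must not become an authenticated session.
    session_regenerate_id(true);
    $_SESSION['userID'] = (int)$user['id'];
    $_SESSION['name']   = $user['fName'];
    $_SESSION['admin']  = (bool)$user['admin'];
    $pdo->prepare('UPDATE user SET lastLogin = NOW() WHERE id = :id')->execute([':id' => $user['id']]);
    header('Location: ../index.php');
    exit;
}

// --- included at the top of every protected page ---------------------------
function requireLogin(): void
{
    if (empty($_SESSION['userID'])) {
        header('Location: /smart/login/login.php');
        exit;   // without exit, the protected page still renders after the redirect header
    }
}
```

Usage: login.php echoes renderLoginForm(), checklogin.php calls handleLogin($pdo), and each protected page calls requireLogin() before any output. The client-side AJAX check that the username and password are alphanumeric is a usability aid only, since an attacker posts directly to checklogin.php; the prepared statement and password_verify() are the controls that hold regardless of what the browser sends.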