Need expert advice about production environment, security, a

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

leulae
Forum Newbie
Posts: 14
Joined: Fri Jan 01, 2010 2:48 am

Need expert advice about production environment, security, a

Post by leulae »

Need expert advice about production environment, security, and session

I am new to PHP and I am building a login system. This is the way I think it should work; the database handling part is not integrated yet.

The HTML form calls login.php, and by using userMan.php I decided to authenticate the user and manage the session. To log out I use the endUserSession() function. To go ahead from this point I need some comments to carry on the work. Thanks in advance.


Login.php
<?php
require_once("userManage.php");

// Read the submitted credentials, defaulting to empty strings so that a
// missing form field does not raise a notice.
$userID   = isset($_POST['userID'])   ? $_POST['userID']   : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$a = new UserMan();

if ($a->auth($userID, $password)) {
    $a->startUserSession($userID);
    header("Location: loginsuccess.php");
    // header() only sends the redirect; the script keeps running from here
} else {
    print "Invalid";
}
?>

userManage.php
<?php
class UserMan {

    // Test stub: allows login whenever the user id and password are equal.
    // The real database lookup goes here.
    function auth($pUserID, $pPassword) {
        if ($pUserID == $pPassword) {
            return true;
        } else {
            return false;
        }
    } // auth()

    // Reports whether a user id is present in the session.
    // Note: $_SESSION is only populated after session_start() has been called.
    function isSession() {
        if (isset($_SESSION['userID'])) {
            return true;
        } else {
            return false;
        }
    } // isSession()

    // Starts the session and records the logged-in user id.
    function startUserSession($pUserID) {
        session_start();
        $_SESSION["userID"] = $pUserID;
    } // startUserSession()

    // Clears the user id, destroys the session and redirects to the logged-out page.
    function endUserSession() {
        session_start();
        if (isset($_SESSION['userID'])) {
            unset($_SESSION['userID']);
        }
        session_destroy();
        header("Location: loggedOut.html");
    } // endUserSession()

} // class UserMan
?>
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Need expert advice about production environment, security, a

Post by flying_circus »

Is this supposed to be pseudo code?

In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?

Never store usernames or passwords in a session variable. Store a user index from the database.

Always terminate your script after calling a redirect.

Why don't you start your session at the start of each page?
leulae
Forum Newbie
Posts: 14
Joined: Fri Jan 01, 2010 2:48 am

Re: Need expert advice about production environment, security, a

Post by leulae »

flying_circus wrote:Is this supposed to be pseudo code?

In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?

Never store usernames or passwords in a session variable. Store a user index from the database.

Always terminate your script after calling a redirect.

Why don't you start your session at the start of each page?

Need expert advice about production environment, security, and session

Is this supposed to be pseudo code?
Yes, this is like pseudo code.

In your auth function, you only allow the user to proceed with the login routine if the username and password match each other?
For test purposes I wrote it to allow logging in when the username and password match each other.



Never store usernames or passwords in a session variable. Store a user index from the database.
Ok thanks, I will not store the username and password in the session.

Always terminate your script after calling a redirect.
I couldn’t get the idea of what you mentioned: “Always terminate your script after calling a redirect.”

Why don't you start your session at the start of each page?
I hope to start the session on every page, and the function startUserSession($pUserID) also starts the session.
I welcome your guidance.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Need expert advice about production environment, security, a

Post by kaisellgren »

Wouldn't it be wiser to show us your production code rather than the "test" code?
leulae wrote:Couldn’t get the idea what you mentioned “Always terminate your script after calling a redirect.”
The header() call will do nothing more than just send an HTTP header. It will not stop your script from executing. Your script will still continue its execution and sometimes this can be a bad thing.

Usually, when you send the location header, it's clever to terminate the execution:


header('Location: index.php');
exit();
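As an added example (not code from this thread), here is a single-file PHP page that applies the advice from both replies above: session started once at the top, only a database row id stored in the session, and the redirect followed by exit. The broken guard without exit is kept alongside the fixed one to show what leaks; the users array is a constructed stand-in for a database table, and the field names userID and password are taken from the original form.

```php
<?php
// Added example, not the thread's code: a login handler plus a protected page
// done the way the replies advise, with the broken guard kept for contrast.
// Assumption: users are rows keyed by id; the session stores only that id.
declare(strict_types=1);
session_start(); // once, at the top of every page, before touching $_SESSION
// Constructed stand-in for a users table: id => [name, password_hash].
$users = [
    42 => ['name' => 'alice', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
// Return the user's database id on success, null otherwise.
function authenticate(array $users, string $name, string $password): ?int
{
    foreach ($users as $id => $row) {
        if ($row['name'] === $name && password_verify($password, $row['hash'])) {
            return $id;
        }
    }
    return null;
}

// BROKEN guard: header() only queues a response header; without exit the
// protected content below still runs and is sent, and a client that ignores
// the 302 (e.g. curl without -L) reads it in full.
function requireLoginBroken(): void
{
    if (!isset($_SESSION['uid'])) {
        header('Location: login.php');
    }
}

// FIXED guard: stop the script immediately after the redirect.
function requireLogin(): void
{
    if (!isset($_SESSION['uid'])) {
        header('Location: login.php');
        exit;
    }
}

// Login: rotate the session id (blocks session fixation) and store only the row id.
$uid = authenticate($users, $_POST['userID'] ?? '', $_POST['password'] ?? '');
if ($uid !== null) {
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    header('Location: loginsuccess.php');
    exit; // the same rule applies to the success redirect
}
requireLogin(); // swap in requireLoginBroken() to observe the leak
echo "Secret report for user #{$_SESSION['uid']}";
```

Requesting the page anonymously with the broken guard returns both the 302 and the secret body; with the fixed guard only the redirect is sent.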