Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
1. Cleartext transmission of password is insecure. Use client-side hashing.
2. SHA1 has weaknesses. Technically, it probably isn't a sufficient break to impact hash/login checks, but for an ideal 'secure' solution, might as well use sha256.
3. Presumes security of file (passwd.txt) potentially on shared host - be very certain that filesystem security is strong.
4. Assumes register_globals is off. If it isn't, the user can override $_GET['admin'] = 1, which will set $_SESSION['admin'] = 1, which isn't set to a default value. Same for several other variables in the script.
5. Session should be regenerated upon login.
6. The method for generating the salt isn't specified - it may be predictable.
adamduren wrote: Can you rewrite the code, because I really don't get what your messages about client side and stuff mean.
Sorry, no.
I'll answer the questions however.
Client side means use JavaScript to change the password to a hash before sending it to the server (to the PHP page). If you use a password field, and don't use JavaScript to hash it before sending, you are sending the password in cleartext. This means that an attacker can "sniff" the network, and see the password go by.
stukov wrote: About client-side scripting: what if the client disabled JavaScript?
Depends on the site. If security is important enough, disallow the login.
If security isn't as important, then allow them to log in, but inform them that their login was insecure, and that they should enable JavaScript to protect themselves.
<?php
// Error reporting from the original script: the error level set during the
// failed login is turned into a message for the user.
switch ($_SESSION['errorlevel']) {
    case 1:
        print("Invalid Username. Please try again.");
        break;
    case 2:
        print("Invalid Password. Please try again.");
        break;
    default:
        print("Please type a username and a password.");
        break;
}
-- cut --
BTW: Best security practices say you should not inform the unauthenticated user of the exact reason for the failure, as this would tell an attacker that they have a valid username and just need to discover a valid password.
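To tie the thread together, here is an added example (not code from the original poster or any reply) of a login check that addresses the reviewer's items 2 through 6 and the note above about not revealing which half of the credentials was wrong. It assumes a flat file passwd.txt holding one "username:salt:sha256hex" record per line, a landing page /welcome.php, and a form posting username and password; all of those are assumptions for the example. It keeps the thread's sha256 approach; on PHP 5.5 or later, password_hash() and password_verify() would be the preferred replacement for the manual salt-and-hash steps.

```php
<?php
// Added example, not code from the thread. Assumed layout: one
// "username:salt:sha256hex" record per line in $PASSWD_FILE.
$PASSWD_FILE = __DIR__ . '/passwd.txt';   // assumed path; keep it outside the web root

// Item 6: take the salt from a cryptographically secure source, never rand() or time().
function make_salt($bytes = 16) {
    if (function_exists('random_bytes')) {           // PHP 7+
        return bin2hex(random_bytes($bytes));
    }
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no secure random source available');
    }
    return bin2hex($raw);
}

// Item 2: sha256 instead of sha1, salted per user.
function hash_password($password, $salt) {
    return hash('sha256', $salt . $password);
}

// Constant-time comparison, so the check does not leak how many leading hash characters matched.
function hashes_equal($a, $b) {
    if (function_exists('hash_equals')) {            // PHP 5.6+
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) { return false; }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Item 3: on a shared host, refuse to run if other users can read the password file.
function check_passwd_file_perms($path) {
    $perms = fileperms($path);
    if ($perms === false) { throw new RuntimeException("cannot stat $path"); }
    if ($perms & 0044) {                             // group- or world-readable
        throw new RuntimeException("$path is readable by other users");
    }
}

// Appends a record; this is how the salt ends up beside the hash.
function add_user($path, $username, $password) {
    $salt = make_salt();
    $line = $username . ':' . $salt . ':' . hash_password($password, $salt) . "\n";
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}

function find_user($path, $username) {
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(':', $line, 3);
        if (count($parts) === 3 && $parts[0] === $username) {
            return array($parts[1], $parts[2]);
        }
    }
    return null;
}

// Returns true on success. A wrong username and a wrong password follow the same
// path and yield the same error code, so the message cannot confirm a username.
function login($path, $username, $password) {
    $record = find_user($path, $username);
    // Hash even when the user is unknown, so response time does not reveal valid usernames.
    list($salt, $stored) = $record ? $record : array(make_salt(), str_repeat('0', 64));
    $ok = $record && hashes_equal(hash_password($password, $salt), $stored);
    if (!$ok) {
        $_SESSION['errorlevel'] = 1;                 // one generic code for both failures
        return false;
    }
    session_regenerate_id(true);                     // item 5: fresh session id after login
    $_SESSION['admin'] = 0;                          // item 4: set explicitly, never from request data
    $_SESSION['user'] = $username;
    return true;
}

session_start();
if (!isset($_SESSION['admin'])) { $_SESSION['admin'] = 0; }   // item 4: explicit default
check_passwd_file_perms($PASSWD_FILE);

if (isset($_POST['username'], $_POST['password'])) {
    if (login($PASSWD_FILE, $_POST['username'], $_POST['password'])) {
        header('Location: /welcome.php');            // assumed landing page
        exit;
    }
    print("Invalid username or password. Please try again.");
}
```

The thread's switch distinguished errorlevel 1 (bad username) from 2 (bad password); this version folds both into a single code and a single message, which is the change the closing note asks for. The dummy hash for unknown users keeps the failure path's timing similar to the real one, so an attacker cannot tell the two cases apart by response time either.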