I have been reading a lot into $_SESSION variables and their uses. I have used them in the admin section of the website I am working on for a sorority, but now that I am almost done, I want to know that I have given them a secure website that will not be easily broken into and vandalized. My basic strategy has been that when someone logs into the admin section, I issue them a session ID. This ID is stored as a session variable along with their username and also stored in the database next to their user name. Whenever they access a new page in the admin section, the webpage will check the session variables of username and SID against those stored in the database. This is pretty much the extent of my security. Is this a pretty secure concept?
As far as improvements go, I have thought about including their IP and checking that every time. I have thought about making a timeout where, if they don't access a new page within XX amount of time, they will have to log in again. All suggestions are welcome.
Thanks in advance,
Tehquickness
How secure is my user authentication concept
-
Tehquickness
- Forum Commoner
- Posts: 32
- Joined: Mon Oct 24, 2005 11:31 pm
I'm sure there are other and better ways to do this, but I usually use a
variation of the following basic authentication code:
The login page script:
<?php
session_start();
header("Cache-control: private"); // IE 6 Fix

// DB LINK CODE: db.php is assumed to create $db, a mysqli connection
include "db.php";

$bad = 0; // used for bad login prompting

// FORM SUBMITTED?
if (isset($_POST['username']) && isset($_POST['password']))
{
    $user = $_POST['username'];
    $pass = $_POST['password'];

    // Prepared statement: the submitted values never become part of the SQL text.
    // The password column holds a password_hash() value, not the plain password.
    $stmt = $db->prepare("SELECT fullname, password FROM users WHERE username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($name, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($pass, $hash)) { $bad++; }
    else
    {
        // Issue a fresh session ID on login (defeats session fixation) and register variables
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        $_SESSION['name'] = $name;
    }
}
// PUT LOGIN FORM BELOW
?>
The logout page script:
<?php
session_start();
header("Cache-control: private"); // IE 6 Fix
$_SESSION = array();
// Expire the session cookie in the browser as well, not only the server-side data
if (ini_get("session.use_cookies")) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
}
session_destroy();
header('Location: somewhere.php'); // header() returns nothing, so there is no value to assign
exit;
?>
Then, for any page with content that you want to protect (or customize), simply include an "auth.php" at the top of the script.
The authentication script: (auth.php)
<?php
session_start();
header("Cache-control: private"); // IE 6 Fix
// session_is_registered() was removed in PHP 5.4; test the $_SESSION array directly
if (isset($_SESSION['user']))
{
    $user = $_SESSION['user'];
    $name = $_SESSION['name'];
}
else
{
    $_SESSION = array();
    session_destroy();
    header('Location: unauthorized.php');
    exit;
}
?>
-
programmermatt
- Forum Commoner
- Posts: 65
- Joined: Tue Mar 15, 2005 5:03 pm
- Contact:
The basics will work, but they won't do much to keep someone who really wants to get in from getting in. Personally I think that IP and timeout functionality are a must for any authentication design (though it is a nice touch to add a 'remember me' option that they can use when they are on a computer they would deem secure). You can take it further with a challenge-response mechanism, SSL and many other things, but even after you implement those you still have your biggest problem: your users. You can't trust them to be safe, to log out when they are done on a public computer, to not share their password, to have an alphanumeric+special character 12 letter password, etc.
- R4000
- Forum Contributor
- Posts: 168
- Joined: Wed Mar 08, 2006 12:50 pm
- Location: Cambridge, United Kingdom
I normally use something along the lines of:
<?php
// THIS CODE MAY NOT WORK, IT IS NOT TESTED AND IS MAINLY A CONCEPT \\
session_start();

function isLoggedIn($un){
    if (!isset($_SESSION['uniq_id'])) { return false; }  // nothing stored yet
    // setSession() base64-encodes the string, so decode it before splitting
    $uid = explode("|", base64_decode($_SESSION['uniq_id']));
    if (count($uid) != 3) { return false; }
    // parts: [0] md5(username), [1] login timestamp, [2] md5(client IP)
    if (md5($un) === $uid[0] && time() <= (int)$uid[1] + 3600 && md5($_SERVER['REMOTE_ADDR']) === $uid[2]) {
        return true;
    }
    return false;
}

function setSession($username) {
    $_SESSION['uniq_id'] = base64_encode(md5($username) . "|" . time() . "|" . md5($_SERVER['REMOTE_ADDR']));
}

if(!isLoggedIn("demo")){
    setSession("demo");
    echo "You wasn't logged in, but now are.";
} else {
    echo "You are logged in...";
}
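The OP's concept (a per-login token stored next to the username in the database and checked on every admin page), with the idle timeout and IP check programmermatt suggests and the timestamp/IP fields of R4000's session string, as one added example that is not code from anyone in this thread. $users, $session, IDLE_TIMEOUT and the demo user are assumptions so that the script runs from the command line without a database.

```php
<?php
// Added example, not code from the thread: the OP's per-login token stored "next to
// the username" in the database and checked on every page, plus programmermatt's
// idle timeout and optional IP binding. $users stands in for the database table and
// $session for $_SESSION so it runs from the CLI; all names/values are constructed.
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before the user must log in again

function login(array &$users, array &$session, string $user, string $pass, string $ip): bool {
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) return false;
    $token = bin2hex(random_bytes(32));   // unguessable, unlike a counter or md5(name)
    $users[$user]['token'] = $token;      // the value the OP keeps in the DB row
    $session = ['user' => $user, 'token' => $token, 'last' => time(), 'ip' => $ip];
    // In a real request also call session_regenerate_id(true) here (session fixation).
    return true;
}

function isAuthenticated(array $users, array &$session, string $ip, bool $bindIp = false): bool {
    if (!isset($session['user'], $session['token'], $session['last'])) return false;
    $stored = $users[$session['user']]['token'] ?? null;   // null: logged out or revoked
    if ($stored === null || !hash_equals($stored, $session['token'])) return false; // constant-time
    if (time() - $session['last'] > IDLE_TIMEOUT) return false;  // idle too long
    // IP binding is optional: it breaks for users behind rotating proxies or mobile NAT
    if ($bindIp && !hash_equals($session['ip'], $ip)) return false;
    $session['last'] = time();            // sliding window: activity extends it
    return true;
}

function logout(array &$users, array &$session): void {
    if (isset($session['user'])) $users[$session['user']]['token'] = null; // revoke server-side
    $session = [];                        // a web page would also call session_destroy()
}

// Constructed demo data: one user whose stored password is a password_hash() value
$users = ['alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'token' => null]];
$session = [];
$ip = '203.0.113.5';
var_dump(isAuthenticated($users, $session, $ip));                // before any login
var_dump(login($users, $session, 'alice', 'wrong password', $ip));
var_dump(login($users, $session, 'alice', 'correct horse', $ip));
var_dump(isAuthenticated($users, $session, $ip, true));
$session['last'] -= IDLE_TIMEOUT + 1;                            // simulate inactivity
var_dump(isAuthenticated($users, $session, $ip));
logout($users, $session);
var_dump(isAuthenticated($users, $session, $ip));
```

Because the token is revoked in the users table on logout, a copied session cannot be replayed after the real user logs out, which a check on $_SESSION alone would not catch.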
-
Tehquickness
- Forum Commoner
- Posts: 32
- Joined: Mon Oct 24, 2005 11:31 pm
I understand themurph's code except for the $bad variable; what is that for? I assume it is some kind of variable to detect too many failed attempts. Now I am a little less clear about R4000's code. First off, what does $un represent? Username maybe? Second, why do you explode $uid? I am guessing that maybe in the login script you join together USERNAME | TIMESTAMP | REMOTE_ADDRESS into one string which is stored as $_SESSION['uniq_id']? And then the bottom function is the actual session creation. In the second function what is the if statement for?
Thanks for the help.