Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Is the following function enough for a secure login:
function checkUser(){
    // Redirect visitors without a valid session flag to the login page
    if ((!isset($_SESSION['validUser'])) || ($_SESSION['validUser'] != true)){
        header('Location: login.php');
        exit; // stop here, otherwise the protected page body is still sent after the redirect header
    }
}
So basically all they have to have is a spoofed session var of 'validUser' with a value of TRUE and they're in.
I can only speak for myself of course, but I would check the user via session data -> database on every page request. Once they're logged in, use a second table (let's call it `logins`) and record their login time, IP, user ID value, (whatever else you find useful) and a unique token that identifies this session (not the SID). Check on these values and update the time. If you want to store a 'remember me' cookie, check for this data in the cookie first, then the session, then redirect to the login page.
Your login script seems to check a clear text password? Don't you store the password as a hashed value? Use at least SHA1 and a salt.
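The scheme bdlang describes (session carries only a token, the database decides whether that token is a live login, the timestamp is refreshed on each request), written out as an added example that is not code from the thread. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names (`users`, `logins`, `token`, `last_seen`), the 30-minute inactivity limit and the sample user are assumptions. For the password it uses PHP's `password_hash()`, which applies a random per-user salt, in place of the SHA1-plus-salt the post mentions.

```php
<?php
// Added example (not from the thread): server-side validation of a login token.
// Schema, column names and the lifetime policy are assumptions made for the demo.
declare(strict_types=1);

const SESSION_LIFETIME = 1800; // seconds of inactivity before a login row is dropped (assumed policy)

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
        $pdo->exec('CREATE TABLE logins (user_id INTEGER, token TEXT UNIQUE, ip TEXT,
                    logged_in_at INTEGER, last_seen INTEGER)');
        // Constructed sample user; password_hash() adds a random salt per user.
        $st = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
        $st->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Login: verify the stored hash, then insert a `logins` row keyed by a random token.
// Only that token goes into the session; nothing else in $_SESSION is trusted later.
function login(string $username, string $password, string $ip): bool {
    $st = db()->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    $token = bin2hex(random_bytes(32));
    $now = time();
    $st = db()->prepare('INSERT INTO logins (user_id, token, ip, logged_in_at, last_seen) VALUES (?, ?, ?, ?, ?)');
    $st->execute([(int) $row['id'], $token, $ip, $now, $now]); // IP is stored, not checked
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh SID after the privilege change
    }
    $_SESSION['login_token'] = $token;
    return true;
}

// Per-request check: returns the user id if the session's token is a live login, else null.
function currentUserId(): ?int {
    $token = $_SESSION['login_token'] ?? null;
    if (!is_string($token) || $token === '') {
        return null;
    }
    $st = db()->prepare('SELECT user_id, last_seen FROM logins WHERE token = ?');
    $st->execute([$token]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown token: forged, or already logged out
    }
    if (time() - (int) $row['last_seen'] > SESSION_LIFETIME) {
        db()->prepare('DELETE FROM logins WHERE token = ?')->execute([$token]);
        return null; // expired through inactivity
    }
    db()->prepare('UPDATE logins SET last_seen = ? WHERE token = ?')->execute([time(), $token]);
    return (int) $row['user_id'];
}

// Replacement for the checkUser() in the question: redirect AND stop, otherwise the
// protected page body is still sent after the Location header.
function requireLogin(): int {
    $uid = currentUserId();
    if ($uid === null) {
        header('Location: login.php');
        exit;
    }
    return $uid;
}

// Stand-alone run (CLI): a forged $_SESSION['validUser'] = true gets nobody in.
if (PHP_SAPI === 'cli') {
    $_SESSION = ['validUser' => true];                               // what the original check trusted
    var_dump(currentUserId());                                       // NULL
    var_dump(login('alice', 'wrong password', '192.0.2.10'));        // false
    var_dump(login('alice', 'correct horse battery', '192.0.2.10')); // true
    var_dump(currentUserId());                                       // int(1)
}
```

In a real page the protected script would call `session_start()` and then `requireLogin()` before emitting any output. Logging out is a `DELETE` of the token's row, which also lets an administrator terminate any individual login without touching the user's session store.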
bdlang wrote:
I can only speak for myself of course, but I would check the user via session data -> database every page request. Once they're logged in, use a second table (let's call it `logins`) and record their login time, IP, user ID value, (whatever else you find useful) and a unique token that identifies this session (not the SID). Check on these values and update the time. If you want to store a 'remember me' cookie, check for this data in the cookie first, then the session, then redirect to login page.
Your login script seems to check a clear text password? Don't you store the password as a hashed value? Use at least SHA1 and a salt.
I think you have gone a little overboard checking the IP: it can change, especially if the user is on a DHCP network, or depending on where they logged in from (country, city). Some may see it as an invasion of privacy.
Use the user ID value from the table and the time when they logged in (to expire the session), and put the things you settle on in the privacy agreement so you don't have any problems later.
is great for development, but not great when the site is live. People can learn from that where your classes live and all sorts of details that should be no one's business.
Once the site is live, have the error logged to a log file (and, if you want to be extremely thorough, email the admin with the error and session details) and redirect the visitor to a generic page à la "database problem, please try again".
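The production setup described in the post above, as an added example rather than code from the thread: errors are never displayed, every PHP error and uncaught exception is written to a log with full detail, and the visitor only sees a generic page. The log path, the `error.php` page name and the admin address are assumptions; the mail step is left as a commented call because it depends on the server having a configured MTA.

```php
<?php
// Added example (not from the thread): production error handling that logs detail
// server-side and shows the visitor a generic page. Paths and names are assumptions.
declare(strict_types=1);

// Assumed log location for the demo; in production use a path outside the web root.
const ERROR_LOG_FILE = __DIR__ . '/php-errors.log';
const ADMIN_EMAIL    = 'admin@example.com'; // placeholder address

function configureErrorHandling(bool $production): void {
    error_reporting(E_ALL);
    if (!$production) {
        ini_set('display_errors', '1'); // development: show everything in the browser
        return;
    }
    // Live site: never echo errors; they reveal file paths, class names and queries.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', ERROR_LOG_FILE);

    // Turn warnings/notices into exceptions so a single handler deals with all of them.
    set_error_handler(function (int $no, string $str, string $file, int $line): bool {
        throw new ErrorException($str, 0, $no, $file, $line);
    });
    set_exception_handler('handleFatal');
}

function handleFatal(Throwable $e): void {
    // Full detail goes to the log only. The session id identifies the visit for
    // debugging without copying session contents (which may hold private data) into the log.
    $detail = sprintf(
        "[%s] %s: %s in %s:%d\n%s\nsession_id=%s uri=%s\n",
        date('c'), get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString(), session_id(), $_SERVER['REQUEST_URI'] ?? '-'
    );
    error_log($detail);
    // Optional notification, per the post; needs a working mail setup on the host:
    // mail(ADMIN_EMAIL, 'Application error', $detail);

    if (!headers_sent()) {
        header('Location: error.php'); // generic "problem, please try again" page
    }
    exit;
}

// Stand-alone run (CLI): the bad call below ends in handleFatal(), which logs and stops.
if (PHP_SAPI === 'cli') {
    configureErrorHandling(true);
    strlen(); // ArgumentCountError: logged to ERROR_LOG_FILE, nothing shown to the "visitor"
}
```

Call `configureErrorHandling(getenv('APP_ENV') === 'production')` as the first statement of the common include so that the handlers are in place before any database or session code runs; a failure in that early code is exactly the kind that otherwise prints a stack trace with connection details.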
Rovas wrote: I think you have gone a little overboard checking the IP: it can change, especially if the user is on a DHCP network, or depending on where they logged in from (country, city). Some may see it as an invasion of privacy.
Use the user ID value from the table and the time when they logged in (to expire the session), and put the things you settle on in the privacy agreement so you don't have any problems later.
You're right of course. I don't check the IP, I just store it with the user's login data, out of habit I suppose.