Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
if (isset($_SESSION['user']) && isset($_SESSION['pass'])) {
    // user is logged in
}
Is the above code sufficiently secure? Any other suggestions or corrections?
Another thing: is session cache expire used in the correct way? I am using a 10-minute cache expire time.
The sessions aren't really the part where we have a lot of security problems... You shouldn't have too much concern. The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?
superdezign wrote: The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?
I am using all the measures I am aware of (mysql_real_escape_string, validating, data filtering, etc.), but I am currently concerned regarding clearing the sessions after 10 mins.
In this version of accesscontrol I am not showing you the mysql_real_escape_string and others... but in the final version I will be using it, if you are concerned about SQL injection.
<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';
// session_cache_expire() sets the HTTP cache lifetime (in minutes) of pages
// served under a session, not how long the session itself lives; it has to be
// called before session_start().
session_cache_expire(10);
session_start();
// Fall back to the session values only when they exist, so a first visit
// without a POST does not raise an undefined-index notice.
$user = isset($_POST['user']) ? $_POST['user']
      : (isset($_SESSION['user']) ? $_SESSION['user'] : null);
$pass = isset($_POST['pass']) ? $_POST['pass']
      : (isset($_SESSION['pass']) ? $_SESSION['pass'] : null);
if (!isset($user)) {
?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for instant access!</p>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
User ID: <input type="text" name="user" size="8" /><br />
Password: <input type="password" name="pass" size="8" /><br />
<input type="submit" value="Log in" />
</form>
</body>
</html>
<?php
exit;
}
// The credentials are stored in the session before they have been checked
// and are re-checked against the database on every request.
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
dbConnect("mysql");
// $user and $pass are interpolated into the query unescaped here; the poster
// says escaping is added in the final version.
$sql = "SELECT * FROM member WHERE
userid = '$user' AND password = sha1('$pass')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details');
}
if (mysql_num_rows($result) == 0) {
// Wrong user or password: drop the stored credentials again.
unset($_SESSION['user']);
unset($_SESSION['pass']);
?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
exit;
}
$username = mysql_result($result, 0, 'fullname');
?>
In the signup process I take the user name and check if it exists, and if it doesn't I continue with validation.
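As an added example (not the poster's code and not from this forum), here is a hardened accesscontrol.php that addresses the three points raised in the thread: session_cache_expire() does not end a login, so the idle timeout is tracked with a timestamp in the session; the password is never kept in the session, only the verified identity; and the lookup uses a prepared statement plus password_verify() instead of interpolating the credentials into sha1('$pass'). Assumed: a member table with id, userid, fullname and password_hash columns, built here in an in-memory SQLite database so the file runs offline; the 600-second idle limit mirrors the 10 minutes in the post; the function names are made up for this example.

```php
<?php // hardened_accesscontrol.php (added example, not the poster's code)
declare(strict_types=1);

// Assumption: idle logins end after 10 minutes, as in the original post.
const IDLE_TIMEOUT = 600;

// session_cache_expire() only sets the HTTP cache lifetime sent for session
// pages; it never ends a login. Expiry has to be tracked in the session itself.
function sessionIsValid(array &$session, int $now, int $idle = IDLE_TIMEOUT): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return false;
    }
    if ($now - (int) $session['last_seen'] > $idle) {
        $session = [];               // idle too long: forget the login entirely
        return false;
    }
    $session['last_seen'] = $now;    // sliding expiry: every request extends it
    return true;
}

// Check credentials with a bound parameter (the username is data, never SQL)
// and a salted hash verified in PHP, instead of sha1('$pass') in the query.
// Returns the member row without the hash, or null on failure.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // Verify against a fixed dummy hash when the user does not exist, so the
    // response time does not reveal which usernames are registered.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'SELECT id, userid, fullname, password_hash FROM member WHERE userid = :u'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $ok = password_verify($pass, $row['password_hash'] ?? $dummyHash);
    if ($row === false || !$ok) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// After a successful authenticate(): keep only the identity in the session
// (never the password) and rotate the id so a session id planted before
// login cannot be reused by an attacker (session fixation).
function loginSession(array $member, int $now): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'   => (int) $member['id'],
        'fullname'  => (string) $member['fullname'],
        'last_seen' => $now,
    ];
}

// Constructed demo data so the file runs offline: an in-memory SQLite table
// with the assumed columns. The site would use its own dbConnect() instead.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, userid TEXT UNIQUE,
               fullname TEXT, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO member (userid, fullname, password_hash)
                         VALUES (?, ?, ?)');
    $ins->execute(['alice', 'Alice Example',
                   password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

// Request flow, replacing the $_SESSION['user'] / $_SESSION['pass'] logic.
session_cache_limiter('nocache');   // keep logged-in pages out of shared caches
session_start();
$now = time();
$db  = demoDb();

if (isset($_POST['user'], $_POST['pass'])) {
    $member = authenticate($db, (string) $_POST['user'], (string) $_POST['pass']);
    if ($member === null) {
        http_response_code(403);
        exit('Access Denied');      // same message for unknown user and wrong password
    }
    loginSession($member, $now);
}

if (!sessionIsValid($_SESSION, $now)) {
    http_response_code(401);
    exit('Login Required');         // the original login form would be rendered here
}

$username = $_SESSION['fullname']; // escape with htmlspecialchars() when echoed
```

Because the query binds the username, a value such as ' OR '1'='1 is compared literally against userid and matches no row, and the session only ever holds the numeric id and display name, so a leaked session file no longer exposes a password.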