So I have spent a while looking up PHP secure login examples/texts/discussions, and come up with some code. I would appreciate it if someone could scan it over and look for any obvious vulnerabilities in it. As well as that, I now have the problem of keeping the user logged in. I have read that it is possible for an attacker to spoof a session id, so I am not sure what the most secure way to do this is. I thought that after login I could set some session variable isAuthed to 1 and then check this on subsequent pages. But if the session can be hijacked then won't this be useless? Storing the username and password in the session would be similarly useless in such a case too, wouldn't it? If someone steals a session id, then as far as the server is concerned it is the correct user, and as sessions are on the server everything would authenticate fine. That is my assumption/conclusion anyway, I could be wrong. Is there a good article I can read that will clarify these?
My login code currently looks like this:
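Code:
<?php
// Read the submitted credentials (empty string if a field is missing).
$u = isset($_POST['uname']) ? $_POST['uname'] : '';
$p = isset($_POST['pword']) ? $_POST['pword'] : '';
// Base URL of the directory this script lives in.
$base = 'http://'.$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
// Only accept requests whose Referer is the login form (the header is sent by the client).
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == $base.'/login.php')
{
    if ($u && $p)
    {
        $u = strip_tags(stripslashes($u));
        include("../../func/uchk.php"); // expected to define the connection $c used below
        $u = mysql_real_escape_string(htmlentities($u));
        // Fetch the stored record for this user name.
        $q = mysql_query('SELECT regtime, uname, pword FROM rdusers WHERE uname=\''.$u.'\' LIMIT 1');
        $r = mysql_fetch_row($q);
        mysql_close($c);
        $q = NULL;
        $c = NULL;
        // Hash the submitted password, using the registration time as the salt.
        $p = crypt(md5(crypt(sha1($p), $r[0])), $r[0]);
        // Strict comparison, so no type juggling between the compared strings.
        if ($u === $r[1] && $p === $r[2])
        {
            $u = NULL;
            $p = NULL;
            $r = NULL;
            //init session
            header('Location: '.$base.'/main.php');
            exit;
        }
    }
}
// Any failure sends the user back to the login form.
header('Location: '.$base.'/login.php');
?>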
Code:
<?php
// Persistent connection to the database server; stop with an error if it fails.
$c = mysql_pconnect('<host name here>','<username here>','<pword here>') or trigger_error(mysql_error(),E_USER_ERROR);
mysql_select_db('<db here>',$c);
?>

Thanks,
Tomas
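
One way the `//init session` step and the `isAuthed` check on later pages could look, as an added example that is not part of the original post. It assumes PHP 7.3 or later and a site served over HTTPS; the function names and the 30-minute idle limit are hypothetical.

```php
<?php
// Added example, not the poster's code. start_secure_session(), mark_logged_in(),
// is_session_valid(), require_login() and IDLE_LIMIT are hypothetical names.

const IDLE_LIMIT = 1800; // assumed idle timeout, in seconds

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this where the login script has "//init session".
function mark_logged_in(string $username): void
{
    start_secure_session();
    session_regenerate_id(true);        // new id at login; the pre-login id stops working
    $_SESSION['isAuthed']  = 1;
    $_SESSION['uname']     = $username; // the password is never stored in the session
    $_SESSION['last_seen'] = time();
}

// Pure check, so it can be exercised without a live session.
function is_session_valid(array $session, int $now): bool
{
    if (($session['isAuthed'] ?? 0) !== 1) {
        return false;
    }
    return ($now - ($session['last_seen'] ?? 0)) <= IDLE_LIMIT;
}

// Call this at the top of main.php and every other protected page.
function require_login(): void
{
    start_secure_session();
    if (!is_session_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
}
```

A stolen session id still authenticates as the user; these settings narrow the ways an id can leak and how long it stays valid.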