Secure login & sessions, how secure?
Posted: Tue Aug 19, 2008 9:19 am
I'm trying to make a secure login for my site, so that only members can access the data. The data in question is my geographic position on a map, so I would like it to be as secure as possible. I want to expand this so that other people can put their own positions on and then use their login details to see their update history.
So I have spent a while looking up PHP secure login examples/texts/discussions, and come up with some code. I would appreciate it if someone could scan it over and look for any obvious vulnerabilities in it. As well as that, I now have the problem of keeping the user logged in. I have read that it is possible for an attacker to spoof a session id, so I am not sure what the most secure way to do this is. I thought that after login I could set some session variable isAuthed to 1 and then check this on subsequent pages. But if the session can be hijacked then won't this be useless? Storing the username and password in the session would be similarly useless in such a case too, wouldn't it? If someone steals a session id, then as far as the server is concerned it is the correct user, and as sessions are on the server everything would authenticate fine. That is my assumption/conclusion anyway, I could be wrong. Is there a good article I can read that will clarify these?
My login code currently looks like this:
<?PHP
// Credentials submitted by the login form
$u=$_POST['uname'];
$p=$_POST['pword'];
// Only continue when the request was referred from login.php on this host
// (HTTP_REFERER is a header supplied by the client)
if($_SERVER['HTTP_REFERER']=='http://'.$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\').'/login.php')
{
    if($u&&$p)
    {
        $u=strip_tags(stripslashes($u));
        // Opens the database connection $c
        include("../../func/uchk.php");
        $u=mysql_real_escape_string(htmlentities($u));
        $q = mysql_query('SELECT regtime, uname, pword FROM rdusers WHERE uname=\''.$u.'\' LIMIT 1');
        $r = mysql_fetch_row($q);
        mysql_close($c);
        $q = NULL;
        $c = NULL;
        // Hash the submitted password, using regtime ($r[0]) as the salt
        $p = crypt(md5(crypt(sha1($p),$r[0])),$r[0]);
        if($u==$r[1]&&$p==$r[2])
        {
            $u=NULL;
            $p=NULL;
            $r=NULL;
            //init session
            header('Location: http://'.$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\').'/main.php');
            exit;
        }
    }
}
// Any failure falls through to here and returns the user to the login form
header('Location: http://'.$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\').'/login.php');
?>
uchk.php only does the following:
<?php
// Persistent connection as the SELECT-only database user
$c = mysql_pconnect('<host name here>','<username here>','<pword here>') or trigger_error(mysql_error(),E_USER_ERROR);
mysql_select_db('<db here>',$c);
?>
The sql user I am getting the details with can only SELECT, so the database should be safe at least during login. It is also above the web accessible area of the server and has a .htaccess file, plus an index.php to stop the directory listing being shown. As far as I know, and as far as I have read, this should be secure. To be honest my main concern now is the sessions, as I don't know what the most secure way to use them is going to be. If anyone could provide some help I would be extremely grateful.
Thanks,
Tomas
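The session handling the post asks about (the "//init session" step and the isAuthed check on later pages), as an added example that is not part of the original post. It assumes PHP 7.3 or later and a site served over HTTPS; the function names, the `last_seen` key and the idle limit are hypothetical.

```php
<?php
// Added example, not the poster's code. Function names, IDLE_LIMIT and the
// 'last_seen' key are assumptions made for illustration.
const IDLE_LIMIT = 900; // seconds of inactivity before a new login is required

// Call at the top of every script, before any output is sent.
function start_secure_session(): void
{
    // Refuse session ids the server did not issue; never accept ids from URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    session_start();
}

// Call once the password check has succeeded (the "//init session" point).
function mark_logged_in(string $uname): void
{
    session_regenerate_id(true);     // issue a new id and delete the old session
    $_SESSION['isAuthed']  = 1;
    $_SESSION['uname']     = $uname; // the password is never stored in the session
    $_SESSION['last_seen'] = time();
}

// Call at the top of main.php and every other members-only page.
function require_login(): void
{
    $authed = ($_SESSION['isAuthed'] ?? 0) === 1;
    $fresh  = (time() - ($_SESSION['last_seen'] ?? 0)) <= IDLE_LIMIT;
    if (!$authed || !$fresh) {
        $_SESSION = [];              // clear the data, then drop the session itself
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time(); // activity extends the idle window
}
```

A stolen session id is still accepted by the server until it expires, so these settings work by making the id harder to obtain (HTTPS-only, HttpOnly cookie, new id at login) and shorter-lived (idle timeout).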