Need help with creating a secure log in.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


chris-ramsey
Forum Newbie
Posts: 5
Joined: Fri Feb 20, 2009 8:35 am

Need help with creating a secure log in.

Post by chris-ramsey »

Hi all, I am new to PHP and here so go easy! :)

For my college assignment, we have been asked to create a fake MI6 website in which we have to create a user log in. So index.php is where the user logs in. And main.php is where the user will end up when the log in is successful. I managed to do this with little problem.

However, if you type the location of main.php into the URL bar of the browser, the page is shown because there is no security checking on the actual page itself. It's only a simple project for college but I really don't want to hand in a website in which you can get into the site by typing in the location! I have searched Google and have come up with nothing.

Currently, I have some code which makes sense in my head but obviously isn't working. When the log in script is run (LogCheck.php), if the username and password is correct, the following code is run:

Code:

<?php
// Run by LogCheck.php once the submitted username and password have checked out.
session_start();
$_SESSION["logged"] = true;
$_SESSION["username"] = $username;
$_SESSION["password"] = $password; // stored exactly as submitted, in cleartext
header("location:main.php");       // the script keeps running after this call
When it goes to main.php, the following php script is run:

Code:

<?php
session_start();
// Send anyone who is not marked as logged in back to the login page. header()
// only sets the response header; execution continues into the HTML below.
if($_SESSION["logged"] == false)
{
    header('Location: index.php');
}
?>

<html>

...

</html>
Now, in my head this makes sense. When the login was successful, I expected $_SESSION["logged"] to be true. If it was true, the if statement should NOT be run and the HTML code beneath it should be run. This is not happening: when I enter the correct login details, the if statement is being run anyway and taking me back to index.php. So this is where my lack of PHP comes in as I can't work out any alternatives! I've only been doing PHP for about a week properly.

Any help would be greatly appreciated and if I have missed anything out, I will put it here.
Thanks in advance. Chris.
Last edited by chris-ramsey on Fri Feb 20, 2009 9:01 am, edited 1 time in total.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Need help with creating a secure log in.

Post by kaisellgren »

Do not store the username and the password in the session.

The code in main.php is not entirely safe. The header() will not stop the execution of the script so the rest of the content is being submitted.
chris-ramsey
Forum Newbie
Posts: 5
Joined: Fri Feb 20, 2009 8:35 am

Re: Need help with creating a secure log in.

Post by chris-ramsey »

The reason I have stored the username in the session is because I have to echo out the username on the page when the user has logged in. I will not be storing the password anymore; I had a reason for doing it but not any more!

I just tried the following code in main.php

Code:

<?php

session_start();
// Copy the flag out of the session; it is null (== 0) when it was never set.
$logged=$_SESSION["logged"];

if($logged == 0)
{
    header('Location: index.php'); // redirect header only, the HTML below is still sent
}
?>

<html>
...
</html>
and this now works! However, I need to set $_SESSION["logged"] to false when the user logs out. For this I have the following code run when the user logs out:

Code:

<?php

// Note: session_start() is never called here, so $_SESSION has not been loaded
// for this request and these two lines do not touch the stored session.
unset($_SESSION["username"]);
$_SESSION['logged'] = false;
header ('location: index.php');

?>
However, this doesn't seem to be working. I can access main.php after the user has logged in and back out again. The only way to stop this is by stopping services in WAMP and starting up again.

Sorry, these questions must seem really pointless to you but I'm really struggling with it!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Need help with creating a secure log in.

Post by kaisellgren »

The main.php code seems to work, but it will display all content regardless of whether you are logged in or not. You have to stop the execution after the header() call.

Why don't you destroy the whole session after logging out? There is no point in leaving the invalid session alive.
chris-ramsey
Forum Newbie
Posts: 5
Joined: Fri Feb 20, 2009 8:35 am

Re: Need help with creating a secure log in.

Post by chris-ramsey »

I don't understand what you mean about it displaying the content anyway. In my mind the header redirects the user back to index.php. Or am I missing the point here?! :oops:

Okay, I altered the code once again in main.php:

Code:

<?php

session_start();
$logged=$_SESSION["logged"];
// Destroys the session on every visit to main.php, not only on logout, so the
// next protected page load starts with no session at all.
session_destroy();

if($logged == 0)
{
    header('Location: index.php');
}
?>

<html>
...
</html>
This seems to work well but main.php is linked to three other pages. When the user clicks these pages and wants to go back, they cannot access main.php again without logging in. I just wanted to be able to destroy the session when logging out, which I can't seem to do. :cry:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Need help with creating a secure log in.

Post by kaisellgren »

chris-ramsey wrote: I don't understand what you mean about it displaying the content anyway. In my mind the header redirects the user back to index.php. Or am I missing the point here?! :oops:

Yes. Normally you won't see anything, because you are using Firefox/IE/Opera/Chrome, but an attacker will not follow that redirect and will instead read the contents of the page.
chris-ramsey wrote:

Code:

<?php

session_start();
$logged=$_SESSION["logged"];
session_destroy();

if($logged == 0)
{
    header('Location: index.php');
}
?>

<html>
...
</html>

This seems to work well but main.php is linked to three other pages. When the user clicks these pages and wants to go back, they cannot access main.php again without logging in. I just wanted to be able to destroy the session when logging out, which I can't seem to do. :cry:

Okay, let me put this simply: type exit() after header() or the rest of the code will be run.

session_destroy() will kill the session... run that only in the logout...
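Putting the thread's advice together, here is an added example (not code from any of the posts above) of the three pieces: a login handler that checks the password against a stored hash and keeps only the username in the session, a guard that every protected page includes before any output and that exits right after the redirect, and a logout that destroys the session rather than flipping a flag. The function names, the constructed $USERS array and the split into LogCheck.php, auth_guard.php and logout.php are assumptions; the session_regenerate_id() call and the cookie flags go one step beyond what the thread discusses.

```php
<?php
// Added example, not the original poster's code. Assumes these functions are
// split across LogCheck.php, auth_guard.php and logout.php; the user store
// below is constructed for the demo and stands in for the database.
declare(strict_types=1);

// Constructed users: username => password_hash() output. The hash is generated
// here so the demo is self-contained; in real code it lives in the users table.
$USERS = ['chris' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps scripts from reading the session id, SameSite=Lax keeps
    // most cross-site requests from sending it; 'secure' needs HTTPS to be on.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// LogCheck.php: verify the submitted credentials, then mark the session.
function login(string $username, string $password, array $users): bool
{
    start_secure_session();
    // Compare against the stored hash; the cleartext password is never kept.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Fresh session id on login: an id planted before login (session fixation)
    // must not turn into an authenticated one.
    session_regenerate_id(true);
    $_SESSION['logged']   = true;
    $_SESSION['username'] = $username;   // enough to greet the user on main.php
    return true;
}

// auth_guard.php: require_once it at the very top of main.php and of the three
// pages linked from it, before any HTML or even a blank line is output.
function require_login(string $login_page = 'index.php'): void
{
    start_secure_session();
    if (empty($_SESSION['logged'])) {
        header('Location: ' . $login_page, true, 303);
        // header() only queues the redirect. Without exit the rest of the page
        // is still rendered and sent, and a client that does not follow the
        // redirect (curl -i, a proxy, a script) reads it.
        exit;
    }
}

// logout.php: remove the whole session instead of flipping the 'logged' flag.
function logout(string $login_page = 'index.php'): void
{
    start_secure_session();          // without it $_SESSION is not loaded at all
    $_SESSION = [];
    // Expire the cookie too, so the browser stops presenting the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: ' . $login_page, true, 303);
    exit;
}

// Quick check from the command line (php this_file.php). Results are collected
// before anything is printed, because CLI output counts as "headers sent" and
// would block session_regenerate_id(); no redirects happen in the CLI.
if (PHP_SAPI === 'cli') {
    $results = [
        'wrong password' => login('chris', 'wrong password', $USERS),
        'right password' => login('chris', 'correct horse', $USERS),
        'username kept'  => $_SESSION['username'] ?? null,
        'password kept'  => isset($_SESSION['password']),
    ];
    var_dump($results);
}
```

In main.php the first two lines are `require_once 'auth_guard.php'; require_login();`, placed before the `<html>` tag and before any whitespace, since output sent before header() turns the redirect into a "headers already sent" warning and the page renders for everyone. When the greeting is echoed, wrap it as `htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')` so a username containing markup cannot inject script into the page.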
chris-ramsey
Forum Newbie
Posts: 5
Joined: Fri Feb 20, 2009 8:35 am

Re: Need help with creating a secure log in.

Post by chris-ramsey »

Okay, thank you for your help.

I put "exit();" in and I managed to fiddle about with the code some more to get the exact result I wanted :D