Need help with creating a secure log in.

Posted: Fri Feb 20, 2009 8:50 am
by chris-ramsey
Hi all, I am new to PHP and here so go easy! :)

For my college assignment, we have been asked to create a fake MI6 website in which we have to create a user log in. So index.php is where the user logs in. And main.php is where the user will end up when the log in is successful. I managed to do this with little problem.

However, if you type the location of main.php into the URL bar of the browser, the page is shown because there is no security checking on the actual page itself. It's only a simple project for college but I really don't want to hand in a website in which you can get into the site by typing in the location! I have searched Google and have come up with nothing.

Currently, I have some code which makes sense in my head but obviously isn't working. When the log in script is run (LogCheck.php), if the username and password is correct, the following code is run:

session_start();
$_SESSION["logged"] = true;
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location:main.php");
When it goes to main.php, the following php script is run:

<?php 
session_start(); 
if($_SESSION["logged"] == false)
{
header('Location: index.php');
}
?>
 
<html>
 
...
 
</html>
Now, in my head this makes sense. When the login was successful, I expected the
$_SESSION["logged"] to be true. If it was true, the If statement should NOT be run and the html code beneath it should be run. This is not happening, when I enter the correct login details, the if statement is being run anyway and taking me back to index.php. So this is where my lack of PHP comes in as I can't work out any alternatives! I've only been doing PHP for about a week properly.

Any help would be greatly appreciated and if I have missed anything out, I will put it here.
Thanks in advance. Chris.

Re: Need help with creating a secure log in.

Posted: Fri Feb 20, 2009 9:00 am
by kaisellgren
Do not store the username and the password in the session.

The code in main.php is not entirely safe. The header() will not stop the execution of the script so the rest of the content is being submitted.

Re: Need help with creating a secure log in.

Posted: Fri Feb 20, 2009 9:06 am
by chris-ramsey
The reason I have stored the username in the session is because I have to echo out the username on the page when the user has logged in. I will not be storing the password anymore, I had a reason for doing it but not any more!

I just tried the following code in main.php

<?php 
 
session_start(); 
$logged=$_SESSION["logged"];
 
if($logged == 0)
{
header('Location: index.php');
}
?>
 
<html>
...
</html>
and this now works! However, I need to set $_SESSION["logged"] to false when the user logs out. For this I have the following code run when the user logs out:

<?php
 
unset($_SESSION["username"]);
$_SESSION['logged'] = false;
header ('location: index.php');
 
?>
However, this doesn't seem to be working. I can access main.php after the user has logged in and back out again. The only way to stop this is by stopping services in WAMP and starting up again.

Sorry, these questions must seem really pointless to you but I'm really struggling with it!

Re: Need help with creating a secure log in.

Posted: Fri Feb 20, 2009 9:12 am
by kaisellgren
The main.php code seems to work, but it will display all content regardless of whether you are logged in or not. You have to stop the execution after the header() call.

Why don't you destroy the whole session after logging out? There is no point in leaving the invalid session alive.
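A logout page that does what the reply above suggests, added here as an example and not code from the thread. The logout code posted earlier never calls session_start(), so its unset() and assignment don't touch the stored session; this version starts the session, clears it, expires the cookie and then stops after the redirect. The filename logout.php is assumed.

```php
<?php
// logout.php (added example, not the thread's own code).
// session_start() must come first: without it $_SESSION is not
// attached to the visitor's session, so clearing keys changes nothing
// and main.php still sees $_SESSION['logged'] = true on the next visit.
session_start();

// Drop every value stored for this session (username, logged, ...).
$_SESSION = array();

// Expire the session cookie in the browser as well, so the old session
// id is not sent back on later requests.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// Remove the session data on the server, then redirect and stop.
session_destroy();
header('Location: index.php');
exit();
```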

Re: Need help with creating a secure log in.

Posted: Fri Feb 20, 2009 9:22 am
by chris-ramsey
I don't understand what you mean about it displaying the content anyway. In my mind the header re-directs the user back to index.php. Or am I missing the point here?! :oops:

Okay, I altered the code once again in main.php:

<?php 
 
session_start(); 
$logged=$_SESSION["logged"];
session_destroy();
 
if($logged == 0)
{
header('Location: index.php');
}
?>
 
<html>
...
</html>
This seems to work well but main.php is linked to three other pages. When the user clicks these pages and wants to go back, they cannot access main.php again without logging in. I just wanted to be able to destroy the session when logging out which I can't seem to do. :cry:

Re: Need help with creating a secure log in.

Posted: Fri Feb 20, 2009 9:28 am
by kaisellgren
chris-ramsey wrote:I don't understand what you mean about it displaying the content anyway. In my mind the header re-directs the user back to index.php. Or am I missing the point here?! :oops:
Yes. Normally you won't see anything, because you are using Firefox/IE/Opera/Chrome, but an attacker will not forward that redirection call and will instead read the contents of the page.
chris-ramsey wrote:

<?php 
 
session_start(); 
$logged=$_SESSION["logged"];
session_destroy();
 
if($logged == 0)
{
header('Location: index.php');
}
?>
 
<html>
...
</html>
This seems to work well but main.php is linked to three other pages. When the user clicks these pages and wants to go back, they cannot access main.php again without logging in. I just wanted to be able to destroy the session when logging out which I can't seem to do. :cry:
Okay, let me put this simply: type exit() after header() or the rest of the code will be run.

session_destroy() will kill the session... run that only in the logout...
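The main.php guard with the exit() that the reply asks for, added as an example and not code from the thread. It assumes LogCheck.php has already set $_SESSION['logged'] = true and $_SESSION['username'] after checking the credentials, and it escapes the username before echoing it, since the page prints a value that came from the login form.

```php
<?php
// main.php (added example, not the thread's own code).
session_start();

// Not logged in: send the redirect and STOP. Without exit() PHP keeps
// running and the HTML below is still sent; a browser follows the
// Location header, but any client that ignores it simply reads the page.
if (empty($_SESSION['logged'])) {
    header('Location: index.php');
    exit();
}

// Escape the stored username before putting it into the HTML so that
// whatever was typed into the login form cannot inject markup here.
$username = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$username = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
?>
<html>
<body>
<p>Welcome, <?php echo $username; ?></p>
<p><a href="logout.php">Log out</a></p>
</body>
</html>
```

A quick check of the fix: requesting main.php with a client that does not follow redirects, such as curl -i without a session cookie, should return the 302 and an empty body rather than the page content.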

Re: Need help with creating a secure log in.

Posted: Sun Feb 22, 2009 1:08 pm
by chris-ramsey
Okay, thank you for your help.

I put "exit();" in and I managed to fiddle about with the code some more to get the exact result I wanted :D