Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
The user can only get the $_SESSION['User_ID'] variable stored if he has logged in. I check that on every page. How can he get that variable stored if he doesn't login?
If the ip address changes I'll probably have to take it away. I had it there just because I read that SESSION ids could possibly be accessed...
I have tested this type of protection on my site and it appears to work quite nicely. If you try to access a page without logging in it will display the login form.
I asked this question because I don't know how secure this kind of protection is. As I said it works nicely on my page, but I don't know how hacker safe it is...
trobale wrote:The user can only get the $_SESSION['User_ID'] variable stored if he has logged in. I check that on every page. How can he get that variable stored if he doesn't login?
There is no password protection in the code snippets you posted, only variable testing. Perhaps show the code that deals with inputted password, such as input filtering and database querying.
trobale wrote:If the ip address changes I'll probably have to take it away. I had it there just because I read that SESSION ids could possibly be accessed...
As feyd said, AOL users in particular access a server farm whereby they might be assigned a different machine.
trobale wrote:I have tested this type of protection on my site and it appears to work quite nicely. If you try to access a page without logging in it will display the login form.
Yes, it will work. How secure is it? Well, not very.
An evil-user would only need to grab a valid session ID and he could appear to be logged in as someone else.
I don't see you using mysql_real_escape_string anywhere in that code. You just have the user input put into a local variable and then straight into the query.
There are SQL injection vulnerabilities in your code, which feyd has already mentioned. Therefore, it makes little sense to offer up a demo sans query for people to prove to you that it is vulnerable. It's also worth considering that other people's time is valuable, and asking them to prove themselves is not being very respectful. Answers here are offered for free. It makes sense to verify them, but that's your job.
Regarding your inspection of $_SESSION['User_ID'], this technique is worth very little, because you're setting this value whenever someone logs in. If an attacker is going to try to hijack a session, it's probably not going to be an anonymous user's session.
You require $_SERVER['IP'] to be the origin of the current request, and although I assume you mean $_SESSION['IP'], requiring this to be static is going to cause many legitimate users trouble.
Thanks for the answers. I forgot to write the mysql_real_escape_string() function in my sample code but I am using that (and I hope that it is enough)!
I'm quite a beginner at php coding and therefore I don't understand all your arguments against my 'password protection'.
I had that ip check there just because I read that hackers can hijack sessions. If the ip address isn't the same as the ip address with which the session was registered the user can't access the site (and therefore hijacking is impossible?).
if(!isset($_SESSION['User_ID']) || $_SERVER['REMOTE_ADDR']!=$_SERVER['IP']){
// DISPLAY LOGIN SCREEN OR SOMETHING SIMILAR
}
else {
// DISPLAY PAGE CONTENT
}
Someone wrote that especially AOL users change their ip address during browsing. This doesn't make the script more vulnerable (I think) since the user check will then fail and the login screen is shown. Of course this means that AOL users have to login several times, which is too bad.
trobale wrote:Someone wrote that especially AOL users change their ip address during browsing. This doesn't make the script more vulnerable (I think) since the user check will then fail and the login screen is shown. Of course this means that AOL users have to login several times, which is too bad.
I am sure the millions upon millions of AOL users, and other ISPs, will love you for that.
You know, BEFORE we, as web developers, learned about security techniques, we typically learned about usability and accessibility. Otherwise, the internet would be a hassle.
I understand that no one likes to be told that they are wrong, but you need to rethink your security and protection methods, especially if your website isn't one that most experienced hackers would even care to access. If you REALLY want to learn about security though, become a hacker. It'll make sense then.
You can control a lot more on the client-side than you'd think.
if(!isset($_SESSION['User_ID']) || $_SERVER['REMOTE_ADDR']!=$_SERVER['IP']){
// DISPLAY LOGIN SCREEN OR SOMETHING SIMILAR
}
else {
// DISPLAY PAGE CONTENT
}
This does not do anything. $_SERVER does not have an index with the key 'IP', unless it is a deprecated value. Still, this code does nothing security wise...
Last edited by Z3RO21 on Mon Apr 30, 2007 5:39 pm, edited 1 time in total.
May not seem like much to you now, but you realize that your query suggests that you are storing passwords in plain text in your database. That is insecure in and of itself. At least try to thwart someone's attempt at getting your users' information.
Everah wrote:May not seem like much to you now, but you realize that your query suggests that you are storing passwords in plain text in your database. That is insecure in and of itself. At least try to thwart someone's attempt at getting your users' information.
Some useful functions pertaining to Everah's post are md5(), sha1(), and hash().
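The points raised across the thread (queries built from raw input, plain-text passwords, the non-existent $_SERVER['IP'] check, and IP pinning that locks out AOL-style users) pulled together in one added example that is not from the thread or any poster; it uses password_hash()/password_verify() (PHP 5.5+) rather than bare md5()/sha1(), and assumes a PDO connection $pdo, a users table with columns id, username and password_hash, a login.php page, and PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from the thread. Assumed: $pdo (PDO), table `users`
// with columns id, username, password_hash; login.php exists.

// Session hardening goes BEFORE session_start(): cookie-only IDs that script
// cannot read, HTTPS-only transport, and strict mode so the server rejects
// any session ID it did not issue itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Registration: store a salted, slow hash, never the plain-text password.
function store_user(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, random salt
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: a prepared statement instead of string concatenation (no escaping
// function to forget), constant-time hash comparison, and a fresh session ID
// so an ID set before authentication cannot be reused (session fixation).
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same answer whether the user exists or not
    }
    session_regenerate_id(true);          // new ID, old one invalidated
    $_SESSION['User_ID']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// Per-page check: no IP pinning (the client's address may legitimately change
// mid-session); instead rely on an unguessable cookie-only ID plus an absolute
// lifetime so a stolen ID is only useful for a bounded window.
function require_login(int $max_age = 3600): void {
    if (!isset($_SESSION['User_ID'])
        || time() - ($_SESSION['login_time'] ?? 0) > $max_age) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
}
```

Call require_login() at the top of every protected page in place of the isset/IP test from the thread; session lifetime and the bcrypt cost are the two values to tune for a given site.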