Security of my login script ...

Anon

Hi,

I was wondering if someone can tell me something about how secure the 'login script' below is. I mean, how easy is it for people who don't know the username and password to view the protected parts?

Simplified Code snippet:

if ($username == "myname" && $password == "mypassword")
{
echo("Succesfull Login");
}

else
{
echo("Incorrect Login");

}

Thanx for your replies, Michiel

ayzee01

The question is, how are you sending your $username and $password variables to the php engine?

i.e form post, get, cookie. what?

Leon

Anon

I'm using a form with a post method and the action of the form is the php-page where the login check is in.

Michiel

Anon

There is a problem is you are using variables in both (i.e. multiple users) you would need to do:

if (($username == $user && $password == $pass) AND ($pass != "")) {}

Anon

What I want to do is simply protect pages of my website, in a way that only I am able to view them. Therefore I've created a form with to inputs ($username and $password). Now I want the php-script to check whether the value of $username is 'myusername' and the value of $password is 'password'. I'm just wondering whether other people can find out easily what my username and password are or whether its easy to go around the login.

ayzee01

there are security implications here if you're not careful.

You must take care that your code is ULTRA safe in that no one can exploit the form post function when you submit the form and get the site data. But to be honest, unless the site is a huge really important top secret one, i doubt if anyone would attempt to do that.

Also, every page thereafter, you will have to check a login variable to make sure the user viewing the page has first gone through the login screen.

My suggestion is once the user has succesfully completed the form submit function and logged in, you set a $loggedin session variable that is then checked by a generic function on each page thereafter.

I would put the checking function within a general include and include it within each page so you are not replicating code.

Just check for the loggedin var, if it exists then fine, carry on and load the page else redirect to a noaccess page of some description informing the user of their status and offering them the chance to login.

Any more help, just let me know.

Cheers,

Leon