User authentication - is it secure?!?

holahola

I use the following user authentication script I have developed. Do you think it's secure?

// index.php:
// *****************

<?php

if ((isset($_POST['username'])) && (isset($_POST['password']))) {

	// *** Check username and password
	$username = $_POST['username'];
	$password = $_POST['password'];

	// *** Connect to the MySql database (not in public_html)
	require("../../connect.php");

	$sql = "select * from users_table where username='$username' and password=password('$password')";
	$result = mysql_query($sql,$con);

	if (mysql_num_rows($result) == 1) {
		$session_id = md5(uniqid(rand()));
		$timestamp = time();
		setcookie("username","$username",time()+14400,"/","",0);
		setcookie("session_id","$session_id",time()+14400,"/","",0);
		$sql = "update users_table set session_id='$session_id', session_timestamp='$timestamp' where username='$username'";
		$result = mysql_query($sql,$con) or die ("A problem occurred");
		header("Location: secure_site.php");
		exit;
	}
}

?>

<html>
<head>
<title>Log In</title>
</head>
<body>
<form action="<?php echo $PHP_SELF; ?>" method="post">
  <table border="0" bgcolor="#000030" cellspacing="0" cellpadding="1" width="320">
	<tr><td>
	<table border="0" cellpadding="0" cellspacing="0" width="100%" bgcolor="#F9F9F9">
	<tr><td align="center">
		<table border="0" cellpadding="0" cellspacing="3" width="100%" bgcolor="#F9F9F9" align="center">
		<td colspan="2" align="center">
		<br><b>Please enter your username and password:</b>
		</td>
		</tr>
	    <tr>
	    <td colspan="2" align="center">
		<table border="0" cellpadding="0" cellspacing="10" width="200" bgcolor="#F9F9F9">
			<tr>
	    	  <td width="90">Username:</td>
	    	  <td><input type="text" maxlength="20" name="username" size="15"></td>
	    	</tr>
	    	<tr>
	    	  <td width="90">Password:</td>
	    	  <td><input type="password" maxlength="20" name="password" size="15"></td>
	    	</tr>
	    	<tr>
	    	  <td align="right" colspan="2"><input type="submit" value="Log In">
	    	</tr>
	    </table>
	    </td>
	  </table>
	</td></tr>
	</table>
</td></tr>
</table>
</form>
</center>
</body>
</html>

// *** End of index.php



check_user.php is require()d in the beginning of every page to be secured:



// check_user.php:
// *******************

<?php

if ((!isset($_COOKIE['username'])) || (!isset($_COOKIE['session_id']))) {

	header("Location: index.php"); // Redirect to the login page
	exit;
}
else {
	$username = $_COOKIE['username'];
	$session_id = $_COOKIE['session_id'];

	$min_session_timestamp = time() - 14400; // session_id is only valid for 14400 seconds (4 hours), like the cookie

	$sql = "select username from users_table where username='$username' and session_id='$session_id' and session_timestamp>=$min_session_timestamp";
	$result = mysql_query($sql,$con);

	if ((mysql_num_rows($result)) != 1) {
		header("Location: index.php"); // Redirect to the login page
  		exit;
	}
}

?>

// *** End of check_user.php

What do you think? Can this script be hacked and if so, how? Thanks.

intenz

It's easy to make false cookies.
I would use a header(); authentication.
Some script on evilwalrus.com or hotscripts.com

holahola

Originally posted by intenz
It's easy to make false cookies.
I would use a header(); authentication.
Some script on evilwalrus.com or hotscripts.com

But does it matter if someone can make false cookies? Since only the username and session_id is stored in cookies - the session_id is stored to the database on login (example: ac4skn5cxkasn5) and is only valid for 4 hours and is set to null on logout, it doesn't matter if someone can fake cookies? Did you have some particular point in mind??

I have no idea what is header(); authentication, I checked evilwalrus.com and could not find anything... tell me more?

jmcneese

why don't you use the remote_ip as a security measure? either as the seed for the random sessionid, as a comparison for the current user of the sessionid (if remote ip doesn't match ip stored in session, destroy session), or both?

dannys

That would cause dialup users to be logged out when they reconnect, which could be irritating if they were editing an article (for example) when the connection dropped – they reconnect, but don’t bother refreshing the page and then lose their work when the hit the form submit button and get thrown out.

I personally store the sessionId and md5(sessionId+myconstantsalt) – serialised and base64 encoded. When I read the cookie again, the md5 is remade and if it doesn’t match the cookie is destroyed. Admittedly, this doesn’t get around someone stealing your cookie (and therefore the session) but it does stop people tampering with the cookie data (I use this ‘signing’ on all my cookies).