Are these two methods of Authentication, persay, secure?

FoxhoundX

I have currently used two different methods of user login.. I would like to know if they are secure (As in, normal everyday people cannot view the logins, or gain unauthorized access).

This is for my news panel, so only a few people need access. Embedded in the script itself is something like -

if (($user != "Firebird") && ($user != "Bladesinger") && ($user != "Rebelion")) {
die("Error: Invalid Username/Password");
}

if ($user == "Firebird") {
if ($pass != "pass1") {
die("Error: Invalid Username/Password");
}
}
if ($user == "Bladesinger") {
if ($pass != "pass2") {
die("Error: Invalid Username/Password");
}
}
if ($user == "Rebelion") {
if ($pass != "pass3") {
die("Error: Invalid Username/Password");
}
}

if ($user == "Firebird") {
$email = "email@email1.com";
}
if ($user == "Bladesinger") {
$email = "email@email2.com";
}
if ($user == "Rebelion") {
$email = "email@email2.com";
}

This is for my 'bigger' website, currently ~150 members. I have a txt file OUTSIDE of my webserver (called using ../../../../users.txt), and I store the login info in there, then explode, and compare the user/pass to the user/pass in there.

Thanks for the help 🙂

sachindesarda

Instead of these two methods you can use database authentication which i think is more safe.....

laserlight

If the textfile is in your non-web space, as you said, it probably is quite safe.

As for comparison by using data in the script itself, that should be ok as long as the parse is always parsed as PHP.
I'd probably use an array instead though.

Xoid

hmmm... you may want to be careful when storing username / password details in a text file as it's playing with fire.

what if a malicious user tried to browse all the files? if the server allows this they can browse all text files within your directory, if this happens your login details will be exposed!

as stated by sachindesarda, I would also use a database to store your username / password and possibly use Mcrypt methods to encrypt your username / password,

possible solution?

HTH

FoxhoundX

Xoid - The txt file storing the login information is outside of my web directory, meaning it is only accessed locally.

Example - C:\Webserver\page\login.php would be the login, while C:\users\login.txt might be the login.

Xoid

oki, I'll use a data packet sniffer to grab your login details 😃

Xoid

You could still use a textfile for authentication, i.e. for extra security you could store your details in a database and perhaps store a particular code in your text file, so when you enter your username / password = if the details are correct the textfile is read if the code matches what is in the database then allow access.

its still risky using a textfile purely for authentication purposes.

HTH

laserlight

well Xoid, intercepting packets would still reveal the login info, it would then be a matter of secure transmission rather than secure storage, as is the issue here.

The thing is, there is no point using a database to support the textfile in authentication. The textfile in this case is serving as a database.

Xoid

well... I disagree, there is a good reason for using a textfile for extra authentication, for example:

a user somehow finds out the password of the user and gains access changes all the news reports or whatever, if there was a textfile for authentication, if the user enters the correct username and password and they do not have the appropriate file and code (such as md5 hash or whatever) stored on their system they won't be able to access the system by conventional means.

still, it's worth considering.