user logins: secure? somewhat secure? ...

yahyac

Once a user submits a shopping cart, I use phpmailer to email myself a link to "pick up" and view the cart. This link looks something like this:
http://www.mydomain.com/products/cartlogin.php?cartnum=BLAH.

I'm trying to make a login for someone from the company to go to, for example, cartlogin.php?cartnum=BLAH, and then it will require a username and password to login. I was unsure how to properly do this, and searched these forums. Here was one such reply:

devinemke wrote:
a common approach is to start a [man]session[/man] when the user logs in and set a boolean session var that simply stores the users valid login state (true or false) then at the top of each page run a quick check for that var and if it's false spit out an error and [man]exit[/man] out of the script.

Is this a secure method of checking logins?

Here's my implementation:

<?php
session_start();
?>
<?php
	if (isset($_POST['submit'])) {
		$cartnum = $_POST['cartnum'];
		include('../global/dbinfo.php');
		$conn = mysql_connect($dbhost, $dbuser, $dbpass);
		mysql_select_db($dbname, $conn);

	$user = strip_tags(substr($_POST['username'],0,32));
	$pw = strip_tags(substr($_POST['password'],0,32));
	$cleanpw = crypt(md5($pw), md5($user));

	$sql = "SELECT username, password FROM users 
	           WHERE username = '". mysql_real_escape_string($user)."' AND 
	                 password='". mysql_real_escape_string($cleanpw)."' 
	           LIMIT 1";
	$result = mysql_query($sql);

	if (mysql_num_rows($result)){
		//we have a match!
		$_SESSION['login'] = true;
		$location = "location: cartpickup.php?cartnum=" . $cartnum;
		header("$location");
	}
	else{
		//no match
		echo 'Invalid username/password combination.<br><br>';
	}
}
if (isset($_GET['cartnum'])) {
	$cartnum = $_GET['cartnum'];
	echo "Get cartnum is set.  Cart number is " . $cartnum . ".";
}
?>
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Cart Login</title>
<link rel="stylesheet" type="text/css" href="../global/pp.css">
</head>

<body>
<div align="center">
	<h2Cart Login</h2>
</div>
<table width="40%" align="center">
	<tr>
		<td>
			<form action="cartlogin.php" method="post">
				<input type="hidden" name="cartnum" value="<?php echo $cartnum; ?>">
				<p class="content10"><label for='username'>Username:&nbsp;&nbsp;</label>
				<input type='text' name='username' id='username'/>
				</p>

			<p class="content10"><label for='password'>Password:&nbsp;&nbsp;</label>
			<input type='password' name='password' id='password'/>
			</p>
			<p><input type="submit" name="submit" value="log in"/>
			</p>
		</form>
	</td>
</tr>
</table>
</body>

</html>

And then on the next page, I simply have an if statement surrounding the entire page, and this statement simply checks

<?php
	if ($_SESSION['login'] == TRUE) {
?>

It does work. I'm just wanting to make sure it is "secure enough". I mean, a serious hacker can almost always find a way. I just want to make sure there are not major holes in this method.

Thanks.

yahyac

And just to clarify, is there any obvious ways someone can access the data?

Bottom line, the data is enclosed within a php if statement which tests for login == true. That seems pretty black and white. It will NOT show data if login is anything other than true. So the only possible area of insecurity would be in the password entry/validation page. I'm using md5, so I think that should be good...right?

Thanks.
Jonathan

mjax

It looks secure enough. The only think you have to worry about is session hijacking. Read up on this subject for ways to prevent this.