Login being shared across network

bo0

I have a login script which I use on a large popular website. Just recently a MAJOR security flaw has been detected.

Over a large internal network if a user logs in on one machine, other machines are automatically logged in to that account. So if an admin logs in, every machine on the network can access that account!

Any ideas why?

Piranha

If you submit code that contains the login and code that contains the check for login it would be much easier to see what could be wrong.

bo0

checklogin.php

$ws_user=$_POST['username'];
$ws_pwd=$_POST['password'];

$check = safe_query("SELECT * FROM users WHERE username='$ws_user' ");
$anz = mysql_num_rows($check);

if($anz) {
    $ds=mysql_fetch_array($check);

if(($ds[val]) == '0') {
    $error='ERR3_login';
    }

// checkt passwort
$ws_pwd=md5($ws_pwd);

if($ws_pwd == $ds[password]) {
	setcookie("ws_auth", $ws_user.":".$ws_pwd, time()+(3600*24*365));
	header("Location: index.php");
}
elseif(!($ws_pwd == $ds[password])) {
    $error='ERR2_login';
}
}
else $error='ERR1_login';

contained in _functions.php

$cookie=false;
if (isset($ws_auth)) {
    $authent = explode(":", $ws_auth);
	$ws_user = $authent[0];
	$ws_pwd = $authent[1];
	$cookie=true;
}
$loggedin=false;
if ($cookie) {
    $checklog = safe_query("SELECT userid FROM users WHERE username='$ws_user' AND password='$ws_pwd'");
	while($ds222=mysql_fetch_array($checklog)) {
        $loggedin=true;
		$userID=$ds222[userid];
   }
}

MarkR

bo0 wrote:
I have a login script which I use on a large popular website. Just recently a MAJOR security flaw has been detected.

Over a large internal network if a user logs in on one machine, other machines are automatically logged in to that account. So if an admin logs in, every machine on the network can access that account!

Any ideas why?

Probably those users are using a (maybe transparent) proxy which caches stuff it should not. This makes it appear to them that they're logged on as the same person, and may reveal private info to users who should not see it.

I can't see any problems with your code, besides the large number of SQL injection vulnerabilities that I assume you're aware of.

Mark

bo0

MarkR wrote:
Probably those users are using a (maybe transparent) proxy which caches stuff it should not. This makes it appear to them that they're logged on as the same person, and may reveal private info to users who should not see it.

I can't see any problems with your code, besides the large number of SQL injection vulnerabilities that I assume you're aware of.

Mark

That was what I thought the problem was. Some sort of central cache server.

Any ideas on a fix?