[PHP] Login and Security help

daveclose

I have made a posting script (a kind of shout box system)
I need to have a way to make sure that whatever script is being processed is coming from the same server (i know there is a way to do this) but how?
and also i need a login system.. if i was to implement a system such as this...

session_start();
if (isset($_POST['user']) && isset($_POST['pass']))
{
	if ($_POST['user'] === 'user' && $_POST['pass'] === 'pass')
	{
		$_SESSION['aloud '] = true;
			header('Location: protectedish.php');
			exit;
	}
		else 
		{
		$wrong = 'Wrong User/Password';
		}
}

and then this on each "protected" page...

session_start();
if (!isset($_SESSION['aloud']) or $_SESSION['aloud'] !== true)
	{
		header('Location: login.php');
		exit;
	}

I am assuming this is not very secure, and it is also inconvenient, for instance if i need to use another "header('location:')" somewhere else it won't work.

bearing in mind that i only need one user, and i would like a system where the user can easy change the password, what would be a good system? and what are other methods to keep my scripts secure?

sorry for all those questions :p

bpat1434

For the posting script you could add a hidden field with say the md5 hash of your domain name. Then in the receiving script check that (a) the hidden field was sent and (b) the hash of it matches the hash of your domain again. Now, to be sneaky you could use two hidden fields, one which is the timestamp (in hashed form) and the other which is the domain + timestamp in hashed form. Something like:

<?php
$time = time();
$domain = 'http://www.mydomain.com"

echo '<form action="somescript.php" method="post">
<!-- 
    Whatever HTML form elements you want...
-->
    <input type="hidden" name="o" value="<?php md5($domain . md5($time)); ?>" />
    <input type="hidden" name="t" value="<?php md5($time); ?>" />
</form>';
?>

That's more security through obscurity though since really anyone could "hack" that and create a form somewhere and post to yours. There's really no full-proof way of securing a form so it can only originate from one site. You could check the $_SERVER['HTTP_REFERER'] header; however, not all servers/browsers send them. So they're not 100% guaranteed.

As for securing a section of a site. Using sessions is the right way to go (for simple things). As for storing the username and password, you could use an XML file that is above the web root of your website ( i.e. not accessible via http://www.mydomain.com/my_auth_file.xml ) to store the username and password combination, or it could be a text file. Either way, same theory applies, just make sure you store the correct data.

You could also use a database to store the username and password, although that seems like overkill right now if you only will ever have one user.

As for securing the membership area, you've got it down right. Some people like to store a special "key" inside a database or text file so that each page has a "unique" key to validate whether the session is from the same person or not. Not necessary, but it's just an additive some people include.

The only real way to seriously secure your member area is to use SSL. Then your communication is encrypted, and you can even put your login stuff in the SSL section so your login and admin functions are all under SSL but your main site is under regular HTTP requests. But this costs money, so it does have its downside.

Also I'm pretty sure you meant $_SESSION['allowed'] since aloud more-or-less means something spoken or sounded so as to be heard by someone or something.

daveclose

Thanks very much for that 😃😃 very good post

I am going to be distributing my script, so it would not be very user friendly if I where to put the passwords in a file above the web folder. Would putting it in to a PHP file and then including it be ok? and if not what should i do?

Also I'm pretty sure you meant $_SESSION['allowed'] since aloud more-or-less means something spoken or sounded so as to be heard by someone or something.

whoops, dyslexic moment. Well it would of worked anyway :p

bpat1434

Like I said earlier, you could utilize a database to store the password as well. You could also use an include file. So long as your extension is .php and not .inc or some other "unknown" extension to the server, you should be fine. Unknown extensions usually end up having the contents spewed out to the browser. So just be careful.