Is the logic of this login script correct ? and is secure ?

quecoder

Hello ,

I've coded my first log in script for registered members as follows:


<?php
session_start();
if(isset($_POST) && $_POST['submit'] == 'submit'){
    include('sql.php');
    $username = trim(mysql_real_escape_string($_POST['username']));
    $password = mysql_real_escape_string($_POST['password']);
    $query = 'select * from users where username=\''.$username.'\' AND password = \''.$password.'\'';
    $result = mysql_query($query);
    if(mysql_num_rows($result) == 1){

    $_SESSION['loggedin'] = true;
    $_SESSION['type'] = 'user';
    $_SESSION['username'] = $username;

    if($_POST['rememberme']){
        setcookie('log_',$username."//".md5($username.$password),time()+129600);   
    }

}

}
 else{
    header('Location: index.php');
}


?>

is it secure !? what about it's logic !? do I miss something that may cause me headaches at future ?

dagon

shouldn't be storing the password as plain text, should be hashed and salted.

quecoder

Ah , I will consider that
thanks

sohguanh

quecoder;10949589 wrote:
Ah , I will consider that
thanks

Hi I don't know about banking sites in US or European countries but here in Singapore, almost all local banks internet banking login page is done using Java Applet.

Is it more secure to use Java Applet over the traditional HTML page tags ? Hmmm... care to share what your countries banking sites login page is using which technology ?

It is so ironic such an old technology called Java Applet is still very prevalent here in Singapore 🙂

Just to refresh everyone memory, Java came onto the world precisely of Java Applet before we have our familiar Java Servlet, JSP etc etc.

laserlight

quecoder wrote:
is it secure !? what about it's logic !? do I miss something that may cause me headaches at future ?

I suggest using session_start() only after the login is successful. You should avoid handing out valid session identifiers to non-users.

To avoid potential notices, I suggest that you change:

if(isset($_POST) && $_POST['submit'] == 'submit')

to:

if(isset($_POST['submit'], $_POST['username'], $_POST['password']) && $_POST['submit'] == 'submit')

After you have added a column for the salt as dagon suggested, select the hashed password and the salt where the username matches, rather than all (you may also want to add LIMIT 1 to the SQL statement). You would then compute the hashed password using the given password and the salt, and then compare the result with the hashed password retrieved.

For the hash function, you can use [man]sha1/man or one of those in the SHA-2 family of hash functions if the hash extension is available. The use of MD5 is okay, but SHA-1 is better and is also pretty much guaranteed to be available.

Also, after sending a location header, use [man]exit[/man]. Note that the URL of a location header should be an absolute URL, not a relative URL as you have used.

sohguanh wrote:
Is it more secure to use Java Applet over the traditional HTML page tags ?

Having no experience with Java applets, I cannot provide an authoritative opinion. However, my guess is that it will provide you with a greater degree of control, and this can be used to make an exploit more difficult. Nonetheless, either way you can still end up with something secure, or insecure, as the case may be.

sohguanh wrote:
Hmmm... care to share what your countries banking sites login page is using which technology ?

Same as yours :p

bradgrafelman

sohguanh wrote:
almost all local banks internet banking login page is done using Java Applet.

Really? Is that in Singapore or are you talking about the US as well? I haven't seen any US banking sites that use Java applets.

sohguanh

bradgrafelman;10949653 wrote:
Really? Is that in Singapore or are you talking about the US as well? I haven't seen any US banking sites that use Java applets.

Hi bradgrafelman, so most US banking sites uses what technology for their login page ? The traditional HTML tags ?

My gut feel why Singapore local banks decided on the Java applet approach is because it is more "secure" as compared to HTML tags ?

Java applets are binary executable code that travel from the server to the browser and executed within browser in a sand-box model. Also Java applets allow encryption/signing which add one more layer of protection.

Of course when security is concerned, even an encrypted and signed Java applet can be "hacked" but in comparison to HTML tags, I think it is slightly superior as in it makes "hacking" more difficult in comparison to HTML tags.

Laserlight: Since you reside in Singapore same as I, you must have done internet banking and you will know they all uses Java applet for login page. I have a Citibank account and it seems to use Java applet too. Not sure on Citibank in US sites though.

bradgrafelman

sohguanh wrote:
Hi bradgrafelman, so most US banking sites uses what technology for their login page ? The traditional HTML tags ?

Well HTML and Javascript, but yeah.

sohguanh wrote:
My gut feel why Singapore local banks decided on the Java applet approach is because it is more "secure" as compared to HTML tags ?

I don't see how that's true. Both still have to communicate information across a web connection... both can use SSL... etc.

sohguanh wrote:
Also Java applets allow encryption/signing which add one more layer of protection.

Of course when security is concerned, even an encrypted and signed Java applet can be "hacked" but in comparison to HTML tags, I think it is slightly superior as in it makes "hacking" more difficult in comparison to HTML tags.

In what way? You still have to use HTML to insert the applet into the page, so it's not like you're circumventing HTML altogether. If a hacker made a lookalike, they surely wouldn't try to incorporate the bank site's Java applet. And if it's a cookie- or keystroke-stealing attack, that's beyond the browser's scope (regardless of whether you're using pure HTML or a Java applet).

sohguanh wrote:
Not sure on Citibank in US sites though.

No Java that I saw - just some Javascript.