Jerzxu, posted May 15, 2008

Hello, I am working on my website and I need to know if my login script is secure.

<?php
session_start();
include("connect.php");

$username = $_POST['username'];
$password = $_POST['password'];

if ($_POST['username'] == "" || $_POST['password'] == "") {
    $_SESSION['Login'] = "None";
    header("Location: loginfail.php");
} else {
    $password = md5($password);
    $sql = mysql_query("SELECT * FROM `Accounts` WHERE `Username`='$username' AND `Password`='$password'");
    if (mysql_num_rows($sql) == 0) {
        $_SESSION['Login'] = "Incorrect";
        header("Location: loginfail.php");
    } else {
        $sql2 = mysql_query("SELECT `Activated` FROM `Accounts` WHERE `Username`='$username'");
        $active = mysql_result($sql2, 0);
        if ($active == "No") {
            $_SESSION['Login'] = "UnAct";
            header("Location: loginfail.php");
        } else {
            $_SESSION['Login'] = "Successful";
            $_SESSION['username'] = $_POST['username'];
            header("Location: code.php");
        }
    }
}
?>

$_POST['username'] and $_POST['password'] come from the login form. If this is not secure, might I get a way to make it more secure? (I was looking into SSL but that didn't help much.)
cx323, posted May 16, 2008

You need to sanitize the user input. You can use something like mysqli or PDO, or if you want to keep it similar to how it already is, read about mysql_real_escape_string: http://us.php.net/manual/en/function.mysql-real-escape-string.php
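The PDO route cx323 mentions, written out as an added example (not code from this thread) for the same Accounts table: user input is passed as a bound parameter instead of being pasted into the SQL string, and the Activated column is fetched in the same query. It assumes PHP 7+, a MySQL DSN and credentials that are placeholders here, and that the Password column stores a password_hash() digest rather than the md5() used in the original script (a swapped-in technique, not something the thread proposes).

```php
<?php
// Added example: login with PDO prepared statements.
// Assumptions (not from the thread): PHP 7+, a table `Accounts` with columns
// Username, Password (a password_hash() digest) and Activated, and placeholder
// DSN/credentials below.

function authenticate(PDO $pdo, $username, $password)
{
    if ($username === '' || $password === '') {
        return 'None';
    }

    // The placeholder keeps the user input out of the SQL text entirely, so a
    // quote inside the username cannot change the query (unlike "...='$username'").
    $stmt = $pdo->prepare(
        'SELECT `Password`, `Activated` FROM `Accounts` WHERE `Username` = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for "no such user" and "wrong password", so the login page
    // does not reveal which usernames exist.
    if (!$row || !password_verify($password, $row['Password'])) {
        return 'Incorrect';
    }

    // Activated came back with the first query; no second lookup needed.
    if ($row['Activated'] === 'No') {
        return 'UnAct';
    }
    return 'Successful';
}

session_start();
// Placeholder connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$result = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
$_SESSION['Login'] = $result;
if ($result === 'Successful') {
    session_regenerate_id(true);        // fresh session id on login
    $_SESSION['username'] = $_POST['username'];
    header('Location: code.php');
} else {
    header('Location: loginfail.php');
}
exit; // stop here so nothing below a redirect keeps running
?>
```

New accounts would be stored with password_hash($password, PASSWORD_DEFAULT) for password_verify() to work; existing md5 rows would need to be rehashed on next login.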
Jerzxu (author), posted May 16, 2008

Ahh yes. I will be adding that then. THANK YOU!
Jerzxu (author), posted May 16, 2008

NEVER MIND. Fixed it, I think.
Jerzxu (author), posted May 16, 2008

<?php
session_start();
include("connect.php");

$username = $_POST['username'];
$password = $_POST['password'];

if ($_POST['username'] == "" || $_POST['password'] == "") {
    $_SESSION['Login'] = "None";
    header("Location: loginfail.php");
    exit; // stop after the redirect so the rest of the script does not run
} else {
    $password = md5($password);
    // Escape both values before they are placed in the SQL string
    $query = sprintf("SELECT * FROM `Accounts` WHERE `Username`='%s' AND `Password`='%s'",
        mysql_real_escape_string($username),
        mysql_real_escape_string($password));
    $sql = mysql_query($query);
    //$sql = mysql_query("SELECT * FROM `Accounts` WHERE `Username`='$username' AND `Password`='$password'");
    if (mysql_num_rows($sql) == 0) {
        $_SESSION['Login'] = "Incorrect";
        header("Location: loginfail.php");
        exit;
    } else {
        // The second query needs the same escaping; as originally posted it
        // still interpolated $username unescaped.
        $query2 = sprintf("SELECT `Activated` FROM `Accounts` WHERE `Username`='%s'",
            mysql_real_escape_string($username));
        $sql2 = mysql_query($query2);
        $active = mysql_result($sql2, 0);
        if ($active == "No") {
            $_SESSION['Login'] = "UnAct";
            header("Location: loginfail.php");
            exit;
        } else {
            $_SESSION['Login'] = "Successful";
            $_SESSION['username'] = $_POST['username'];
            header("Location: code.php");
            exit;
        }
    }
}
?>

Just reassuring, is that correct?
947740, posted May 16, 2008

I believe you have to set a variable equal to the mysql_real_escape_string(); e.g. $username = mysql_real_escape_string($username);
Jerzxu (author), posted May 17, 2008

On the php.net site, for the examples they give, they don't have that. Anyone confirm this?
947740, posted May 17, 2008

EDIT: I did not look at your code right. I did not realize they were in a query. The way you did it should be fine.
Jerzxu (author), posted May 17, 2008

> EDIT: I did not look at your code right. I did not realize they were in a query. The way you did it should be fine.

Okay, thank you!
[email protected], posted May 19, 2008

Just be mindful of session hijacking. I see that you are storing the username in the $_SESSION['username'] variable. Make sure that you are not providing information based on this value. To my knowledge it is easy enough for somebody to substitute this for another username if they have done prior research. You might be ok, but it is just something to keep in mind.

http://www.damosworld.com
Jerzxu (author), posted May 19, 2008

> Just be mindful of session hijacking. I see that you are storing the username in the $_SESSION['username'] variable. Make sure that you are not providing information based on this value. To my knowledge it is easy enough for somebody to substitute this for another username if they have done prior research. You might be ok, but it is just something to keep in mind.

How would you stop session hijacking then? Use cookies?
947740, posted May 19, 2008

I would say that is even easier to hack. You can manually edit cookies in a jiffy.
Jerzxu (author), posted May 19, 2008

> I would say that is even easier to hack. You can manually edit cookies in a jiffy.

I believe if you use SSL it encodes it tighter so that it's harder, except I'm not sure on how to do that exactly.
947740, posted May 19, 2008

Well, I know nothing about that... :-\
cooldude832, posted July 21, 2008

Wow, I read this and I'm amazed at how little people know about sessions!!! Sessions are stored SERVER SIDE!!!! UNTOUCHABLE EXCEPT BY THE SERVER. They are linked to the end user via a cookie storing the session id number, which is virtually unhackable. You can not alter session data without having the server do it. Sure, if you wrote this below it would change sessions, but that's a stupid example that is never done.

<?php
session_start();
if (!empty($_GET['user'])) {
    $_SESSION['Username'] = $_GET['user'];
}
echo "<form action=\"" . $_SERVER['PHP_SELF'] . "\" method=\"get\">";
echo "<input type=\"text\" name=\"user\" value=\"\" />";
echo "<input type=\"submit\" />";
echo "</form>";
?>

Please read about sessions before posting fake "ideas" about them.
Third_Degree, posted July 21, 2008

cooldude832: 2 words: Session fixation. But I agree, sessions are usually extremely secure. Anyway, fix the XSS! This makes the session problem even more vulnerable. Use htmlentities, but use it right. So many people don't.

print htmlentities($stuff, ENT_QUOTES);
waynew, posted July 22, 2008

If you want to be careful, use the user agent and IP address as a session identifier. Be careful though, as AOL users change IP addresses regularly. This makes it a little bit harder. Also, sessions should be okay as long as you don't accept session identifiers via GET or POST variables.
waynew, posted July 22, 2008

Also, from my experience, it is always better to set up some kind of common include file from which to sanitize data. Maybe even a class if you're able for OOP. This way, you know for a fact that all external data on your website is being taken care of. The problem with using functions such as htmlentities() and mysql_real_escape_string() individually is that sometimes you might forget to filter one piece of data. And as we all know, one piece of unfiltered data can have the potential to kick you straight in the nads. Focus on security before building any live systems. I never build a system without first thinking of how I am going to make a secure system.
olie122333, posted July 30, 2008

Try encrypting it on the form page, then encrypt it again on the login page.
dlate, posted August 10, 2008

> Wow, I read this and I'm amazed at how little people know about sessions!!! Sessions are stored SERVER SIDE!!!! UNTOUCHABLE EXCEPT BY THE SERVER. They are linked to the end user via a cookie storing the session id number, which is virtually unhackable. You can not alter session data without having the server do it. Sure, if you wrote this below it would change sessions, but that's a stupid example that is never done. Please read about sessions before posting fake "ideas" about them.

An added note would be to change your session path if you're working with sessions. Yes, they are stored on the server, but if you're on a shared hosting account people can target the standard session path and read all the information stored there (c:\windows\temp\). In my experience it's better to set the session save handler to a directory outside the site root where only you can access it.

To increase security for the sessions so no one can hijack your cookie, you could make a script that would regenerate your SID every couple of minutes, done with:

session_regenerate_id(true); // true: delete old session data, false: leave the old session data.

And to keep people logged on for a longer period of time you could make your session cookie last longer, I guess...

session_set_cookie_params(1800, '/');

Though I'm not a big fan of using cookies.
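The session points raised by Third_Degree (fixation), waynew (user agent binding, no ids via GET/POST) and dlate (private save path, periodic session_regenerate_id, cookie params) combined into one session bootstrap, as an added example that is not code from this thread. It assumes PHP 7.3+ (for the array form of session_set_cookie_params), a directory /var/lib/php/private_sessions outside the web root that only this site's account can write to (placeholder path), and a site served over HTTPS.

```php
<?php
// Added example: hardened session start covering fixation, hijacking and the
// shared-host save path. Assumptions (not from the thread): PHP 7.3+, the
// placeholder directory below exists with restrictive permissions, HTTPS in use.

function secure_session_start()
{
    // Private directory so other tenants on a shared host cannot read session
    // files from the default save path.
    session_save_path('/var/lib/php/private_sessions');

    ini_set('session.use_only_cookies', 1); // never accept the id via GET or POST
    ini_set('session.use_strict_mode', 1);  // ignore ids the server did not issue (fixation)
    session_set_cookie_params([
        'lifetime' => 1800,     // 30 minutes, as in dlate's call
        'path'     => '/',
        'secure'   => true,     // cookie only sent over HTTPS
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Bind the session to the user agent. The IP address is deliberately left
    // out because, as waynew notes, some users change IP during a session.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], $ua)) {
        session_unset();              // drop all data from the suspect session
        session_regenerate_id(true);  // and discard its file on disk
    }
    $_SESSION['ua'] = $ua;

    // Rotate the id every 5 minutes so a copied cookie stops working quickly.
    if (!isset($_SESSION['rotated']) || time() - $_SESSION['rotated'] > 300) {
        session_regenerate_id(true);  // true: delete the old session data
        $_SESSION['rotated'] = time();
    }
}

// Call once the password check has passed: a fresh id makes any id the
// client held before login (possibly planted by an attacker) worthless.
function login_user($username)
{
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['rotated']  = time();
}
?>
```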