Jump to content

Recommended Posts

I recently began dabbling with PHP. I've had a few tries with it, but I never got into scripting/programming much before.

I decided to give it another shot and just have a few questions about my methods. The following script does work correctly with my login register/login scripts, but I just want to know if I am way off base for a sturdy authentication system or if it really needs a lot more to it.

 

<?php

include("dbconn.php");

function failedAuth($username, $password) {
	global $conn;
	$q = "SELECT uname, pword FROM accounts WHERE uname = '$username' AND pword = '$password'";
$result = mysql_query($q, $conn);
return (mysql_num_rows($result) != 1 );
}

if (!isset($_COOKIE['site'])) { // If cookie doesn't exist, non-user content used
echo 'Default info retrieved from DB<br />Page loads with no special content.';
}
else {
$logged_in = explode(":", $_COOKIE['site']); // Exploding cookie! Pull the username and password out of cookie

// Checked stored cookie's creditials against database
if (failedAuth($logged_in[0], $logged_in[1])) {
	echo 'Default info retrieved from DB<br />Page loads with no special content.';
}
else {
 	setcookie("site", "$user:$pass", time()+3600); // extend cookie 1hr.
	echo 'Pull user row from DB and use data for the page';
}
}

?>

Most articles I could find on the subject seem 4+ years old, but are cookies still valid or should I only be using sessions for this kind of thing?

And while the script runs and does exactly what I think it should, is there something I've done that doesn't seem to make sense for the concept of authenticating a user?

 

Appreciate any guidance.

I'd use sessions only.  Also, you're going to want to md5 or SHA1 the passwords.

Yeah, the password stored in database is MD5 encrypted, as is the cookie's password content.

I'm more interested if my auth logic has some large loophole that I'm too green to see?

why do you store the users password in the cookie, thats bad practise, also you shouldnt need to...

That would be why I'm asking...

maybe elaborate on why it's bad practice, or "you shouldn't need to..." what. That kind of comment goes no where.

The reason its bad is due to the fact you have no security/contents control over cookies, the user can edit them, and crack the password (yours is plan/clear text that worse still), or maybe even inject code (if it isn't sanatized correctly),

 

 

why do you store the users password in the cookie, thats bad practise, also you shouldnt need to...

That would be why I'm asking...

maybe elaborate on why it's bad practice, or "you shouldn't need to..." what. That kind of comment goes no where.

NB:

That kind of comment does help.. if you want someone to elaborate then just ask.. personally i won't elaborate on everything i type or i'll never finish the post.. why i agree blueman378 could of said more its easier just to ask, remember we are here to help you.. we are not being paid for this..

Okay lets say i have a cookie called site

i store this text it in

Admin:' OR 1=1

 

you code

$q = "SELECT uname, pword FROM accounts WHERE uname = '$username' AND pword = '$password'";

translates to

$q = "SELECT uname, pword FROM accounts WHERE uname = 'admin' AND pword = '' OR 1=1";

Cool admin access

this is problem is called SQL injection.. you need to use something like mysql_real_escape_string

like so

<?php

function failedAuth($username, $password) {
	global $conn;
	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);
	$q = "SELECT uname, pword FROM accounts WHERE uname = '$username' AND pword = '$password'";
$result = mysql_query($q, $conn);
return (mysql_num_rows($result) != 1 );
}

?>

 

Now the problem we still have is you have a clear text password

so solve this try MD5 this is a ONEWAY encryption this means you can NOT change the password back..

so

ClearTextPass = password

MD5Passw = 5f4dcc3b5aa765d61d8327deb882cf99

 

so when someone sets/updates their password your need to MD5 it first (more info here)

 

Okay you could store the Hashed password (the MD5ed password) in the cookie but it can be cracked so still a bad idea..

if you may also want to ask about adding salt to the hash (its better protections, against rainbow tables) simply put you add extra data to the password ie

$hash = MD5($Password."MySalt");

or

$hash = MD5(MD5($Password)."MySalt");

I guess I should of been clearer in stating that I am already using MD5 on my passwords. The code I provided was ONLY for re-authenticating a user that has already logged in.

Although I didn't realize 'salting' was as easy as stated.

 

My login script does in fact use mysql_real_escape _string when the user submits the login form.

 

$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$pass = md5($pass);

 

Then, after quering to ensure a legit user, the cookie I created would be set with that info

setcookie("site","$user:$pass", time()+3600);

Would look like  myid:2c3ae6a9099114fef22d337bf5a6983f1

 

 

I guess the most general portion of my question has probably been answered. It would seem cookies aren't to be used for passwords regardless of encryption methods.

So then my question becomes - Is the concept of holding the username and password in a session variable how people are re-authenticated in practice?

 

I'm sure I could make it work, but is that really how it's done?

Simple Idea

 

have a sql table called RememberedUsers

Fields UserID, Hash, timestamp

the Hash is something like

$UserID = 10 //the users ID

$SALT = substr(md5(time()), 0, 7);

$HASH = md5($Salt.$UserID); which i store in the table and in a cookie

 

Now

When the user opens the site i lookup the Hash, this gives me the UserID.

 

very basic idea you and expland it to suite

 

ie add 2 hashes ect

sorry mate, i didnt mean for it to be taken rudly, i jsut didnt have time to reply fully, anyway an idea is you could store the users username, in the cookie, no password, you also store that users cookie id, thatway you check the database if the username stored in that cookie matches the one in the database, then that user is authenticated, just an idea, and it saves you storing the users password in a cookie,

 

ah never mind basically the same idea as MadTechies, my bad

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.