brentech Posted June 9, 2008 Share Posted June 9, 2008 I recently began dabbling with PHP. I've had a few tries with it, but I never got into scripting/programming much before. I decided to give it another shot and just have a few questions about my methods. The following script does work correctly with my login register/login scripts, but I just want to know if I am way off base for a sturdy authentication system or if it really needs a lot more to it. <?php include("dbconn.php"); function failedAuth($username, $password) { global $conn; $q = "SELECT uname, pword FROM accounts WHERE uname = '$username' AND pword = '$password'"; $result = mysql_query($q, $conn); return (mysql_num_rows($result) != 1 ); } if (!isset($_COOKIE['site'])) { // If cookie doesn't exist, non-user content used echo 'Default info retrieved from DB<br />Page loads with no special content.'; } else { $logged_in = explode(":", $_COOKIE['site']); // Exploding cookie! Pull the username and password out of cookie // Checked stored cookie's creditials against database if (failedAuth($logged_in[0], $logged_in[1])) { echo 'Default info retrieved from DB<br />Page loads with no special content.'; } else { setcookie("site", "$user:$pass", time()+3600); // extend cookie 1hr. echo 'Pull user row from DB and use data for the page'; } } ?> Most articles I could find on the subject seem 4+ years old, but are cookies still valid or should I only be using sessions for this kind of thing? And while the script runs and does exactly what I think it should, is there something I've done that doesn't seem to make sense for the concept of authenticating a user? Appreciate any guidance. Quote Link to comment Share on other sites More sharing options...
DarkWater Posted June 9, 2008 Share Posted June 9, 2008 I'd use sessions only. Also, you're going to want to md5 or SHA1 the passwords. Quote Link to comment Share on other sites More sharing options...
brentech Posted June 9, 2008 Author Share Posted June 9, 2008 I'd use sessions only. Also, you're going to want to md5 or SHA1 the passwords. Yeah, the password stored in database is MD5 encrypted, as is the cookie's password content. I'm more interested if my auth logic has some large loophole that I'm too green to see? Quote Link to comment Share on other sites More sharing options...
blueman378 Posted June 9, 2008 Share Posted June 9, 2008 why do you store the users password in the cookie, thats bad practise, also you shouldnt need to... Quote Link to comment Share on other sites More sharing options...
brentech Posted June 9, 2008 Author Share Posted June 9, 2008 why do you store the users password in the cookie, thats bad practise, also you shouldnt need to... That would be why I'm asking... maybe elaborate on why it's bad practice, or "you shouldn't need to..." what. That kind of comment goes no where. Quote Link to comment Share on other sites More sharing options...
MadTechie Posted June 9, 2008 Share Posted June 9, 2008 The reason its bad is due to the fact you have no security/contents control over cookies, the user can edit them, and crack the password (yours is plan/clear text that worse still), or maybe even inject code (if it isn't sanatized correctly), why do you store the users password in the cookie, thats bad practise, also you shouldnt need to... That would be why I'm asking... maybe elaborate on why it's bad practice, or "you shouldn't need to..." what. That kind of comment goes no where. NB: That kind of comment does help.. if you want someone to elaborate then just ask.. personally i won't elaborate on everything i type or i'll never finish the post.. why i agree blueman378 could of said more its easier just to ask, remember we are here to help you.. we are not being paid for this.. Quote Link to comment Share on other sites More sharing options...
MadTechie Posted June 9, 2008 Share Posted June 9, 2008 Okay lets say i have a cookie called site i store this text it in Admin:' OR 1=1 you code $q = "SELECT uname, pword FROM accounts WHERE uname = '$username' AND pword = '$password'"; translates to $q = "SELECT uname, pword FROM accounts WHERE uname = 'admin' AND pword = '' OR 1=1"; Cool admin access this is problem is called SQL injection.. you need to use something like mysql_real_escape_string like so <?php function failedAuth($username, $password) { global $conn; $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $q = "SELECT uname, pword FROM accounts WHERE uname = '$username' AND pword = '$password'"; $result = mysql_query($q, $conn); return (mysql_num_rows($result) != 1 ); } ?> Now the problem we still have is you have a clear text password so solve this try MD5 this is a ONEWAY encryption this means you can NOT change the password back.. so ClearTextPass = password MD5Passw = 5f4dcc3b5aa765d61d8327deb882cf99 so when someone sets/updates their password your need to MD5 it first (more info here) Okay you could store the Hashed password (the MD5ed password) in the cookie but it can be cracked so still a bad idea.. if you may also want to ask about adding salt to the hash (its better protections, against rainbow tables) simply put you add extra data to the password ie $hash = MD5($Password."MySalt"); or $hash = MD5(MD5($Password)."MySalt"); Quote Link to comment Share on other sites More sharing options...
brentech Posted June 9, 2008 Author Share Posted June 9, 2008 I guess I should of been clearer in stating that I am already using MD5 on my passwords. The code I provided was ONLY for re-authenticating a user that has already logged in. Although I didn't realize 'salting' was as easy as stated. My login script does in fact use mysql_real_escape _string when the user submits the login form. $user = mysql_real_escape_string($_POST['user']); $pass = mysql_real_escape_string($_POST['pass']); $pass = md5($pass); Then, after quering to ensure a legit user, the cookie I created would be set with that info setcookie("site","$user:$pass", time()+3600); Would look like myid:2c3ae6a9099114fef22d337bf5a6983f1 I guess the most general portion of my question has probably been answered. It would seem cookies aren't to be used for passwords regardless of encryption methods. So then my question becomes - Is the concept of holding the username and password in a session variable how people are re-authenticated in practice? I'm sure I could make it work, but is that really how it's done? Quote Link to comment Share on other sites More sharing options...
MadTechie Posted June 9, 2008 Share Posted June 9, 2008 Simple Idea have a sql table called RememberedUsers Fields UserID, Hash, timestamp the Hash is something like $UserID = 10 //the users ID $SALT = substr(md5(time()), 0, 7); $HASH = md5($Salt.$UserID); which i store in the table and in a cookie Now When the user opens the site i lookup the Hash, this gives me the UserID. very basic idea you and expland it to suite ie add 2 hashes ect Quote Link to comment Share on other sites More sharing options...
brentech Posted June 9, 2008 Author Share Posted June 9, 2008 Ohhh, that makes sense. I'll have to play around with that idea. Appreciate the discussion. Quote Link to comment Share on other sites More sharing options...
blueman378 Posted June 10, 2008 Share Posted June 10, 2008 sorry mate, i didnt mean for it to be taken rudly, i jsut didnt have time to reply fully, anyway an idea is you could store the users username, in the cookie, no password, you also store that users cookie id, thatway you check the database if the username stored in that cookie matches the one in the database, then that user is authenticated, just an idea, and it saves you storing the users password in a cookie, ah never mind basically the same idea as MadTechies, my bad Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.