
Do these look secure?


jamesbrauman


These are my functions for logging in a user, logging out a user, checking if a user is logged in and checking the 'power level' of a user:

//Logs a user in.
function user_login($username, $md5password) {
	setcookie("username", $username, strtotime("+90 days"), "/");
	setcookie("md5password", $md5password, strtotime("+90 days"), "/");
}
//Logs a user out.
function user_logout() {
	setcookie("username", "", strtotime("+90 days"), "/");
	setcookie("md5password", "", strtotime("+90 days"), "/");
	$_COOKIE['username'] = "";
	$_COOKIE['md5password'] = "";
	setcookie("username", "", 1, "/");
	setcookie("md5password", "", 1, "/");
}
//Returns true if a user is logged in.
function user_loggedin() {
	$username = clean_string($_COOKIE['username']);
	$password = clean_string($_COOKIE['md5password']);
	if (empty($username) || empty($password))
		return false;
	$conn = mysql_connect("localhost", "****", "****");
	mysql_select_db("redbox_main", $conn);
	if (mysql_num_rows(mysql_query("SELECT * FROM members WHERE username='$username' AND md5password='$password'")) > 0) {
		//They are logged in.
		return true;
	} else {
		//They are not logged in.
		return false;
	}
}
//Returns the username of the logged in user.
function user_username() {
	if (isset($_COOKIE['username']))
		return $_COOKIE['username'];
	return "";
}
//returns the email of the logged in user
function user_email() {
	if (isset($_COOKIE['username']) && isset($_COOKIE['md5password'])) {
		$username = clean_string($_COOKIE['username']);
		$md5password = clean_string($_COOKIE['md5password']);
		if (!empty($username) && !empty($md5password)) {
			$current_email = mysql_result(mysql_query("SELECT email FROM members WHERE username='$username' AND md5password='$md5password'"), 0); 
			return $current_email;
		}
	}
	return "";
}

//returns the power level of the logged in user
function user_level() {
	if (isset($_COOKIE['username']) && isset($_COOKIE['md5password'])) {
		$username = clean_string($_COOKIE['username']);
		$md5password = clean_string($_COOKIE['md5password']);
		if (!empty($username) && !empty($md5password)) {
			$current_level= (int) mysql_result(mysql_query("SELECT level FROM members WHERE username='$username' AND md5password='$md5password'"), 0); 
			return $current_level;
		}
	}
	return "";
}

 

Do they look secure (i.e. no 'hackers' would easily be able to break them)?

 

Thanks.

https://forums.phpfreaks.com/topic/124896-do-these-look-secure/

Why would you save the username & password in a cookie file (even if it is md5 encrypted)?

Don't you think that if somebody were to grab the cookie data, they could gain access via your login page? It is far better to store the user ID in the cookie file or, when they log in, create a unique key for the user that is stored in the cookie to identify them to the site. This can expire, and a new key can be created on each login.

https://forums.phpfreaks.com/topic/124896-do-these-look-secure/#findComment-645425
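The per-login key suggested in the reply above, as an added example that is not code from either poster. It assumes PHP 7.3+, a PDO connection passed in as `$db`, and a hypothetical `login_tokens` table and `login_token` cookie name; none of these names come from the thread.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) schema:
//   CREATE TABLE login_tokens (token_hash CHAR(64) PRIMARY KEY,
//                              user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL);
const TOKEN_COOKIE = 'login_token';      // hypothetical cookie name
const TOKEN_TTL    = 90 * 24 * 3600;     // same 90-day lifetime as the original cookies

function cookie_options(int $expires): array {
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Call after the password has been verified. A fresh key is created on every login.
function user_login(PDO $db, int $userId): void {
    $token   = bin2hex(random_bytes(32));   // 256-bit random key, unrelated to the password
    $expires = time() + TOKEN_TTL;
    // Only a hash is stored, so a leaked table does not yield usable cookies.
    $stmt = $db->prepare('INSERT INTO login_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $expires]);
    setcookie(TOKEN_COOKIE, $token, cookie_options($expires));
}

// Returns the logged-in user's id, or null if the cookie is missing, unknown or expired.
function user_id(PDO $db): ?int {
    $token = $_COOKIE[TOKEN_COOKIE] ?? '';
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    // Prepared statement: the cookie value is never interpolated into SQL.
    $stmt = $db->prepare('SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Revokes the key server-side, then clears the cookie.
function user_logout(PDO $db): void {
    $token = $_COOKIE[TOKEN_COOKIE] ?? '';
    if (is_string($token) && $token !== '') {
        $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')
           ->execute([hash('sha256', $token)]);
    }
    setcookie(TOKEN_COOKIE, '', cookie_options(1));
    unset($_COOKIE[TOKEN_COOKIE]);
}
```

Email and power level are then looked up by the returned user id, so neither the username nor any password-derived value travels in a cookie.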

Archived

This topic is now archived and is closed to further replies.
