[SOLVED] password protected site vulnerability

[kcp4911]

Hello.

 

I am cobbling together a new site that requires user id and password for access using cookies.

 

I have also included a simple visitor log that records user id, ip address, page visited and time of visit.

 

I have included a cookie/password check in the first line of each page - so a visitor should not be able to view a page without having logged in.

 

The problem is I keep getting the occasional visitor log where the ip address, page and time are recorded - but the user id is not recorded.

 

I have tried to visit the pages in question without logging in - and I can't view the page. It sends me back to the login page as it is designed to do.

 

This isn't a website that requires payment or where any great secrets are held - so there isn't really any reason to be hacking it. However, I am wondering if it is something silly I have done or could it be someone being clever?

 

Any ideas?

[kcp4911]

I may be onto it. It might having something to do with my coding. I will confirm after watching the logs for the next couple of days.

 

But if you know of anything that should be looked at as standard practice, I'd love to hear it.

[JonnoTheDev]

You should use sessions, not cookies to store user data. Without any code it is impossible to see what the issue is.

[kcp4911]

Hi Neil. Thanks for the reply.

 

sessions v cookies - why is that? I was reading up on that topic and it seemed to suggest that sessions should be used to store data for a single visit, whereas cookies were suitable for situations where data is to be stored for multiple visits. That is why I thought I would use cookies to store user id and p/w - so that the visitor didn't have to log in again if they navigated away and then came back to the site.

 

I will post my code if the problem persists. I fear it may be something embarrassing.

 

Thanks again.

[JonnoTheDev]

Use a cookie to store a piece of data that would keep a user logged in for a period of time i.e. 3 days. Do not store usernames / passwords in cookies!

 

If there is a login to your website set session values after successful login.

i.e.

session_start()
// login was successful
$_SESSION['userId'] = "123";

Then on pages where you must be logged in

session_start()
if(!is_numeric($_SESSION['userId'])) {
// redirect to login
header("Location:login.php");
exit();
}

 

You can set a value in a cookie to identify the user and log them in on a return visit. Cookies are just text files on the users computer. If you store a password in a cookie then anybody using that computer could read it.

[kcp4911]

Cool. I will do some homework and put that down on the "just one more bloody thing that needs to be done" list. 

[premiso]

To answer why you would use sessions to store user data over a cookie is that session files are stored on the server. Thus you have to authenticate to that sessionid in order to retrieve that data. With Cookies anyone can potentially steal the cookie with a trojan or spyware and use that to authenticate to the site and viola they have all your information.

 

So it is generally better to store the data on the server, where it is less likely to be hacked etc. But as neil suggested, cookies should be used to provide a means of authenticating a user and then you can store the user data in session for that session.

[kcp4911]

thanks premiso. That's why you guys get paid the big bucks.

[premiso]

thanks premiso. That's why you guys get paid the big bucks.

 

lol I do not get paid that much. It would be nice, but oh well. And actually this forum is run off of donations, so I just donate my time here.

[kcp4911]

OK. Sorry it has been a while, but I have only just got around to sorting out the use of sessions versus cookies as suggested above. However, my original problem remains. i.e. I keep getting "anonymous" logged visits.

 

If someone wants to enter the members area they must first log in. The credentials (email and password) are verified against the database and then the session is started using the code below.

// if login is ok then we start session
session_start();
session_register("username");
session_register("pw");
$_SESSION['username'] = $email;
$_SESSION['pw'] = $pass;
$sessionid = session_id();
setcookie("kranji4", $sessionid, 0);
//then redirect them to the members area
header("Location: member.php");

 

Then, I have this script at the top of each members page to verify the login

<?php
//place this script at the top of each "members only" page
session_start();
//checks cookies to make sure they are logged in
if(isset($_COOKIE['kranji4']))
{
$email = $_SESSION['username'];
$password = $_SESSION['pw'];
$check = mysql_query("SELECT * FROM members WHERE email = '$email'")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());

while($info = mysql_fetch_array( $check ))
{
//if the cookie has the wrong password, they are taken to the login page
if ($password != $info['password'])
{ 
header("Location: index.php");
}
}
}
//if the cookie does not exist, they are taken to the login screen
else
{
header("Location: index.php");
}
?>

 

And this is the code to log the visit

 

//enter visit into log
$domain = mysql_real_escape_string(htmlentities($_SERVER['SERVER_NAME']));
$ip = $_SERVER["REMOTE_ADDR"];
$page = "Preview - $date";
$email = $_SESSION['username'];
//add details to log
$query = "
insert into
log
(email, domain, page, ip)
values
('$email', '$domain', '$page', '$ip')
";
$result = mysql_query($query) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());

 

As I was saying, the domain, page and ip details are always recorded without fail. However, the email is not always recorded.

 

Why is this?

 

thanks for your help.

 

[PFMaBiSmAd]

The example code that neil.johnson posted above very specifically had an exit(); statement after the header() redirect. The code you just posted does not.

 

When you don't have an exit(); statement, the remainder of the code on the "protected" page is still executed, so a hacker or a search engine spider would only need to ignore the redirect and he would still have access to your "protected" pages.

[kcp4911]

PFMaBiSmAd,

Like this...?

//place this script at the top of each "members only" page
session_start();
//checks cookies to make sure they are logged in
if(isset($_COOKIE['kranji4']))
{
$email = $_SESSION['username'];
$password = $_SESSION['pw'];
$check = mysql_query("SELECT * FROM members WHERE email = '$email'")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());

while($info = mysql_fetch_array( $check ))
{
//if the cookie has the wrong password, they are taken to the login page
if ($password != $info['password'])
{ 
header("Location: index.php");
exit();
}
}
}
//if the cookie does not exist, they are taken to the login screen
else
{
header("Location: index.php");
exit();
}

[kcp4911]

yep, looks like the exit() thing did the trick.

 

Many thanks.