Zephni Posted April 20, 2011
https://forums.phpfreaks.com/topic/234272-admin-login-the-correct-way/

Ok.. I have made an admin section for a couple of sites, and it works fine, although I'm almost certain that the way I have done it is not the "proper way". What I have done is had a form with a password field that sends the password via POST to another script that checks the password is correct via variable, something like this:

```php
<?php
$pass = $_POST["pass"];
$correct = "imapassword";
if ($pass == $correct) {
    // display contents of page
} else {
    // return user to login screen
}
?>
```

And then it saves the password into a cookie, that dies either over time or when the browser closes. And then on each page it tests whether that cookie is still there and is correct. When the user wants to log out it just destroys the cookie. This seems like a really hashed up way of doing it, could anybody let me know the bare essentials for making a similar system, but the "right way". Thank you in advance
Muddy_Funster Posted April 20, 2011

I would never think about storing a password value in plain text (not in the code, and certainly not on an EU's computer). Look into encrypting and the use of SALT for password info.
btherl Posted April 20, 2011

Yep that's a bad way to do it. A better way is to check the password and store a variable in $_SESSION, such as $_SESSION['admin_login'] = true. An even better way is to compare against a salted md5 hash as Muddy is suggesting, and THEN set $_SESSION['admin_login'] = true. Storing the password in a cookie leaves too many opportunities for the password to be observed by someone else. Make sure you empty the session on logout and set $_SESSION['admin_login'] to false when appropriate (such as when another user logs in).
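The login flow btherl describes, written out as an added example (not code posted in the thread): the browser's cookie carries only an opaque session id, the server keeps a password hash rather than the password, and `$_SESSION['admin_login']` is the only thing later pages check. It uses `password_hash()`/`password_verify()` (PHP 5.5+) in place of the salted md5 the post mentions, which handles the salt for you; the `admins` table stand-in, the script name `login.php` and the field names are assumptions.

```php
<?php
// Added example: session-based admin login (not code from the thread).
// Save as login.php and run with `php -S localhost:8080` to try it.
declare(strict_types=1);

// Stand-in for a database lookup such as
//   SELECT password_hash FROM admins WHERE username = ?
// The hash is computed here only so the example runs stand-alone; on a real
// site it is generated once with password_hash() and stored in the DB.
// Nothing in this array is ever sent to the browser.
function findAdminHash(string $username): ?string
{
    static $admins = null;
    if ($admins === null) {
        $admins = ['admin' => password_hash('example-password', PASSWORD_DEFAULT)];
    }
    return $admins[$username] ?? null;
}

// Check credentials and mark the session as logged in on success.
function attemptLogin(string $username, string $password): bool
{
    $hash = findAdminHash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh session id when privilege changes, so a session id that existed
    // before login (e.g. handed to the user by someone else) is not kept.
    session_regenerate_id(true);
    $_SESSION = [];               // drop anything a previous user left behind
    $_SESSION['admin_login'] = true;
    $_SESSION['admin_user'] = $username;
    return true;
}

// The only check the admin pages need.
function isAdmin(): bool
{
    return ($_SESSION['admin_login'] ?? false) === true;
}

// Empty the session server-side and expire the session cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Cookie flags: not readable by page scripts, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
]);
session_start();

$action = $_POST['action'] ?? '';
if ($action === 'logout') {
    logout();
    header('Location: login.php');
    exit;
}
$error = '';
if ($action === 'login') {
    if (attemptLogin((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
        header('Location: login.php');
        exit;
    }
    $error = 'Login failed.';   // same message for bad user and bad password
}

if (!isAdmin()) {
    // Return the user to the login screen; the password never leaves the form post.
    echo '<p>' . htmlspecialchars($error) . '</p>';
    echo '<form method="post">'
       . '<input type="hidden" name="action" value="login">'
       . 'User <input name="user"> Password <input type="password" name="pass"> '
       . '<button>Log in</button></form>';
    exit;
}

// Admin content: only reached when the session says so.
echo '<h1>Admin area</h1><p>Logged in as '
   . htmlspecialchars($_SESSION['admin_user']) . '</p>';
echo '<form method="post"><input type="hidden" name="action" value="logout">'
   . '<button>Log out</button></form>';
```

The point the thread is making shows up in what each side holds: the browser has a random session id in its cookie, the server has a hash, and the plaintext password exists only for the duration of the POST that checks it.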
maxudaskin Posted April 21, 2011

> I would never think about storing a password value in plain text (not in the code, and certainly not on an EU's computer). Look into encrypting and the use of SALT for password info.

> Yep that's a bad way to do it. A better way is to check the password and store a variable in $_SESSION, such as $_SESSION['admin_login'] = true. An even better way is to compare against a salted md5 hash as Muddy is suggesting, and THEN set $_SESSION['admin_login'] = true. Storing the password in a cookie leaves too many opportunities for the password to be observed by someone else. Make sure you empty the session on logout and set $_SESSION['admin_login'] to false when appropriate (such as when another user logs in).

+1. Take a look at this article and give the dynamic salt a try.
Zephni (Author) Posted April 21, 2011

Awesome thanks guys, and thanks for that article explaining salt coz' I didn't know what it was. Seems like the best solution to me! But still I don't really see the problem with testing the password in the first place in my script like: `if($password == "imapasswordlol")` Coz if the person who's hacking has managed to get to your scripts then you're screwed anyway.
Muddy_Funster Posted April 21, 2011

Not really - your script is stored and run on the server before it is sent to the EU. Thus, getting access to the code on the page is pretty hard to do. However, if you start sending information to and from the server in a plain text format - then life gets easier for whoever it is that would want to screw you over in the first place (it's 99% kids with too much time and too little respect).
Zephni (Author) Posted April 26, 2011

Ok, but if you were importing in from a database the password string would still be in the markup? So would that be just as bad?