Jump to content

Basic (Very) User Admin System


tozjerimiah

Recommended Posts

Hello.

 

I designed a system a bit back and kinda cobbled it together. I was wondering if anyone could tell me of any security implications with the following setup:

  • Usernames & passwords are stored on disk as a php array.
  • A user enters their username and password into a form.
  • On submit, the page include()s the username file & the checks to see if their username exists is the array.
  • If it does, it checks that the password matches.
  • If it does, a session variable key is assigned (username), with the username as the variable.
  • As the user navigates the site, the session variables are maintained (session_start()), ensuring that a valid user is logged in.

Is the above system relatively secure? Yes, it would be better over ssl and yes it would be vulnerable if a user managed to get read access to the files in the directory in which the usernames.php file is stored but it's on a hosting service which I believe to be secure and the uploader system ensures that uploads are stored in a separate directory with valid file extensions (.jpg etc).

 

Thanks in advance for any advice.

 

Toz

Link to comment
Share on other sites

I'm concerned about where the password file is stored, and if it can be reached via the web server. Alternatively, if other users on the server have read access to it.

 

Secondly, it doesn't look like you're hashing the passwords in any way, which makes them extremely vulnerable if attackers does get access to the file.

 

I would like to recommend that you read this article about secure login systems, as it will help you understand a lot more about the basic security concerns. :)

Link to comment
Share on other sites

  • 3 weeks later...

You are taking a poop behind a glass wall and hoping no one will see you. That dog just won't hunt. Much like your glass wall, a flat file format with no encryption gives you very little privacy or security. The best option would be to use a database and some sort of one way encryption algorithm to store the password. You could get the password from your user, apply the same one way encryption algorithm and compare that to see if the password is correct. Now if you are dead set that you don't want to use a database then I suggest http_auth as a possible solution. It would be better than your current solution and done without a database. If that won't do then at least encrypt the passwords and restrict access to the file that stores the passwords to only be accessible from 127.0.0.1 (the loopback interface on the server). That would be at least a slight increase in security. I assume you are running an apache server (it is a pretty popular option) and in the .conf (configuration files) you can find a reference to .ht files these are .htaccess and .htpasswd just off the top of my head and apache makes effort to keep those files from just being casually read by the public at large. You could look to your server configuration for inspiration for securing your information, but by no means is that a solution to your problem. My first answer is the easiest to implement and most likely the best option you'll find for shared level hosting. The other options I mentioned are far less secure and only there as a last resort to show you some other possibilities, but by no means am I suggesting you go that route. I strongly urge you to look into the database option.

Link to comment
Share on other sites

This thread is more than a year old. Are you sure you have something important to add to it?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.