
Loginsystem Bug: I Can Login From My Server Computer, But Not From Any Other Computers



My login system is awesome. I added one small thing and BAM, it broke. I can't see the problem but I hope to have it fixed here. Here is my code for my login page:

<?PHP
include_once("sql.php");
if (isset($_POST["user"])) {
    if (isset($_POST["pass"])) {
        if ($_POST["user"] == "") {
            login("u");
        }
        else {
            $loggedIn = false;
            // fetches every row and compares in PHP
            $result = mysql_query("select * from users;");
            while ($row = mysql_fetch_assoc($result)) {
                if ($_POST["user"] == $row["user"]) {
                    if ($_POST["pass"] == $row["password"]) {
                        $loggedIn = true;
                        setCookie("user", $row["user"], time()+3600);
                        setCookie("password", $row["password"], time()+3600);
                        setCookie("team", $row["team"], time()+3600); // added this (a new column in the table)
                        break;
                    }
                }
            }
            if ($loggedIn) {
                print "
                <a href=\"index.php\">Login</a>
                ";
            }
            else {
                login("up");
            }
        }
    }
    else {
        if ($_POST["user"] == "") {
            login("up");
        }
        else {
            login("p");
        }
    }
}
else {
    login("");
}

function login($error) {
    $user = "";
    $pass = "";
    if ($error == "u") {
        $user = "<br />Username is incorrect";
    }
    if ($error == "p") {
        $pass = "<br />Password is incorrect";
    }
    if ($error == "up") {
        $user = "<br />Username not used";
        $pass = "<br />Password is incorrect";
    }
    // form here just simple "username" and "password" fields
}
?>

 

note: my website is only small

thanks


That's not a very good definition at all. Maybe you'd care to share with us what else you added that caused the script to stop working? Was it only the one line in the code that you've commented? Did you change the DB structure? Do you have error reporting on? An awesome login system doesn't store passwords in cookies, BTW.


You also wouldn't ever retrieve all the rows from a database table and loop through them to find if a row existed in the table. You would perform the check for a match in the query and only return the matching row, if any.

Also, storing passwords in clear text is a big no-no.

 

I recommend that you read this article about secure login systems. Should help you fix your script, and make it more secure.
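The replies above recommend doing the match in the query, not storing clear-text passwords, and not putting the password in a cookie. As an added example (not code from any poster in this thread), here is one way to do all three with PDO; the password_hash column, the function names and the in-memory SQLite demo data are assumptions made for the illustration:

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Assumed schema:
// users(user, password_hash, team), where the hypothetical password_hash
// column stores the output of password_hash().

function register(PDO $db, string $user, string $pass, string $team): void
{
    // Store only a salted one-way hash, never the password itself.
    $stmt = $db->prepare('INSERT INTO users (user, password_hash, team) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $team]);
}

function checkLogin(PDO $db, string $user, string $pass): ?array
{
    // The WHERE clause does the lookup, so at most one row comes back,
    // and the bound parameter keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT user, password_hash, team FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    return ['user' => $row['user'], 'team' => $row['team']];
}

function startUserSession(array $account): void
{
    // Identity is kept server-side; the browser only holds a session id.
    session_start(['cookie_httponly' => true]);
    session_regenerate_id(true); // fresh id once the user is authenticated
    $_SESSION['user'] = $account['user'];
    $_SESSION['team'] = $account['team'];
}

// Demo with constructed data in an in-memory SQLite database
// (the thread uses MySQL; only the PDO DSN would differ).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password_hash TEXT, team TEXT)');
register($db, 'alice', 'correct horse', 'red');

var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, 'alice', 'wrong'));
var_dump(checkLogin($db, 'bob', 'correct horse'));
```

In a real page, startUserSession() would be called with the array returned by checkLogin() before any output is sent.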

I figured out the problem, and that this website is tiny and doesn't need an 'advanced' login system. The problem started at daylight savings, and my computer for whatever reason wasn't set for it, and so the cookies expired as they were created. Thanks for all your help though.

This is not a question about a site being "big" or not, nor whether or not it needs an "advanced" login system. It's a question about whether or not your login solution is secure, or if you will leak your users' email/username and password combinations (which almost everyone will be using everywhere else!) when your site is attacked.

Security isn't something you'll need only when you're "big" or "advanced", it is necessary for every single site that's going to be accessible to other people. After all, attackers scour the net using search engines and bots to find the weakest links: Don't let your site be one of those.

 

Not to mention the fact that you do not need access to the passwords for any reason, and by storing them in clear text you're already violating your users' trust. As noted above most people use the same password everywhere, which means that anyone who gains access to your database can impersonate them elsewhere as well.

You wouldn't want to give me your e-mail, username and password for this site, would you? I'm willing to bet that you've used the same password for your e-mail account, and most (if not all) other sites you're on. ;)
