noobdood Posted May 20, 2014 (edited)

hi, im trying to create a website and only now started thinking about the security part (noob mistake). say for example i have a home.php page and an index.php page. index.php is where users would sign up/log in. the login and sign up processes are all done but i was thinking of creating a unique id of some sort for when the user logs in. or something like this site (forum.phpfreaks): when we sign in, you are signed in but the url stays the same = forums.phpfreaks.com. like if we were signed out we will be permanently signed out and typing in forums.phpfreaks.com would just land us at the main page where we need to sign in. right now, my home.php can be accessed with or without logging in even with sessions. hope im making sense, thanks in advance! **haha that rhymed.

i tried adding:

```php
<?php echo $_SERVER['PHP_SELF'] . '?name=' . $userData['name']; ?>
```

in the index.php:

```php
<?php
ob_start();
session_start();

if (isset($_POST['login'])) {
    $email    = $_POST['email'];
    $password = $_POST['pass'];
    require "connection.php";

    $emails = mysqli_real_escape_string($con, $email);
    $query  = "SELECT id, name, email, password, salt FROM users WHERE email = '$emails';";
    $result = mysqli_query($con, $query);

    if (mysqli_num_rows($result) == 0) {
        // User not found. So, redirect to login_form again.
        echo "<script>alert(\"User does not exist!\")</script>";
        exit; // stop here, otherwise the code below works on an empty row
    }

    $userData = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // salted double SHA-256 (see the reply below on why this is not a password hash)
    $hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

    if ($hash != $userData['password']) {
        echo "<script>alert(\"Incorrect Password!\")</script>";
    } else {
        session_regenerate_id();
        $_SESSION['sess_user_id'] = $userData['id'];
        $_SESSION['sess_name']    = $userData['name'];
        session_write_close();
        header('Location: home.php?user=');
        exit;
    }
}
ob_flush();
?>
<!DOCTYPE html>
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF'] . '?name=' . $userData['name']; ?>">
```

but i got access forbidden!

Edited May 20, 2014 by noobdood
Jacques1 Posted May 20, 2014 (Solution)

Hi,

this is absolutely unnecessary. The session already tells you whether the user is logged in and who she is. So all you need to do is check the session.

Speaking of security: The SHA-2 algorithm is not suitable for password hashing at all. A stock PC can calculate billions of SHA-2 per second and find out almost any password simply by trying out different combinations. You need an actual password hashing algorithm like bcrypt. If you have PHP 5.5, use the new hashing API. If you don't have PHP 5.5 but at least 5.3.7, use the password_compat library.

Inserting $_SERVER['PHP_SELF'] directly into the HTML document makes the page vulnerable to cross-site scripting attacks. Always escape data with htmlspecialchars() before you insert it into an HTML context. Never trust the user input.

While you do escape the SQL input, a much more secure solution would be to use a parameterized statement and separate the data from the query itself.
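The advice above put together in one place, as an added example (not the original poster's or Jacques1's code): the session alone decides who is logged in, password_verify() checks a password_hash() value, the lookup is a parameterized statement, and PHP_SELF is escaped before it reaches HTML. It assumes connection.php provides a mysqli handle in $con and that users.password stores a password_hash() result.

```php
<?php
// Added example (not the poster's or Jacques1's code) applying the advice above: the
// session decides who is logged in, password_verify() checks the hash, the lookup is a
// parameterized statement, and PHP_SELF is escaped. Assumes connection.php sets a mysqli
// handle $con and that users.password holds a password_hash() value.
session_start();

// index.php: authenticate the submitted credentials.
function login(mysqli $con, $email, $password)
{
    $stmt = $con->prepare('SELECT id, name, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);      // the data never becomes part of the SQL text
    $stmt->execute();
    $stmt->bind_result($id, $name, $storedHash);
    $found = $stmt->fetch();

    // One failure path for "no such user" and "wrong password", so the response does not
    // reveal which one happened. password_verify() reads salt and cost from the hash.
    if ($found !== true || !password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id on login (session fixation)
    $_SESSION['sess_user_id'] = (int) $id;
    $_SESSION['sess_name']    = $name;
    return true;
}

if (isset($_POST['login'])) {
    require 'connection.php';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $pass  = isset($_POST['pass'])  ? $_POST['pass']  : '';
    if (login($con, $email, $pass)) {
        header('Location: home.php');    // nothing about the user goes into the URL
        exit;
    }
    echo '<p>Invalid e-mail address or password.</p>';
}

// home.php: call before any output; visitors without a session go to the login page.
function require_login()
{
    if (empty($_SESSION['sess_user_id'])) {
        header('Location: index.php');
        exit;
    }
}
?>
<form name="login" method="post"
      action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
```

Calling require_login() at the top of home.php is what makes the page unreachable without a session, which is the behaviour the original question asks for.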
noobdood Posted May 20, 2014 (Author)

Thanks for the tips Jacques. so i read through the password_hash() doc. changed my code. is this correct?:

```php
$password1 = $_POST['pass'];
$hash  = password_hash($password1, PASSWORD_DEFAULT);
$name  = mysqli_real_escape_string($con, $name);
$query = "INSERT INTO users (id, name, email, number, password) VALUES('','$name','$email','$number','$hash')";
```
Jacques1 Posted May 20, 2014

The hash part is fine, but the dynamic query should be replaced with a proper parameterized statement:

```php
$insert_user_stmt = $database->prepare('
    INSERT INTO users (name, email, number, password)
    VALUES (?, ?, ?, ?)
');
$insert_user_stmt->bind_param('ssis', $name, $email, $number, $hash);
$insert_user_stmt->execute();
```
noobdood Posted May 20, 2014 (Author) (edited)

yeah im still reading up on that. what's 'ssis' in bind_param('ssis', $name, $email, $number, $hash)?

also there was a 'cost' in password hashing and was wondering what it's for? in the doc it says by default the cost is 10 but higher is better (?)

Edited May 20, 2014 by noobdood
noobdood Posted May 20, 2014 (Author)

well, my questions are veering off course of the topic. so i will mark solved and open a new one for the other line of questioning. heh
Jacques1 Posted May 20, 2014

> yeah im still reading up on that. whats 'ssis' in

You really need to get familiar with the manual. The first parameter lists all data types of the bound values. “s” stands for “string”, “i” is for “integer”. If you don't wanna fumble with low-level stuff like this, consider using PDO instead of MySQLi. It's much more convenient.

> also there was a 'cost' in password hashing and was wondering what its for? in the doc it says by default the cost is 10 but higher is better (?)

Yes, the higher the cost factor, the harder it is for an attacker to do a brute-force attack against the hashes. But of course a high cost factor will also slow down your own password-related procedures (registration, log-in and password reset).

A common recommendation is that you choose a duration you think your users find acceptable, let's say one second. Then you increase the cost factor until you reach that duration on your current hardware. This is the cost factor you use.

You can also have different cost factors for different user groups. For example, an administrator should have a higher cost factor than a standard user.
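The calibration procedure Jacques1 describes, as an added example that is not part of the thread: raise the bcrypt cost until one hash takes about as long as you are willing to accept, use a higher factor for administrators, and let password_needs_rehash() upgrade existing hashes when the factor is raised later. The one-second target, the +1 for administrators and the variables $isAdmin, $password and $storedHash are assumptions standing in for your own registration and login flow.

```php
<?php
// Added example, not from the thread: pick the bcrypt cost factor the way Jacques1
// describes, by raising it until one hash takes about as long as you find acceptable.
// The one-second target and the admin/user split are assumptions.
function calibrate_bcrypt_cost($targetSeconds = 1.0, $startCost = 10)
{
    $cost = $startCost - 1;
    do {
        $cost++;                          // each step doubles the work (cost is a log2 value)
        $start = microtime(true);
        password_hash('calibration only', PASSWORD_BCRYPT, array('cost' => $cost));
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds && $cost < 31);   // bcrypt allows costs 4..31
    return $cost;                         // first cost that reaches the target duration
}

$userCost  = calibrate_bcrypt_cost();     // measure once, on the production hardware
$adminCost = $userCost + 1;               // administrators get a higher factor (assumed +1)

// $isAdmin, $password and $storedHash stand in for values from your own registration
// and login code (assumed inputs).
// Registration: store only the hash; salt and cost are embedded in it.
$options = array('cost' => $isAdmin ? $adminCost : $userCost);
$hash    = password_hash($password, PASSWORD_BCRYPT, $options);

// Login: verify, then upgrade old hashes whenever the cost factor has been raised.
if (password_verify($password, $storedHash)) {
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        $storedHash = password_hash($password, PASSWORD_BCRYPT, $options); // write back to users.password
    }
}
```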