Login Script with session


gtal3x

<?php
include("main.php");
mysql_select_db($dbname, $connect);

// Escape the submitted values before they are placed inside the SQL string
$username = mysql_real_escape_string($_POST['user'], $connect);
$password = mysql_real_escape_string($_POST['pass'], $connect);

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
// mysql_num_rows() counts the rows returned by the query
$count = mysql_num_rows($result);

// If the username and password matched, exactly one row is returned
if ($count == 1) {
    // Record the login time, register the user id in the session and redirect to index.php
    $id = (int) $row['id'];
    $query = "UPDATE users SET lastconnect = NOW() WHERE id = '$id'";
    $result = mysql_query($query) or die(mysql_error());

    session_register("id");
    header("location:index.php");
    exit; // stop the script once the redirect header has been sent
}
else {
    echo "Wrong Username or Password";
}
?>

Not a Hotmail-worthy login script, but safe enough. Here's the login script I made for all of my sites:

 

<?php
if ($action == 'login') {
    $connection = @mysql_connect($db_host, $db_user, $db_pass) or die("Couldn't connect.");
    $db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");

    // Defaults, so the checks further down work when no matching user is found
    $active = $valid_user = $user_id = $air_id = NULL;

    // Escape the submitted values before they are placed inside the SQL string
    $username = mysql_real_escape_string($_POST['username'], $connection);
    $password = mysql_real_escape_string($_POST['password'], $connection);
    $sql = "SELECT * FROM $tbl_user
            WHERE username = \"$username\" AND password = \"$password\"";
    $result = @mysql_query($sql, $connection) or $result = FALSE;
    if ($result == TRUE) {
        $num = mysql_num_rows($result);
        // Copy the matching user's fields into local variables
        while ($row = mysql_fetch_array($result)) {
            $active = $row['active'];
            $confirm = $row['confirm'];
            $valid_user = $row['username'];
            $user_id = $row['user_id'];
            $air_id = $row['air_id'];
            $admn = $row['administrator'];
            $mode = $row['moderator'];
        }
    }

    // Look up the name of the user's airline (ids are cast to integers before use in SQL)
    $sql = "SELECT name FROM airlines WHERE air_id = " . (int) $air_id;
    $result = @mysql_query($sql, $connection) or $result = FALSE;
    if ($result == TRUE) {
        $num = mysql_num_rows($result);
        while ($row = mysql_fetch_array($result)) {
            $va = $row['name'];
        }
        // Only activated accounts get a session
        if ($active == "yes") {
            $valid_password = $_POST['password'];
            session_register("valid_user");
            session_register("valid_password");
            session_register("user_id");
            session_register("va");
            session_register("mode");
            session_register("admn");
            $sql = "UPDATE `pirep`.`user` SET `online` = 'yes' WHERE `user`.`user_id` = " . (int) $user_id . " LIMIT 1";
            $result = @mysql_query($sql, $connection);
            $error = $tblstart . 'Login Successful' . $tblend;
        }
    }

    // Pick the message to show when the login did not succeed
    if ($active == "no") {
        $error = $tblstart . 'Were Sorry But Your Account Has Not Yet Been Activated!' . $tblend;
    }
    elseif ($passpw == NULL) {
        $error = $tblstart . 'You Did Not Enter A Password' . $tblend;
    }
    elseif ($userac == NULL) {
        $error = $tblstart . 'You Did Not Enter A Username' . $tblend;
    }
    elseif ($valid_user == NULL) {
        $error = $tblstart . 'You Entered Incorrect Login Information' . $tblend;
        session_unregister("valid_user");
    }
}
?>

 

Not sure if mine's security safe, but maybe there's a few things you can learn. But as far as yours goes, it does seem pretty safe? As long as you don't have your credit card number or something important on your site, then don't worry.

Thanks for the response. I think my code is safe as well; the only thing is that I session-register the user id only, which could be 1 or 123, and everyone knows user ids and it's very easy to guess any... Isn't there any possibility to hack the session? (I don't really know how the session works; all I know is it's server-side.) I can add more sessions like username and password if it's more secure like that, but if it doesn't matter then I'll leave it as it is...

Use MD5 to encrypt data sent to the sessions, but then you will never get them back, and this will cause you distress... lol! Nah, I've only been using PHP 5.2.X for like a few weeks and I don't know how to make it safer yet, sorry... Ask a better PHP programmer than me. I'm sure there has to be a way to make something stronger! There has to be!  :D
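
A hardened form of the login flow in the posts above, as an added example that is not part of the original thread: the lookup uses a prepared statement, the password is checked against a `password_hash()` value, and only the user id goes into `$_SESSION` after `session_regenerate_id()`. It assumes PHP 7.3 or later and PDO with an in-memory SQLite database so that it runs offline; the table layout, the `alice` account and the function names `attempt_login()` and `start_user_session()` are constructed for illustration.

```php
<?php
// Added example, not thread code. Assumes PHP >= 7.3 with pdo_sqlite; data is constructed.

function attempt_login(PDO $db, string $user, string $pass): ?int
{
    // Placeholders keep submitted values out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a salted hash; no plaintext password is stored or compared.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    // SQLite syntax; on MySQL this would be lastconnect = NOW().
    $db->prepare("UPDATE users SET lastconnect = datetime('now') WHERE id = ?")
       ->execute([$row['id']]);
    return (int) $row['id'];
}

function start_user_session(int $id): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'use_strict_mode' => true,   // reject session IDs the server did not issue
            'cookie_httponly' => true,   // hide the cookie from page scripts
            'cookie_samesite' => 'Lax',
        ]);
    }
    // Fresh ID at login, so an ID fixed or observed before login stops working.
    session_regenerate_id(true);
    // Kept server-side: the browser holds only the random session ID, not this value.
    $_SESSION['id'] = $id;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               password_hash TEXT, lastconnect TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT)]);
// A quote in the input is plain data to a prepared statement, so this just fails.
$rejected = attempt_login($db, "o'neil", "a'b");
$id = attempt_login($db, 'alice', 'constructed-password');
if ($id !== null) {
    start_user_session($id);
}
var_dump($rejected, $_SESSION['id'] ?? null);
```

Because session data stays on the server, a guessable user id stored in `$_SESSION` is not exposed to the browser; what needs protecting is the session ID cookie.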

Archived

This topic is now archived and is closed to further replies.
