willc Posted March 13, 2008

Hello, I am trying to create a simple log-in script using sessions. The browser is not cooperating so I'm clearly doing something wrong. I keep getting kicked back to the log-in page. Thanks for your help! Will

Here is my code for the main login page:

<?php
session_start();
if ($_SESSION['access'] == true) {
    header("location:URL to members only page");
}
?>

HTML for log-in form....

<form name="form1" method="post" action="checklogin2.php">

Here is the code for the checking of the log-in (checklogin2.php):

<?php
session_start();
$host="xxxxx";
$username="xxxxx";
$password="xxxxx";
$db_name="xxxxx";
$tbl_name="xxxxx";
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
$myusername=strtoupper($_POST['myusername']);
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM $tbl_name WHERE UPPER(lastname) LIKE '%$myusername%' and membernum='$mypassword'";
$result=mysql_query($sql); // runs the query; $result was used below but never assigned in the original paste
$count=mysql_num_rows($result);
if($count==1){
    $_SESSION['access'] == true;
    header("Location: url to members only page");
} else {
    echo "Wrong Username or Password";
}
?>

Finally, here is the code for the members only page:

<?php
session_start();
if ($_SESSION['access'] !== true) {
    header("location:back to main login page");
}
?>

HTML of members only page
BlueSkyIS Posted March 13, 2008

"The browser is not cooperating" what do you mean????????????
BlueSkyIS Posted March 13, 2008

the problem is probably this:

$_SESSION['access'] == true;
willc Posted March 13, 2008 Author

Sorry, yes, the browser keeps kicking me back to the log-in page so there is something going on with $_SESSION. But I'm unsure of how to fix it. Any ideas?
discomatt Posted March 13, 2008

Echo your query and post please..

Also, do not rely on session data alone. Session data is normally stored in cookies, and the end user can modify those as he/she pleases.

Also also.... the LIKE '%$myusername%' is not the best way of a secondary verification. Imagine 2 people use the same password? Unless you're using hashing with a random salt (it doesn't seem like it), you can wind up with multiple results returned, which would cause your num_rows==1 to return false.

Also, your scripts are wide open to injection. I could enter this into the 'mypassword' field:

somestring' OR 1=1 LIMIT '1

So your query would be like this:

SELECT * FROM `table` WHERE `something`='something' AND `password`='somestring' OR 1=1 LIMIT '1'

This would always return 1 row, and thus the attacker has logged in.

check out mysql_real_escape_string()
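The injection discomatt describes, as an added example that is not part of the thread: the query shape from the original checklogin2.php is rebuilt by string concatenation and run beside a prepared-statement version against an in-memory SQLite table (via PDO, so it runs offline). The table and column names and the tautology payload used here are assumptions of this example, not the post's own.

```php
<?php
// Added example (not code from the thread): SQL injection against a
// string-built login query versus a prepared statement.
// Uses an in-memory SQLite database through PDO so it runs offline;
// the `members` table and its columns are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, lastname TEXT, membernum TEXT)');
$db->exec("INSERT INTO members (lastname, membernum) VALUES ('Smith', '1234'), ('Jones', '5678')");

// Vulnerable: same shape as the query in the original post. Whatever the
// user types becomes part of the SQL text, quotes and all.
function countVulnerable(PDO $db, string $user, string $pass): int
{
    $user = strtoupper($user);
    $sql  = "SELECT * FROM members WHERE UPPER(lastname) LIKE '%$user%' AND membernum='$pass'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Hardened: placeholders. The driver sends values separately from the
// query text, so a quote in the input can never close the string literal.
function countPrepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT * FROM members WHERE UPPER(lastname) = UPPER(?) AND membernum = ?');
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed attacker input for the password field. In the vulnerable query
// it closes the literal, adds a tautology, limits the result to one row so a
// num_rows == 1 check passes, and comments out the trailing quote.
$payload = "x' OR '1'='1' LIMIT 1 --";

printf("vulnerable, injected password: %d row(s)\n", countVulnerable($db, 'nobody', $payload));
printf("prepared,   injected password: %d row(s)\n", countPrepared($db, 'nobody', $payload));
printf("prepared,   real credentials:  %d row(s)\n", countPrepared($db, 'smith', '1234'));
```

Run it with `php` on the command line (pdo_sqlite is bundled with most builds). The concatenated query hands the attacker a row without a valid username or number; the prepared statement treats the whole payload as an opaque membernum and matches nothing, while still matching the real credentials. Escaping with mysql_real_escape_string() closes the same hole for the old mysql_* API, but the placeholder approach is what to reach for in any code written today.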
BlueSkyIS Posted March 13, 2008

the problem is probably this:

$_SESSION['access'] == true;

by which I mean you attempt to assign the value of true to $_SESSION['access'], but instead you use the comparison operator. should be:

$_SESSION['access'] = true;
willc Posted March 13, 2008 Author

Echo your query and post please..

I'm such a noob and am afraid I don't know how to do that.

Also, do not rely on session data alone. Session data is normally stored in cookies, and the end user can modify those as he/she pleases.

What do you recommend? Any links to tutorials that you know are good? Again, I'm pretty new at this and really don't know the best way to make this secure.

Also also.... the LIKE '%$myusername%' is not the best way of a secondary verification. Imagine 2 people use the same password? Unless you're using hashing with a random salt (it doesn't seem like it), you can wind up with multiple results returned, which would cause your num_rows==1 to return false.

I'm just trying to get the username to match what's in the database.

Also, your scripts are wide open to injection. I could enter this into the 'mypassword' field:

somestring' OR 1=1 LIMIT '1

So your query would be like this:

SELECT * FROM `table` WHERE `something`='something' AND `password`='somestring' OR 1=1 LIMIT '1'

This would always return 1 row, and thus the attacker has logged in.

check out mysql_real_escape_string()

I will check that out. Thanks and sorry for the questions.
willc Posted March 13, 2008 Author

the problem is probably this:

$_SESSION['access'] == true;

by which I mean you attempt to assign the value of true to $_SESSION['access'], but instead you use the comparison operator. should be:

$_SESSION['access'] = true;

Thank you, I will try that. Actually, shouldn't I assign true using "==" if the username and password are correct? And then I use "=" on the other pages?
BlueSkyIS Posted March 13, 2008

== is never assignment. it is always comparison. = is an assignment.

$a = "hello world";
if ($a == "hello world") {
    echo $a;
} else {
    echo "$a is not hello world.";
}

output: hello world

your use of !== true is correct. it appears it's just the assignment that is wrong.
willc Posted March 13, 2008 Author

Blue, Thank you, that worked! Any suggestions on how I can tighten up the security and other issues re: discomatt's points above? Much obliged.
BlueSkyIS Posted March 13, 2008

Well, first, session data is not typically stored in cookies. it is always stored on the server. only the session identifier is stored in a cookie, passed within the url if cookies are turned off. I rely on sessions for everything. the only danger may be if someone has access to /tmp or wherever the session data is kept. if that's a problem stealing sessions is the last of your worries.

the second point, check out mysql_real_escape_string(), is a good idea. you should look into using that function on all user-entered data.
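Putting the advice from this thread together, here is an added example (not code from the thread or from either poster) of how checklogin2.php and the members-only gate could be written today. It assumes PHP 7.3 or later, a PDO connection, and a `members` table with `lastname` and `pass_hash` columns where `pass_hash` holds a password_hash() value instead of a plaintext membernum; those names, the `members` table and the sample row at the bottom are constructed for this example. It uses placeholders instead of escaping, verifies against a hash, regenerates the session id after login, and exits after the redirect.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP >= 7.3, a PDO
// connection, and a `members` table with `id`, `lastname` and `pass_hash`
// (a password_hash() value). The demo data at the bottom is an in-memory
// SQLite table so the file runs offline; production would use a MySQL DSN.
declare(strict_types=1);

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only the session id travels in the cookie; the data stays on the server.
    // HttpOnly keeps page scripts from reading the id, Secure keeps it off
    // plain HTTP, SameSite limits cross-site requests carrying it.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Returns the member id on success, null on failure.
// Input never becomes SQL text: the lookup uses a placeholder.
function login(PDO $db, string $lastname, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pass_hash FROM members WHERE UPPER(lastname) = UPPER(?)');
    $stmt->execute([$lastname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash. Matching a plaintext membernum inside
    // the SQL leaks it into query logs and lets anyone who reads the table in.
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }

    startSecureSession();
    session_regenerate_id(true);      // fresh id after login: defeats session fixation
    $_SESSION['access']    = true;     // single '=': assignment, not comparison
    $_SESSION['member_id'] = (int) $row['id'];
    return (int) $row['id'];
}

// Gate for the members-only page. header() alone does not stop the script,
// so the rest of the page would still be sent without the exit.
function requireMember(string $loginUrl): void
{
    startSecureSession();
    if (($_SESSION['access'] ?? false) !== true) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// --- constructed demo data, not from the thread ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, lastname TEXT, pass_hash TEXT)');
$db->prepare('INSERT INTO members (lastname, pass_hash) VALUES (?, ?)')
   ->execute(['Smith', password_hash('1234', PASSWORD_DEFAULT)]);

$ok  = login($db, 'smith', '1234');
$bad = login($db, 'smith', "x' OR '1'='1' LIMIT 1 --");
printf("valid credentials -> %s\n", $ok === null ? 'rejected' : "member id $ok");
printf("injected password -> %s\n", $bad === null ? 'rejected' : "member id $bad");
```

In the real checklogin2.php the two values come from $_POST['myusername'] and $_POST['mypassword'], and the members-only page calls requireMember() before emitting any HTML. Note that requireMember() reads the session with the `??` default so a missing key is treated as "not logged in" rather than raising a notice, and that the gate still relies only on the server-side session, which is fine because the client holds nothing but the id.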
willc Posted March 13, 2008 Author

Thank you my friend. I will look into that. Really appreciate the help.
This topic is now archived and is closed to further replies.