hi, I have a session script. Before I use it on my website, I want to know if this script is strong enough or has any bugs/weaknesses in it. 1. If so, please show me the weakness, please modify it and make it stronger & give some explanation about it. 2. Is it necessary to include cookie protection in this script? If so, please show me how to do that.
---------------------------------------
<?PHP
if (!isset($_SESSION["username"]) || !isset($_SESSION["password"])) {
    header ("location:index.php");
} else {
    $username=$_SESSION["username"];
    $password=$_SESSION["password"];
    if(!$username || !$password) {
        header ("location:index.php");
    } else {
        include "delConfig/config.php";
        $connection=mysql_connect($host,$user,$pass) or die(mysql_error());
        mysql_select_db($db,$connection);
        $loginQuery=mysql_query("select * from adminSp where adminUsername='$username' and adminPassword='$password'",$connection) or die (mysql_error());
        $loginRow=mysql_num_rows($loginQuery);
        if($loginRow=="0") {
            $_SESSION=array();
            session_destroy();
            header ("location:index.php");
        }
    }
}
?>
------------------
Best Regards
Depends what $_SESSION['password'] is, but it seems insecure, as you should never save a password into a session. Is this meant to be a login script? Or? If so you should be using $_POST instead. Under each header() add an exit; so the file cannot be processed any further than where it fails. Unless you are using a remember-me system, don't use cookies. There are also other issues, as when is the session set if the details match? If a session is initiated with the USER and PASS stored and then checked, and it clears the session if it doesn't exist, it's insecure. You should only set a session on a MATCH to the posted data of the login. You should also change

if(!$username || !$password)

to

if(empty($username) || empty($password))

You also need to sanitise data before it is passed to the database, i.e. use mysql_real_escape_string() and trim().
Thanx for the answer lfhost. The points that I've got from your answer are:
- It is not secure to use the user's password in a session
- Under each header I have to use exit; to stop an illegal process
- Do not use cookies
- I should only set a session on a MATCH to the posted data of the login
- Change "!" with "empty"
- I have to sanitise data before it is passed to the database, i.e. use mysql_real_escape_string() and trim()

That's my problem: I don't know how to check that the session matches if I don't use username & password. I mean, I use username & password in the session to ensure that a visitor can only open their own pages, not someone else's. But since last day I'm not sure what I'm doing is secure. Could you give me the script for how to ensure a visitor can only open their own pages, not the others', without using their username & password in the session? I really still don't understand this case...
You can store the password in the session. Although instead of having it in plain text, hash it with sha1 or something alike.
When they login just make a session $_SESSION['loggedin'] = 1; Then check for its existence to see if they're logged in. Simple. Like this:

if ($_SESSION['loggedin'] == 1) {
    //logged in
} else {
    //not logged in
}

There is absolutely no need to store anything other than the username (or user_id) in sessions.
Use md5 encryption for your passwords: $pass = md5($_POST['pass']); Or better, start encrypting by JS on clicking the submit button, just like at this forum.
I personally wouldn't do that because not everyone has JS enabled. If vB does start the encryption before it is sent to PHP, it most likely has the ability to do both if one fails. But in my opinion it's just extra work for no real gain.
Tell it to the vBulletin developers =) Well, it is a little bit paranoid I think, but very effective protection actually. I don't remember really, but there is no option like that. And it is no problem to check with PHP whether the md5 value was received or not.
Yes, you're right about that, but I think a visitor can still access another member's pages by changing the page ID in the URL. Let's say in the case member=jack, I use the username jack as the ID to open jack's page, but I have to ensure that he is really jack, and the only thing that I believe is his password. So I have to check whether the username jack & his password XXXXXXXXXX match. If so, the page will be opened; if not he will be redirected to another page. That is all I was thinking before. How about if I hash the password with a string just like chopsticks said, is it better or does it still have a weakness????
All you have to do for that is check that $_GET['member'] == $_SESSION['username']. There really is no need at all for the password to be in there.
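As an added example (not code from anyone in this thread), here is one way to put the advice above into a login handler and a member-page guard: the session is set only on a MATCH, only a logged-in flag and the username go into it (no password), every header() is followed by exit;, and the member page is compared against $_SESSION['username']. Assumptions of mine, not from the thread: PHP 5.5 or newer (password_hash()/password_verify() instead of md5), PDO with an in-memory SQLite database standing in for the MySQL connection, and a table memberRegSp(userCp, activePwd, levelStatus) whose activePwd column holds a password_hash() hash rather than an md5 value.

```php
<?php
// Added example, not the thread's code. Assumptions: PHP >= 5.5, PDO with the
// SQLite driver as a stand-in for MySQL, and memberRegSp.activePwd holding a
// password_hash() hash (the thread's scripts store md5 there).

session_start();

function connect_db()
{
    // Constructed fixture: one member in an in-memory table so the example
    // runs offline. In production this would be the real DSN from config.php.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE memberRegSp (userCp TEXT PRIMARY KEY, activePwd TEXT, levelStatus INTEGER)');
    $stmt = $db->prepare('INSERT INTO memberRegSp (userCp, activePwd, levelStatus) VALUES (?, ?, ?)');
    $stmt->execute(array('jack', password_hash('correct horse', PASSWORD_DEFAULT), 1));
    return $db;
}

function login_user(PDO $db, $username, $password)
{
    // The value travels as a bound parameter, never inside the SQL text, so a
    // quote in $username cannot change the query. This is the prepared-statement
    // equivalent of mysql_real_escape_string() on the old mysql_* extension.
    $stmt = $db->prepare('SELECT activePwd, levelStatus FROM memberRegSp WHERE userCp = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Nothing is written to the session unless the password matches the hash.
    if ($row === false || !password_verify($password, $row['activePwd'])) {
        return false;
    }

    // New session id at login so an id handed out before login is not
    // promoted to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['loggedin']    = 1;
    $_SESSION['username']    = $username;
    $_SESSION['levelStatus'] = (int) $row['levelStatus'];
    return true;
}

function require_login()
{
    // The flag set by login_user() is the whole check; no password, hashed or
    // not, needs to live in the session.
    if (empty($_SESSION['loggedin'])) {
        header('Location: index.php');
        exit; // without exit the rest of the page would still be sent
    }
}

function can_view_member_page($requested_member)
{
    // The owner check from the thread: the member named in the URL must be
    // the member this session was created for.
    return isset($_SESSION['username']) && $requested_member === $_SESSION['username'];
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

// --- usage as it would appear in login.php ---
if (isset($_POST['username'], $_POST['password'])) {
    $db = connect_db();
    if (login_user($db, trim($_POST['username']), $_POST['password'])) {
        header('Location: member.php?member=' . urlencode($_SESSION['username']));
    } else {
        header('Location: index.php?error=1');
    }
    exit;
}

// --- usage as it would appear at the top of member.php ---
require_login();
$member = isset($_GET['member']) ? $_GET['member'] : '';
if (!can_view_member_page($member)) {
    header('Location: index.php');
    exit;
}
echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```

The two "usage" sections would normally sit in two files (the login form handler and the protected page); they are shown together here only so the whole flow is visible in one place. The logout() helper is what the original script's $_SESSION=array(); session_destroy(); pair becomes once the session is no longer re-validated against the database on every page.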
The password & username were taken from here,...

<?PHP
session_start();
include "config.php";
$connection=mysql_connect($host,$user,$pass) or die(mysql_error());
mysql_select_db($db,$connection);
$pageId=htmlspecialchars($_POST['pageId']);
$filUsername=htmlspecialchars($_POST['username']);
$filPassword=htmlspecialchars($_POST['password']);
$password_encr=md5($filPassword);
$ctry = htmlspecialchars($_GET['ctry']);
$query_login = mysql_query("select * from memberRegSp where userCp='$filUsername' and activePwd='$password_encr'",$connection) or die (mysql_error());
$numRow=mysql_num_rows($query_login);
$row = mysql_fetch_array ($query_login);
// mysql_num_rows() returns an integer, so compare against a row count rather than ""
if ($numRow > 0) {
    $levelStatus=$row["levelStatus"];
    $_SESSION["username"] = $filUsername;
    $_SESSION["password"] = $password_encr;
    $_SESSION["levelStatus"] = $levelStatus;
    if($pageId=="1") {
        $levelStatus=$row["levelStatus"];
        if($levelStatus=="1") {
            $memberLevel="PersonalCommon";
        } else if($levelStatus=="0") {
            $memberLevel="PersonalStudent";
        }
        echo "<META HTTP-EQUIV=\"refresh\" content=\"4; URL=../nextPageSp.php?ctnt=". $memberLevel ."&tle=Personal&ctry=$ctry\"> ";
    }
}
?>

So I think it is still in MD5 when used in the session.
Why are you running all $_POST's through htmlspecialchars()? That will give you problems. You should be using mysql_real_escape_string().
I'm really sorry if I make you all guys so confused, because I'm not too smart. Actually I'm only a farmer in my place, not a programmer. Website & design is my other hobby. OK papa_face, I become clear now, ....this is a question from my standard IQ: "is it possible for someone to change the $_SESSION value???"
well..well..well I'm really confused now... because I was reading that htmlspecialchars() is strong enough to counter wild scripts in my form or URL,....please explain to me what problem you mean. And then what is the function of mysql_real_escape_string() & how do I use it? In the PHP manual it is not too clear.....
Yea... I see it.....I found here that it is strong enough to prevent SQL injection,... but I still haven't found anything about the problem that you mentioned about htmlspecialchars(). Could you help me?
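As an added example (not code from anyone in this thread), the script below shows the two problems papa_face is pointing at: htmlspecialchars() is an output encoder for HTML, so running the posted values through it before the query both changes the data that gets stored and, with the ENT_COMPAT default used before PHP 8.1, leaves the single quote alone, which is exactly the character that delimits the value in where userCp='$filUsername'. The right split is escaping or parameter binding at the database boundary and htmlspecialchars() at the HTML boundary. Assumptions of mine: PHP 5.3 or newer with the PDO SQLite driver standing in for MySQL; the names memberRegSp and userCp come from the thread, the member names are constructed for the demo, and prepared statements are used where the thread suggests mysql_real_escape_string().

```php
<?php
// Added example, not from the thread. Assumptions: PHP >= 5.3 with PDO SQLite
// as a stand-in for MySQL; memberRegSp/userCp are the thread's names, the
// member names below are constructed test data.

function html_encode_for_sql($name)
{
    // ENT_COMPAT was the default flag set before PHP 8.1, so this is what the
    // original script's htmlspecialchars($_POST['username']) produced.
    $encoded = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
    return array(
        'encoded'        => $encoded,
        // Problem 1: the value written to the database is no longer what the
        // member typed ("&" becomes "&amp;"), so later lookups by the real
        // name fail and displays end up double-encoded.
        'data_changed'   => $encoded !== $name,
        // Problem 2: the single quote is untouched, and the single quote is
        // what delimits the value in "... where userCp='$filUsername'".
        'quote_survives' => strpos($encoded, "'") !== false,
    );
}

function demo_db()
{
    // Constructed fixture so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE memberRegSp (userCp TEXT)');
    return $db;
}

function store_member(PDO $db, $name)
{
    // Database boundary: bind the raw value as a parameter. The driver keeps
    // it apart from the SQL text, so quotes cannot alter the statement and
    // nothing has to be encoded. On the old mysql_* extension the equivalent
    // was wrapping the value in mysql_real_escape_string().
    $stmt = $db->prepare('INSERT INTO memberRegSp (userCp) VALUES (?)');
    $stmt->execute(array($name));
}

function find_member(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT userCp FROM memberRegSp WHERE userCp = ?');
    $stmt->execute(array($name));
    return $stmt->fetchColumn(); // the stored name, or false if absent
}

function render_member($name)
{
    // HTML boundary: this is where htmlspecialchars() belongs, with ENT_QUOTES
    // so both quote characters are encoded when the value lands in markup.
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>';
}

$db = demo_db();
foreach (array("O'Brien", 'Smith & Sons') as $name) {
    $r = html_encode_for_sql($name);
    printf("%-13s htmlspecialchars -> %-17s changed=%s quote survives=%s\n",
        $name, $r['encoded'],
        $r['data_changed'] ? 'yes' : 'no',
        $r['quote_survives'] ? 'yes' : 'no');
    store_member($db, $name);
    printf("%-13s stored via prepared statement, read back intact=%s\n",
        '', find_member($db, $name) === $name ? 'yes' : 'no');
    printf("%-13s for HTML output: %s\n", '', render_member($name));
}
```

Run as a CLI script, "O'Brien" comes out of htmlspecialchars() unchanged (quote survives, data not changed) while "Smith & Sons" is altered to "Smith &amp; Sons"; both are stored and read back exactly through the prepared statement and only encoded when rendered. The same separation applies to $ctry from $_GET: keep the raw value for the query, encode it when it is echoed into the META refresh tag.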