Is it possible to create a PHP login script (ideally supporting only one user, although if I'm on the right track I'm sure an array would support others) that uses only one or two files? I want to create a simple page to lock a user out without the right credentials, and use sessions to keep things going. Something like this, but a little more advanced: http://www.zend.com/code/codex.php?id=304&single=1 Is this possible, or do I need to use a database? Is this secure? (I know it's possible, the focus is more on the second question: Is it possible AND secure?) Thanks, Peter
Storing the username and password inside the file..? - No, not secure. IMHO. You should use a database, and hash the password.
Well, one important aspect of the script that I'm making is that it all runs on flat files - and I assumed a PHP file would be more secure than a flat file...
Passwords are stored in flat files all the time. Use the following precautions 1. Don't store the password file in the public_html directory 2. Use a one-way hash on the passwords This is the same technique that is used by htaccess to password protect web directories.
Interesting, lemaitre. Would you happen to know a good tutorial on the second point of your response? Thanks, Peter
OK A simple tutorial: http://www.webcheatsheet.com/php/md5_encrypt_passwords.php Some useful theory: http://www.cs.bham.ac.uk/~mdr/teaching/modules04/security/lectures/hash.html You will probably have to cut and paste those urls, sorry. The basic idea is to use the md5 function before you store a password and whenever you test a password entered by the user against the value in the password file. The first tutorial shows an example with a database but the technique can be adapted to flat files.
Here is a single login/logout script that you may implement along with measures exposed above: www.php-mysql-tutorial.com/user-authentication/basic-authentication.php
Something like this should work. <?php ob_start(); session_start(); $username = "username here"; $password = md5(sha1("password here")); switch($_GET['action']) { default: if($_POST['login']) { $errors = array(); if($_POST['username'] == "" || $_POST['username'] != $username) { $errors[] = "You have supplied an incorrect username!"; } if($_POST['password'] == "" || md5(sha1($_POST['password'])) != $password) { $errors[] = "You have supplied an incorrect password!"; } if(count($errors) > 0) { foreach($errors as $err) { echo"$err<br />"; } } else { $_SESSION['username'] == "$username"; $_SESSION['logged_in'] == "true"; $_SESSION['password'] == $_POST['password']; echo"<META HTTP-EQUIV='Refresh' Content='0; login.php?action=locked_area'>"; } } else { echo"<form action='login.php' method='post'> Username: <input type='text' name='username' /><br /><br /> Password: <input type='text' name='password' /><Br /><br /> <input type='submit' name='login' value='Login!' /> </form>"; } break; case "locked_area": if(!isset($_SESSION['username'] || $_SESSION['logged_in']) || $_SESSION['logged_in'] != "true") { echo"You are not authorized to view this page!"; } else { //Put all the stuff you don't want anyone but yourself to see here } break; } ?> PHP: Make sure you change the username and password variables where it says username here, and password here. Make sure you leave the password variable encrypted with md5(sha1()) encryption. md5 has been cracked. I didn't test this script, so it might need a little editing.
Noticed some problems the script posted by Chris. Set = signs where there were == and added a password check if the session exists. <?php ob_start(); session_start(); $username = "username here"; $password = md5(sha1("password here")); switch($_GET['action']) { default: if($_POST['login']) { $errors = array(); if($_POST['username'] == "" || $_POST['username'] != $username) { $errors[] = "You have supplied an incorrect username!"; } if($_POST['password'] == "" || md5(sha1($_POST['password'])) != $password) { $errors[] = "You have supplied an incorrect password!"; } if(count($errors) > 0) { foreach($errors as $err) { echo"$err<br />"; } } else { $_SESSION['username'] = "$username"; $_SESSION['logged_in'] = "true"; $_SESSION['password'] = $_POST['password']; echo"<META HTTP-EQUIV='Refresh' Content='0; login.php?action=locked_area'>"; } } else { echo"<form action='login.php' method='post'> Username: <input type='text' name='username' /><br /><br /> Password: <input type='text' name='password' /><Br /><br /> <input type='submit' name='login' value='Login!' /> </form>"; } break; case "locked_area": if(($_SESSION['username'] != $username) || ($_SESSION['password'] != $password) || ($_SESSION['logged_in'] != "true")) { echo"You are not authorized to view this page!"; } else { //Put all the stuff you don't want anyone but yourself to see here } break; } ?> PHP: It is still untested so you may still receive errors. e39m5
That particular example defeats the purpose of using a one-way hash because this line: $password = md5(sha1("password here")); PHP: stores the password in plaintext. But it can be fixed by writing a one-off script that prints the hashed password and storing that. Then you delete the script! In a more realistic example the passwords would be stored in a password file and the registration script would hash and store them.
Use the database and encrypt the password field.It will solve your security problem.Make session active using Php session cookie.All the Best
Yeah, carry a session of some sort. Be it an object of the logged in user, or even just a flag variable.
He wants a flat file login type thing. WIthout using a database. THis isn't for a member system. And the md5(sha1()) encryption doesn't defeat the purpose of encrypting. The first thing that happens is the password is encrypted in sha1, then the sha1 hash is encrypted with md5. If you haven't heard, md5 has been cracked.
The idea behind using a one-way hash is that you never store the passwords in plaintext. That way even if your password file is compromised, no passwords are leaked unless they are able to decrypt them, which is computationally difficult. Your code should not have stored the password in plaintext. md5 and sha1 have both been broken, but they are still difficult to break for the casual hacker. It's a matter of doing enough security to protect against the kind of attacks that are realistically possible. md5 is good enough for that. md5 plus sha1 may be better, but there's no guarantee that it can't be cracked as well.