Apr 6th, 2004, 12:36 PM
#1
Thread Starter
Hyperactive Member
Basic sessions and security
Posted: Tue Apr 06, 2004 9:17 am Post subject: Basic understanding of session and register_globals
Hi all,
I am new to PHP and the web. I have done some programming,
but nothing to the point that I would be able to understand what is
needed to have a website that is secure, meaning a login page
and tracking sessions to ensure the user is valid on each page.
I have written a simple PHP script that takes the username
and password and validates them against the database, but the more
I read about web security the more I fear that my idea would
be too easy to get around.
I read a little bit about PHP and the use of sessions, but then
I got confused because it said if I don't turn on
register_globals I can not use it, but if I turn this on in my
php.ini it is not safe.
Can someone please help clarify this?
Any help you can provide is greatly appreciated.
Regards,
-
Apr 6th, 2004, 02:01 PM
#2
The session variables are just as easily accessed without register_globals on. They can be obtained through the superglobal $_SESSION, with $_SESSION['var'] being what you want to call.
Here's some stuff you can look over. I don't suggest using all of this within one script; I just put it all together..
PHP Code:
<?php
session_start();

//without register_globals there is no magic $action variable, so read
//the requested action from the request explicitly
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
$login = false;

if($action == "login"){
    //check if the user can be logged in
    //(escape the values before they go into the query)
    $user = mysql_real_escape_string($_POST['user']);
    $pass = mysql_real_escape_string(ecrypt($_POST['pass']));
    $qry = mysql_query("SELECT user FROM tablename WHERE user='$user' AND pass='$pass' LIMIT 1");
    $arr = mysql_fetch_array($qry);
    if($arr && $arr[0] != ""){
        //log them in
        $_SESSION['user'] = $_POST['user'];
        //keep the encrypted password in the session, never the plain text
        $_SESSION['pass'] = ecrypt($_POST['pass']);
        echo "you're now logged in\n";
    }else{
        //give them an error
        echo "we could not log you in\n";
    }
}elseif($action == "checklogin"){
    //check if the user is logged in
    if(isset($_SESSION['user'], $_SESSION['pass'])){
        $user = mysql_real_escape_string($_SESSION['user']);
        $pass = mysql_real_escape_string($_SESSION['pass']);
        $qry = mysql_query("SELECT user FROM tablename WHERE user='$user' AND pass='$pass' LIMIT 1");
        $arr = mysql_fetch_array($qry);
        if($arr && $arr[0] != ""){
            //user login information is correct, set their login status
            $login = true;
        }
    }
    //don't do anything if their session information is not correct
}elseif($action == "logout"){
    //log the user out if they are logged in
    if(isset($_SESSION['user'], $_SESSION['pass'])){
        //close their session
        unset($_SESSION['user']);
        unset($_SESSION['pass']);
        $login = false;
        echo "you're now logged out\n";
    }else{
        //give them an error
        echo "you aren't logged in\n";
    }
}

//crypt() with a fixed salt so every stored password uses the same salt
function ecrypt($str){
    return crypt($str, "pw");
}
?>
I added an encrypt function to encrypt passwords, just because whenever I build my MySQL databases I have the passwords encrypted for added security..
Hope that helps you out.. Ask questions if you have any, or if that just confused you more.
Edited to fix some syntax errors.. There might be more, as it's untested code: I'm at school and don't have anywhere to test it, and I don't feel like uploading it to a server and setting up a database just for this..
Last edited by kows; Apr 6th, 2004 at 02:06 PM.
-
Apr 6th, 2004, 02:12 PM
#3
Thread Starter
Hyperactive Member
Thanks for your time
Kows,
Thanks for the info and your time. The crypt() that you
referred to (at the bottom) is a PHP system function, right?
Again, thanks for taking the time to help.
-
Apr 6th, 2004, 05:40 PM
#4
Yeah, crypt() is a built-in PHP function. I made my own function [ecrypt()] so that I would have a uniform salt when encrypting my passwords. The salt is an optional second parameter in crypt() that will change the first two letters of the encrypted password.
Code:
//returns something like pwsdjfsdkfh32hkf, note "pw" is the first two characters
echo crypt("word", "pw");
More on crypt() can be found here:
http://ca2.php.net/manual/en/function.crypt.php
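The login flow discussed in replies #2 and #4, written out as an added example on current PHP (this is not code from the thread or from any poster). It reads the action from the request instead of a register_globals variable (register_globals was removed in PHP 5.4), stores only the user id in $_SESSION, sends every query through a PDO prepared statement, and replaces the fixed-salt crypt() with password_hash()/password_verify(), which store a random per-password salt inside the hash. The DSN, credentials, and the `users` table with columns `id`, `username`, `pwhash` are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumed schema: users(id, username, pwhash).
// The DSN and credentials below are placeholders.
session_start();

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app', 'appuser', 'apppass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
    return $pdo;
}

// Registration: store a salted hash. password_hash() chooses a random salt
// per call, so two users with the same password get different hashes,
// unlike crypt($pw, "pw") where the salt is the same for everyone.
function registerUser(string $username, string $password): void {
    $stmt = db()->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the user up with a bound parameter (no interpolation into SQL),
// then let password_verify() read the salt out of the stored hash.
function loginUser(string $username, string $password): bool {
    $stmt = db()->prepare('SELECT id, pwhash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    // Issue a fresh session id at login so an id handed out before
    // authentication cannot be reused for the authenticated session.
    session_regenerate_id(true);
    // Only the user id goes in the session; the password hash never has to.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Per-page check: the server-side session is the proof of login, so no
// second round trip to the database with the password is needed.
function isLoggedIn(): bool {
    return isset($_SESSION['user_id']);
}

// Logout: clear the session data, expire the cookie, destroy the session.
function logoutUser(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Dispatch on an explicit request parameter rather than a global $action.
$action = $_REQUEST['action'] ?? '';
switch ($action) {
    case 'login':
        echo loginUser($_POST['user'] ?? '', $_POST['pass'] ?? '')
            ? "you're now logged in\n"
            : "we could not log you in\n";
        break;
    case 'logout':
        logoutUser();
        echo "you're now logged out\n";
        break;
    default:
        echo isLoggedIn() ? "logged in\n" : "not logged in\n";
}
```

Every protected page calls session_start() and then isLoggedIn(); there is no need to re-run the password query on each page, which also means the password (or its hash) never has to live in the session at all.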