Skip to main content
Code Review

Return to Question

edited tags
Link
200_success
200_success
  • 145.4k
  • 22
  • 190
  • 478
deleted 143 characters in body; edited title
Source Link
Jamal
Jamal
  • 35.2k
  • 13
  • 134
  • 238

Is this a secure way to handle Securely handling a password protected application

I have some small applications that I want to secure. I've been using the following setup that I think is fairly safe, but I've never been able to set my mind at ease that it really is. Could you (yes, you!) give me some reviews on the security of this? It doesn't need super-security like credit card data, but I suppose secure is secure. And I apologize in advance if this is too much code. This is my first time here.

Summary

Cookie-based Sessions. User table is:

Cookie-based Sessions. User table is:

  • usernameUsername field (cleartext)
  • randomRandom/unique salt field (created with mt_rand() at signup
  • passwordPassword field (sha256SHA256 hash).
  • (among other stuff)

Login method takes username, looks for the dbDB row, gets the salt, adds it to the end of the posted password, calcs a sha256SHA256 hash for that string, and compares that to the password field in the dbDB.

Code

**auth.php include at beginning of app**

auth.php include at beginning of app

andAnd the relevant part of the user class:

Is this a secure way to handle a password protected application

I have some small applications that I want to secure. I've been using the following setup that I think is fairly safe, but I've never been able to set my mind at ease that it really is. Could you (yes, you!) give me some reviews on the security of this? It doesn't need super-security like credit card data, but I suppose secure is secure. And I apologize in advance if this is too much code. This is my first time here.

Summary

Cookie-based Sessions. User table is:
  • username field (cleartext)
  • random/unique salt field (created with mt_rand() at signup
  • password field (sha256 hash).
  • (among other stuff)

Login method takes username, looks for the db row, gets the salt, adds it to the end of the posted password, calcs a sha256 hash for that string, and compares that to the password field in the db.

Code

**auth.php include at beginning of app**

and the relevant part of the user class

Securely handling a password protected application

I have some small applications that I want to secure. I've been using the following setup that I think is fairly safe, but I've never been able to set my mind at ease that it really is. Could you give me some reviews on the security of this? It doesn't need super-security like credit card data, but I suppose secure is secure.

Cookie-based Sessions. User table is:

  • Username field (cleartext)
  • Random/unique salt field (created with mt_rand() at signup
  • Password field (SHA256 hash)
  • (among other stuff)

Login method takes username, looks for the DB row, gets the salt, adds it to the end of the posted password, calcs a SHA256 hash for that string, and compares that to the password field in the DB.

auth.php include at beginning of app

And the relevant part of the user class:

added mysql_real_escape_string
Source Link
JakeParis
JakeParis
  • 183
  • 5
<?php
session_start();
if(!isset($_GET['logout']) && isset($_SESSION['user']) && $_SESSION['ipadd'] == $_SERVER['REMOTE_ADDR']) {
    // currently logged in
        // setup data 
    require_once('lib/functions.php');
    $db = new ezSQL_sqlite('./','main.db');
    $user = new user($db,$_SESSION['user']);
    return;
    
}


// build login form

$head = '<html><head><title>Please login</title>
<style type="text/css">h2 { margin-top: 75px; margin-left: 100px; }</style>
</head><body>';

$form = '<form method="post" action="'.$_SERVER['PHP_SELF'].'" id="userLogin">
    <table><tr>
    <td>UserName:</td><td><input type="text" name="username" value="'.$_POST['username'].'"></td>
    </tr><tr>
    <td>Password:</td><td><input type="password" name="pass" /></td>
    </tr><tr>
    <td>Remember me on this computer</td>
    <td><input type="checkbox" name="remember" value="1" /></td>
    </tr><tr>
    <td>&nbsp;</td>
    <td><input type="hidden" name="loggingin" value="true" />
    <input type="submit" value="login" />
    </td></tr></table>
    </form></body></html>';

$msg[1] = '<h2>You\'ve logged out.</h2>';
$msg[3] = '<h2>That username and password didn\'t match anything on record.</h2>';
$msg[4] = '<h2>You must login to use this application</h2>';


// used logout button
if($_GET['logout'] == 'true') {
    setcookie('SaveMe','',time()-3600);
    session_unset();
    die($head.$msg[1].$form);
    
    
// trying to login from form or returning with 'save me' cookie
} elseif ($_POST['loggingin'] == 'true' || isset($_COOKIE['SaveMe'])) {
    
    require_once('lib/functions.php');
    $db = new ezSQL_sqlite('./','main.db');
$loginName = (isset($_POST['username'])) ? $_POST['username'] : $_COOKIE['worshipSaveMe'];

    // ADDED: escaping of posted/cookie data;
$loginName = mysql_real_escape_string($loginName);


        // try to create new user object, error on fail
    try {
        $user = new user($db,$_POST['username']);
    } catch (Exception $e) {
        die($head.'<h2>'.$e->getMessage().'</h2>'.$form);
    }

        
        // try to login with user object, die on fail
    if( ! $user->login($_POST['pass'])) 
        die($head.$msg[3].$form);
    else {
                // if remember me box was checked
        if($_POST['remember'] == 1)
            setcookie('worshipSaveMe',$_POST['username'],time()+60*60*24*365); 
        return;
    }

// no post data, no save me cookie, just got here
} else { 
    die($head.$msg[4].$form);
}

<?php
session_start();
if(!isset($_GET['logout']) && isset($_SESSION['user']) && $_SESSION['ipadd'] == $_SERVER['REMOTE_ADDR']) {
    // currently logged in
        // setup data 
    require_once('lib/functions.php');
    $db = new ezSQL_sqlite('./','main.db');
    $user = new user($db,$_SESSION['user']);
    return;
    
}


// build login form

$head = '<html><head><title>Please login</title>
<style type="text/css">h2 { margin-top: 75px; margin-left: 100px; }</style>
</head><body>';

$form = '<form method="post" action="'.$_SERVER['PHP_SELF'].'" id="userLogin">
    <table><tr>
    <td>UserName:</td><td><input type="text" name="username" value="'.$_POST['username'].'"></td>
    </tr><tr>
    <td>Password:</td><td><input type="password" name="pass" /></td>
    </tr><tr>
    <td>Remember me on this computer</td>
    <td><input type="checkbox" name="remember" value="1" /></td>
    </tr><tr>
    <td>&nbsp;</td>
    <td><input type="hidden" name="loggingin" value="true" />
    <input type="submit" value="login" />
    </td></tr></table>
    </form></body></html>';

$msg[1] = '<h2>You\'ve logged out.</h2>';
$msg[3] = '<h2>That username and password didn\'t match anything on record.</h2>';
$msg[4] = '<h2>You must login to use this application</h2>';


// used logout button
if($_GET['logout'] == 'true') {
    setcookie('SaveMe','',time()-3600);
    session_unset();
    die($head.$msg[1].$form);
    
    
// trying to login from form or returning with 'save me' cookie
} elseif ($_POST['loggingin'] == 'true' || isset($_COOKIE['SaveMe'])) {
    
    require_once('lib/functions.php');
    $db = new ezSQL_sqlite('./','main.db');

        // try to create new user object, error on fail
    try {
        $user = new user($db,$_POST['username']);
    } catch (Exception $e) {
        die($head.'<h2>'.$e->getMessage().'</h2>'.$form);
    }

        
        // try to login with user object, die on fail
    if( ! $user->login($_POST['pass'])) 
        die($head.$msg[3].$form);
    else {
                // if remember me box was checked
        if($_POST['remember'] == 1)
            setcookie('worshipSaveMe',$_POST['username'],time()+60*60*24*365); 
        return;
    }

// no post data, no save me cookie, just got here
} else { 
    die($head.$msg[4].$form);
}

<?php
session_start();
if(!isset($_GET['logout']) && isset($_SESSION['user']) && $_SESSION['ipadd'] == $_SERVER['REMOTE_ADDR']) {
    // currently logged in
        // setup data 
    require_once('lib/functions.php');
    $db = new ezSQL_sqlite('./','main.db');
    $user = new user($db,$_SESSION['user']);
    return;
    
}


// build login form

$head = '<html><head><title>Please login</title>
<style type="text/css">h2 { margin-top: 75px; margin-left: 100px; }</style>
</head><body>';

$form = '<form method="post" action="'.$_SERVER['PHP_SELF'].'" id="userLogin">
    <table><tr>
    <td>UserName:</td><td><input type="text" name="username" value="'.$_POST['username'].'"></td>
    </tr><tr>
    <td>Password:</td><td><input type="password" name="pass" /></td>
    </tr><tr>
    <td>Remember me on this computer</td>
    <td><input type="checkbox" name="remember" value="1" /></td>
    </tr><tr>
    <td>&nbsp;</td>
    <td><input type="hidden" name="loggingin" value="true" />
    <input type="submit" value="login" />
    </td></tr></table>
    </form></body></html>';

$msg[1] = '<h2>You\'ve logged out.</h2>';
$msg[3] = '<h2>That username and password didn\'t match anything on record.</h2>';
$msg[4] = '<h2>You must login to use this application</h2>';


// used logout button
if($_GET['logout'] == 'true') {
    setcookie('SaveMe','',time()-3600);
    session_unset();
    die($head.$msg[1].$form);
    
    
// trying to login from form or returning with 'save me' cookie
} elseif ($_POST['loggingin'] == 'true' || isset($_COOKIE['SaveMe'])) {
    
    require_once('lib/functions.php');
    $db = new ezSQL_sqlite('./','main.db');
$loginName = (isset($_POST['username'])) ? $_POST['username'] : $_COOKIE['worshipSaveMe'];

    // ADDED: escaping of posted/cookie data;
$loginName = mysql_real_escape_string($loginName);


        // try to create new user object, error on fail
    try {
        $user = new user($db,$_POST['username']);
    } catch (Exception $e) {
        die($head.'<h2>'.$e->getMessage().'</h2>'.$form);
    }

        
        // try to login with user object, die on fail
    if( ! $user->login($_POST['pass'])) 
        die($head.$msg[3].$form);
    else {
                // if remember me box was checked
        if($_POST['remember'] == 1)
            setcookie('worshipSaveMe',$_POST['username'],time()+60*60*24*365); 
        return;
    }

// no post data, no save me cookie, just got here
} else { 
    die($head.$msg[4].$form);
}
Tweeted twitter.com/#!/StackCodeReview/status/37887076552802304
Source Link
JakeParis
JakeParis
  • 183
  • 5