Breaking this down, you have a hardcoded password. In the script you store a hash of the password rather than the actual password. Upon first access you take a hash of the supplied password and compare it against your stored hash. If it's a match, you have an authentic user. The authentic user is then supplied with a cookie that contains a hashed version of your hash. On further visits you check the cookie information against a hashed version of your stored password hash.

I think that this last step is really very flawed. You gain nothing against people finding the cookie file on the hard drive, because the hashed version in the cookie is enough to access the page as a logged-in user. You gain nothing against people sniffing the traffic to get the password: they already have the password from the first page, and they can also pick up the cookie from the traffic and simply reuse it. You actually allow someone who sees your source code to log in, as they can calculate a hash of the string in your file and feed that in as a cookie. Hashing a hash is in general a bad idea, as you actually decrease the randomness.

I think the best option would be to store the original password in the cookie and hash it on each page access, just as you currently do for the first access.

David

Dotan Cohen wrote:
> I'm in the horrible situation where I need a one-page script to hold
> its own password and validate itself.
> I coded this together, I want this list's opinion as to whether or not it
> holds water, considering the circumstance:
>
> <?php
>
> $sha1_pw="5218lm849l394k1396dip4'2561lq19k967e'30";
>
> if ( $_COOKIE["password"] != sha1($sha1_pw) ) {
>     $varis=explode("/",$_SERVER["PATH_INFO"]);
>     $pre_password=explode("&",$varis[1]);
>     if ( sha1( $pre_password[0] ) == $sha1_pw ) {
>         setcookie("password", sha1($sha1_pw) );
>         header("Location: ".$_SERVER["SCRIPT_NAME"]."/".rand(999,99999));
>         exit;
>     } else {
>         print "Fvck Off";
>         exit;
>     }
> }
>
> // REST OF PAGE
>
> ?>
>
> The idea is that the user could call the page like this:
> http://server.com/directory/page.php/MyPassword
> and the page would refresh to not show his password, yet keep him logged
> in.
>
> Thanks for any and all input.
>
> Dotan Cohen
>
> http://nanir.com
> http://what-is-what.com/what_is/html.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
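Added example, not code from either message in the thread: the same one-file password gate, reworked so that the cookie the browser keeps is a random PHP session ID rather than sha1($sha1_pw). That addresses the three points raised in the reply: a reader of the source cannot compute a valid cookie, a cookie found on disk or captured from traffic can be revoked server-side by destroying the session, and with the session cookie marked Secure a plaintext sniffer never sees it at all. Assumptions of mine: the file is page.php, it is served over HTTPS, PHP is 7.3 or newer (array form of session_set_cookie_params), and the stored hash is the password_verify() example hash from the PHP manual (password "rasmuslerdorf"), to be replaced with your own password_hash() output.

```php
<?php
// Added example (not from the original post): one-file password gate that
// keeps only a password hash in the script and hands the browser a random
// PHP session ID instead of a value derivable from the source.
//
// Assumptions (mine, not the poster's): file is page.php, served over HTTPS,
// PHP >= 7.3. The hash below is the PHP manual's password_verify() example
// for the password "rasmuslerdorf"; replace it with the output of
//   php -r 'echo password_hash("MyPassword", PASSWORD_DEFAULT), "\n";'
$stored_hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

// Session cookie: unreadable by script, sent only over HTTPS, not cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

function is_logged_in(): bool
{
    return !empty($_SESSION['authed']);
}

function password_from_path_info(): ?string
{
    // Same calling convention as the original post: page.php/MyPassword
    // Caveat: a password in the URL lands in the web server's access log and
    // the browser history; a POST form would avoid that.
    $path  = $_SERVER['PATH_INFO'] ?? '';
    $parts = explode('/', $path);
    return (isset($parts[1]) && $parts[1] !== '') ? $parts[1] : null;
}

if (!is_logged_in()) {
    $candidate = password_from_path_info();
    // password_verify() does a constant-time comparison against the bcrypt hash.
    if ($candidate !== null && password_verify($candidate, $stored_hash)) {
        // New session ID on privilege change, so a pre-set ID cannot be reused.
        session_regenerate_id(true);
        $_SESSION['authed'] = true;
        // Redirect so the password leaves the address bar, as in the original.
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
    http_response_code(403);
    echo 'Forbidden';
    exit;
}

// Logout: page.php?logout=1 invalidates the cookie server-side, something a
// cookie holding sha1($sha1_pw) can never do.
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

// REST OF PAGE
echo 'Logged in.';
```

Usage: visit https://server.com/directory/page.php/rasmuslerdorf once (or the password matching your own hash); after the redirect the browser holds only the PHPSESSID cookie, and https://server.com/directory/page.php?logout=1 ends the session. Sessions are stored server-side in PHP's default session save path, so no database is needed for a single-page script.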