Re: Simple login form with cookies

On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson<jason@xxxxxxxxxxxxxx> wrote:
>> On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson<jason@xxxxxxxxxxxxxx> wrote:
>>>> Hello everyone,
>>>>
>>>> I am trying to create a PHP login script using cookies but am having
>>>> some troubles. Here is my setup
>>>>
>>>>     index.php -> authenticate.php -> admin.php
>>>>
>>>> I want a login form on index.php that allows me to login with my
>>>> username and password and then passes $_POST['username'] and
>>>> $_POST['password'] to authenticate.php
>>>>
>>>> Then authenticate.php authenticates against a database of allowed users
>>>> (Which I already have setup and it works fine), if a valid user has
>>>> entered the correct information then admin.php is loaded...
>>>>
>>>> header("location:admin.php");
>>>>
>>>> ...the admin.php code would look something like the following..
>>>>
>>>> <?php
>>>> if (isset($_COOKIE['username'])) {
>>>>     echo "success!";
>>>> } else {
>>>>     echo "Failure";
>>>> }
>>>> ?>
>>>>
>>>> So basically I think I need to create a cookie from index.php OR
>>>> authenticate.php and then pass the information to admin.php.
>>>> I set the cookie like this...
>>>>
>>>> setcookie("Admin", $username);
>>>>
>>>> Which file (index.php OR authenticate.php) do I create the cookie in and
>>>> how do I access the information in the cookie on admin.php?
>>>>
>>>>
>>>> --
>>>> PHP General Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>>
>>> I finally got it working. I needed to setcookie() in login.php. Also,
>>> the names of the cookies (using setcookie()) were wrong (the names were
>>> "Admin" when they should have been "adminuser" and "adminpass"). Once I
>>> fixed that, the following worked in admin.php...
>>> <?php
>>> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>>>     echo "Success";
>>> } else {
>>>     echo "Failed";
>>> }
>>> ?>
>>>
>>>
>>
>> You're not storing anything usable in the adminpass cookie, are you?
>> It sort of sounds like you're storing a password, or even a passhash,
>> in the cookie and you might want to rethink what that cookie contains
>> to prevent session hijacking.
>>
> Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
> it? If so, how? If not, what should I do?
>
> I am new to programming and PHP web development so I am not aware of all
> the security problems that can occur.
>

That's an enormous question without an easy, or even a correct, answer.
I'd start by googling around for "session hijacking." One of the
things that's probably not PC to say is: don't learn to prevent
session hijacking, learn to hijack sessions. Once you know how to
hijack a session, you can audit your own code and fix the security
holes.

Although the best advice would probably be to find someone else's
session implementation and use that, seeing as there's no real reason
to recreate such a worn-in wheel.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
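As an added example (not code from anyone in this thread), here is the direction the reply above is pointing at: instead of an "adminuser"/"adminpass" cookie pair, the server keeps a session and the browser only holds an opaque session id. It assumes a function verify_user() already exists that checks the submitted username and password against the poster's user table, and needs PHP 7.3 or newer for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the thread. The weak version it replaces:
//   setcookie("adminuser", $username);
//   setcookie("adminpass", $password);   // plaintext secret on the client
// admin.php then trusts isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass']),
// so anyone who can read or forge those two cookies is "logged in".

// Flags for the session-id cookie; must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // not readable by script in the browser
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not attached to cross-site POSTs
]);
session_start();

// authenticate.php: called from the form on index.php.
// verify_user() is assumed to exist (the poster's existing DB check).
function login(string $username, string $password): bool
{
    if (!verify_user($username, $password)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after login: blocks session fixation
    $_SESSION['user']   = $username;
    $_SESSION['issued'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// admin.php: replaces the isset($_COOKIE[...]) test. Nothing secret is
// read from the client; only the server-side session record is consulted.
function require_login(int $max_age = 1800): void
{
    if (empty($_SESSION['user']) || time() - $_SESSION['issued'] > $max_age) {
        logout();
        header('Location: index.php');
        exit;
    }
}

if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: admin.php');
    exit;
}
http_response_code(401);
echo 'Failed';
```

admin.php calls require_login() at the top of the file and then reads $_SESSION['user'] for the logged-in name; the password never leaves authenticate.php.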


