FW: saving sessions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



In addition to the info below, I would caution you to do some research on
password hashing.
MD5 and SHA-1 are both known to be compromised because they are too fast. 
OWASP (Open Web Application Security Project) is a great resource for
security research. 

There are many hashes available, if you have PHP 5.3+ look into bCrypt
(built into PHP 5.3+ as CRYPT). 
The CRYPT_BLOWFISH option is the best choice.  
A good article is here: 
http://yorickpeterse.com/articles/use-bcrypt-fool/

Otherwise, use this code to see a list of your available algorithms. You
also want to make sure
to research salting and stretching of your hash if you are unable to use
bCrypt.

<?php print_r(hash_algos()); ?>  

You might also want to look into PHPASS if you have a version of PHP
previous to 5.3. 
Although it will default to using MD5 for older versions, the salting and
stretching of the hash are what make it more
secure, not the algorithm itself (seems to be a bit of controversy on this
point). 
* Note that if you use PHPASS, once you do upgrade to 5.3+, it will default
to the CRYPT_BLOWFISH option. 

Cheers! 
Jen


-----Original Message-----
From: Florian Müller [mailto:floripipo@xxxxxxxxxxx] 
Sent: Friday, August 05, 2011 1:35 AM
To: midhungirish@xxxxxxxxx; php-general@xxxxxxxxxxxxx
Subject: RE:  saving sessions


But please do not use cookies to store a password as code! Cookies are human
readable with some add-ons....

Check like this:

if someone registers, insert it into a table:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
mysql_query("INSERT INTO USER VALUES('" . $username . "','" . $password .
"')");
header('location: register_success.php');
?>

Then, if someone wants to log in, use like this:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$sel = "SELECT * FROM USER WHERE USERNAME = '" . $username . "' AND PASSWORD
= '" . $password . "'";
$unf = mysql_query($sel);
$count = mysql_num_rows($unf);
if ($count == 1) {
    header('location: login_success.php');
}
else {
    echo "Login not successful!";
}
?>

If you want to store something into cookies, use a name which is not good
understandable, like a shortcut for a logical sentense:

Titcftmws   ("This is the cookie for the main webSite") or something ^^

In there, you can save username and password, but PLEASE save the password
at least md5()-encryptet, so not everyone can save it.

Now you can check like this:

<?php
if ($_COOKIE['Titcftmws'] == mysql_real_escape_string($_POST["username"]) .
"|" . md5($_POST["password"])) {
    //in the cookie is for the user with username 'jack' and password 'test'
this value: "jack|098f6bcd4621d373cade4e832627b4f6"
    echo "you are logged in";
}
else {
    echo "not logged in!";
}
?>

This is as far as I know a quite high level of security, in comparisions
with other ways.

Regs, Flo



> From: midhungirish@xxxxxxxxx
> Date: Fri, 5 Aug 2011 08:20:11 +0530
> To: wilprim@xxxxxx
> CC: php-general@xxxxxxxxxxxxx
> Subject: Re:  saving sessions
> 
> On Sat, Aug 6, 2011 at 7:56 AM, wil prim <wilprim@xxxxxx> wrote:
> 
> > Hello, im new to the whole storing sessions thing and I really dont know
> > how to ask this question, but here it goes.  So on my site when someone
logs
> > in the login.php file checks for a the username and password in the
table i
> > created, then if it finds a match it will store a $_SESSION [] variable.
To
> > be exact the code is as follows:
> > if ($count=='1')
> > {
> > session_start();
> > $_SESSION['user']=$user;   // $user is the $_POST['user'] from the login
> > form
> > header('location: login_success.php');
> > }
> >
> > Now what i would like to know is how do i make my website save new
changes
> > the user made while in their account?
> >
> > thanks!
> >
> >
> 
> You will have to store the user account related data in the database for
> persistence.... Or if the site not having a 'user account system'  you may
> use cookies to store the settings...
> 
> 
> 
> Midhun Girish
 		 	   		  


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux