Creating a secure PHP login script
I'm in need of a secure PHP login script which preferably uses sessions. I have seen some code snippets around, but because I don't know how they work I'm not sure if they're safe. I'd need the username and password stored in a MySQL database and have the password encrypted. I'd also need a login page and a logout link. Anyone know of where I could find a script to do this?
Thanks.
samsm posted this at 17:44 — 23rd March 2003.
They have: 28 posts
Joined: Feb 2003
I posted something like this on another forum a while ago. The answer I got back was: "Make one yourself!"
Well, I wanted unlimited, multidimensional hierarchies so I am actually still working on completing that project.
However, they are correct in that making a basic login script is pretty easy. I could attempt a step-by-step if you wanted.
Heck, I'll write up a basic one right now:
1. Start session
2. If logged-in user variable exists (5) else (3)
3. Present log-in form. User submits data.
4. Check data against records. If valid, store username and such in a session variable. Goto (1)
5. Logged in, cool!
The biggest security pitfall in PHP is relying upon registered global variables. This article explains that issue pretty well: http://www.sitepoint.com/article/758
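The five steps in the post above, as an added single-file example that is not part of the thread. It assumes PHP 7.3 or later with the PDO SQLite driver, a hypothetical `users` table with a constructed sample account, and it uses PHP's `password_hash()`/`password_verify()` rather than MD5 or MySQL's `PASSWORD()`.

```php
<?php
// Added example, not code from the thread. Table, column and user names are assumptions.
declare(strict_types=1);

// Constructed in-memory database so the file runs stand-alone;
// in production use a 'mysql:host=...;dbname=...' DSN instead.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

function verify_login(PDO $pdo, string $user, string $pass): bool
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // Unknown user: still verify against a throwaway hash so timing stays similar.
    $known = is_string($hash);
    $ok = password_verify($pass, $known ? $hash : password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));
    return $known && $ok;
}

// Step 1: start the session; the cookie is HttpOnly, HTTPS-only and SameSite.
session_start(['cookie_httponly' => true, 'cookie_secure' => true,
               'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (($_POST['action'] ?? '') === 'logout') {
        $_SESSION = [];
        session_destroy();
    } elseif (verify_login($pdo, $user, $pass)) {   // Step 4: check against records
        session_regenerate_id(true);                // new session id blocks fixation
        $_SESSION['username'] = $user;
    } else {
        $error = 'Invalid username or password.';
    }
}

if (isset($_SESSION['username'])) {                 // Steps 2 and 5: logged in
    echo 'Logged in as ', htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><button name="action" value="logout">Log out</button></form>';
} else {                                            // Step 3: present the form
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input name="username"><input type="password" name="password">',
         '<button>Log in</button></form>';
}
```

Nothing here reads request data through registered globals; every input comes from `$_POST` and every session value from `$_SESSION`.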
nuk3 posted this at 05:51 — 24th March 2003.
They have: 238 posts
Joined: May 2002
Thanks for your help samsm
Suzanne posted this at 06:17 — 24th March 2003.
She has: 5,507 posts
Joined: Feb 2000
On topic, is there an opinion out there regarding whether it's better to use PHP -- mcrypt, md5 (?) -- or MySQL -- PASSWORD()?
Mark Hensler posted this at 06:43 — 24th March 2003.
He has: 4,048 posts
Joined: Aug 2000
depends on your application..
Sounds like good enough advice for me.
Mark Hensler
If there is no answer on Google, then there is no question.
Renegade posted this at 08:02 — 24th March 2003.
He has: 3,022 posts
Joined: Oct 2002
Here's a link you might find useful
Suzanne posted this at 16:28 — 24th March 2003.
She has: 5,507 posts
Joined: Feb 2000
Oh, so MD5 is MySQL, too. Got it. While reading around, people were discussing them without specifying which went with what language.
Thanks for the links guys, this is great. I keep reaping the benefits of other people asking questions, lol.
Mark Hensler posted this at 17:46 — 24th March 2003.
He has: 4,048 posts
Joined: Aug 2000
MD5 is simply an encryption method (not specific to MySQL). There is a MySQL function (conveniently called MD5) which will encrypt data with the MD5 algorithm. Same for SHA1.
PASSWORD() is specific to MySQL.
Mark Hensler
If there is no answer on Google, then there is no question.
Cog posted this at 05:18 — 26th March 2003.
They have: 24 posts
Joined: Feb 2002
I'm working on a script that will do either all the work for you or the main bulk of it.
http://usermanage.sourceforge.net/
nuk3 posted this at 07:51 — 26th March 2003.
They have: 238 posts
Joined: May 2002
Thanks for that link Renegade. I think I'll be able to get the login script up and running with the help of that tutorial.
Renegade posted this at 10:03 — 26th March 2003.
He has: 3,022 posts
Joined: Oct 2002
Not a problem nuke