Aim

A simple login page that only checks the user credentials: if they are correct as in the database, it lets the user log in, and on the other pages it checks whether the session is already provided, letting the user do any operation on the pages; otherwise it redirects them out to the login page for authentication.

the connection is set and working fine:

the session has started:

for checking the input and echo variables, a simple checking function:

// Escapes quotes with backslashes, converts HTML special characters to entities
// and then removes any remaining tags from the value before it is used.
function Check_Param($val){
    $value1  = addslashes($val);
    $string1 = htmlspecialchars($value1);
    $string2 = strip_tags($string1);
    return $string2;
}

now the user will authenticate through the form and run this function to check if he can log in to the pages, and pass $_SESSION['username'] AND $_SESSION['password'] AND $_SESSION['level'] to the next page and store them in the browser till getting the destroy command.

public function auth($name = '', $password = '', $level = ''){
    // Count the rows matching the submitted name, password and level.
    $sql = "SELECT COUNT(*) FROM dab_users WHERE `name`=:name AND `password`=:password AND `level`=:level";
    $result = $this->conn->prepare($sql);
    $result->execute(array(
        ":name"     => Check_Param($_POST['name']),
        ":password" => Check_Param($_POST['password']),
        ":level"    => Check_Param($_POST['level'])
    ));
    $num = $result->fetchColumn();
    if($num == 1){
        // Exactly one matching row: mark the session as logged in.
        $_SESSION['level']  = $_POST['level'];
        $_SESSION['is_log'] = 1;
        header("location:home/index.php");
        exit; // stop running the script once the redirect has been sent
    } else {
        echo "wrong password and user";
    }
}

This works OK and I can get access to the pages after giving the correct password. On the view of the index page, which the user can access after this authentication, here is the way I have managed to restrict an unknown user, a blank session or a correct session for this page.

index.php:

<?php
// Redirect to the login page unless the session is logged in with level 101.
if(empty($_SESSION['is_log']) || $_SESSION['level'] != 101){
    header("location:../login.php");
    exit; // do not send the page body after the redirect
} else {
?>
<h1>header + content + footer</h1>
<?php } ?>

Question: here, after submitting the form with a correct user name, password and level which are in the database, I get logged in to the index page, and on echoing the session I see the level and is_log which are set in the auth class. The (if) on the index page also works and redirects the user if not logged in...

  • is this secure?
  • is this enough for session restriction?
  • is this fine session control?
  • Am I doing the session controlling right?
  • any good suggestion or tutorial?
  • Your `Check_Param` is nonsense. And Location headers require an absolute URL by definition. – CBroe Jun 01 '14 at 03:42
  • Make sure you have `session_start()` at the top of all your pages (Not sure if you did) – David Corbin Jun 01 '14 at 04:01
  • @CBroe, so what is your suggestion for how I should check the input and output variables? NOTE: here I am using Arabic input so I need to escape and allow some parts. – SAR Jun 01 '14 at 07:58
  • @DavidCorbin here I have set the session_start() in a config file which is included in all other pages. Please let me know if this is correct; any good ideas related to session controlling in PHP in a way secure from hackers... – SAR Jun 01 '14 at 08:09
  • Escaping always depends on the _context_ you are bringing data into, at that very moment. You, however, have just cobbled together a bunch of functions with no discernible purpose whatsoever – it clearly looks like you read somewhere that _“these functions make it more safe”_, but have not even thought a little bit about what those functions do, and in what contexts they could be helpful – and in what _not_. And that you are using _“arabic input”_ justifies the use of _not one_ of those three functions; that you _think_ it would is another sign that you did not think about this properly. – CBroe Jun 01 '14 at 15:01
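For comparison with the asker's `auth()` and `Check_Param`, here is an added example of the same login flow written the way the comments suggest: escaping is done only at output time and in the HTML context, the password is verified against a stored `password_hash()` value rather than compared in SQL, the privilege level comes from the database rather than from the form, the session id is regenerated on login, and the redirect is followed by `exit`. This is not code from the question or the answer; the `$pdo` connection, the table `dab_users` with columns `name`, `password_hash` and `level`, and the `/home/index.php` target are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes a PDO connection in $pdo and a table
// dab_users(name, password_hash, level) where password_hash holds password_hash() output.
declare(strict_types=1);

// Session cookie hardening; must run before session_start().
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // cookie only sent over HTTPS
    'samesite' => 'Lax',  // not sent on cross-site POSTs
]);
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_start();

/**
 * Verify the credentials and establish a logged-in session. Returns true on success.
 * The level is read from the database; the client never chooses its own privileges.
 */
function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash, level FROM dab_users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so the response time
    // does not reveal whether the username exists.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Session fixation mitigation: a fresh id once the privilege level changes.
    session_regenerate_id(true);
    $_SESSION['is_log'] = 1;
    $_SESSION['name']   = $name;
    $_SESSION['level']  = (int) $row['level'];
    return true;
}

$name  = '';
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Raw input is used as-is (Arabic or any other UTF-8 text needs no escaping here);
    // the prepared statement keeps it out of the SQL context.
    $name     = (string) ($_POST['name'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (login($pdo, $name, $password)) {
        header('Location: /home/index.php');
        exit; // without this the rest of the page would still be generated and sent
    }
    $error = 'Wrong user or password';
}

// Escaping happens here, for the HTML context, with the page's character set.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
?>
<form method="post" accept-charset="UTF-8">
  <input name="name" value="<?= h($name) ?>">
  <input name="password" type="password">
  <button>Login</button>
  <?php if ($error !== ''): ?><p><?= h($error) ?></p><?php endif; ?>
</form>
```

Note that `addslashes`, `strip_tags` and an input-time `htmlspecialchars` are all absent: the SQL context is handled by the prepared statement, and the HTML context by `h()` at the point of output, which is also what keeps Arabic text intact in the database.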

1 Answer


Your authentication system works, but what if you fail to check the control security on each page you have? You should learn about the front controller pattern and see if it suits your needs better.

Related to the front controller pattern, I advise you to also read these 2 chapters from the fantastic Symfony documentation (they are somewhat related to Symfony but talk about HTTP / PHP in general and how and why a framework may benefit your code in the end):

And if you are worried about security as you seem to be (and of course you should be), take a look at the OWASP top 10 web vulnerabilities (a must read for every web developer).

Specific to your question is the session hijacking problem; you can find more here.
