1

I have a session that I gave to users that has matching password = stored password, like a simple login system :

// Checks Password and Username
if ($pSys->checkPassword($AccountData['password'], $StoredData['password'])) {
    $_SESSION['login'] = true;
}

The question is: is this secure enough?

// put this on every header page that needs to be loggedin.
function loginCheck(){
    if ( empty( $_SESSION['login'] )) {
        header( 'location:index.php' );
        die();
    }
}

Is there a difference between die() and exit()? Second, some say that I should add session_regenerate_id()? (Is that an overkill?) Anyway the real question is said above.

addon*

I have read PHP Session Security but it seems it doesn't match my problem here (that link is just to general).

Here is the checkPassword() method

function checkPassword($password, $storedpassword) {
    if($password == $storedpassword){
        return true;            
    }
}
Community
  • 1
  • 1
Adam Ramadhan
  • 22,712
  • 28
  • 84
  • 124

3 Answers3

3

Answering the first part: empty and die are not comparable:

  • empty is to check if a variable does not exists or has a value equal to false (see also this type comparison table).
  • die is an alias of exit and is used to immediately abort the execution of the current script with an optional message.

Now to your authentication example: Yes, you should use session_regenerate_id to generate a new session ID and revoke the old session ID by setting the optional parameter for session_regenerate_id to true:

if (!sizeof($ErrorAccount)) { // Checks Password and Username
    session_regenerate_id(true);
    $_SESSION['login'] = true;
}

The purpose of session_regenerate_id is to avoid session fixation attacks. This will not be necessary if the server only allows session ids to be sent via cookies, but since PHP by default allows them in URL, you're strongly recommended to regenerate the id.

Gumbo
  • 643,351
  • 109
  • 780
  • 844
  • i mean die and exit, ive just edit it, thanks gumbo, you are always great on answering questions, so using session_regenerate_id does make effect then .. hmm is that just enough ? – Adam Ramadhan Jul 26 '10 at 18:11
  • 1
    Please explain the need for `session_regenerate_id` It would be quite useful for the answer. – George Marian Jul 26 '10 at 18:11
  • how about the logincheck function is that just good ? no need to add things ? – Adam Ramadhan Jul 26 '10 at 18:13
  • I don't think session hijacking is relevant here. I think you also missed the second part I've added by editing over it; you may want to put it back. – Artefacto Jul 26 '10 at 18:15
  • 2
    @Adam Ramadhan: That depends on in what cases `$ErrorAccount` is filled. How does the authentication process look like? – Gumbo Jul 26 '10 at 18:15
  • edited. its simple really . thanks for asking it. :) anyway if you have a good example link or code for login system its excellent .. – Adam Ramadhan Jul 26 '10 at 18:21
  • Why is regenerate better than disallowing cookies in the URL? – dkretz Jul 27 '10 at 06:06
  • 1
    @ledorfier It's not about disallowing cookies in the URL, but rather using a cookie to hold the session id instead of placing it in the URL. You'd want to do both. Depending on your security needs, that may not be enough. This page in the php manual gives a brief explanation and links to a white paper (PDF) which talks about session fixation and compares it to session hijacking: http://www.php.net/manual/en/session.security.php – George Marian Jul 27 '10 at 07:11
1

Since you are looking for answers about security, also don't keep the stored password in plain text. At the very least, salt and hash your passwords, then store the hash. Rehash and compare hashes, not plain text.

Zak
  • 24,947
  • 11
  • 38
  • 68
1

You could added a token (hash) to the form and then validate the token to make sure that the token which was submitted via the form is still valid. This helps to prevent CSRF attacks.

You could also store the IP address and browser together with the token in a database for additional validation, however you need to be aware that some ISP's change the clients IP address fairly often and could cause the validation to fail incorrectly.

More Info

Community
  • 1
  • 1
KSS
  • 337
  • 3
  • 10