[PHP] Is this safe enough?



wazup999
05-11-2008, 10:21 PM
Hello,

Long time since I've been on this forum. Well I started learning php, again lol and I understand it more than I did before. I was just wondering if this login and config script was safe enough to use? Maybe you guys could give me tips on how to make it better? thx :]

login.php
<?
ob_start(); //allow cookies
session_start(); //allow sessions
include ("config.php"); //connects to the Database
include ("functions.php"); //inludes the function file

$check = ''; //checkbox attribute, stays empty unless the remember cookie exists
if (isset($_COOKIE['remember_panel_user'])){
$check = 'checked';
}
if ($log != 1){ // $log is set by config.php; 1 means the user is already logged in
if (!isset($_POST['submit'])){ //checks if the form was submitted
//Post wasn't submitted so we show the form
echo ("
<html>
<head>
</head>
<body>
<center><form method='POST'><br>
Username: <input type='text' size='15' maxlength='12' name='username' value = '$_COOKIE[remember_panel_user]'><br>
Password: <input type='password' size='15' maxlength='12' name='password'><br>
Remember Username? <input type='checkbox' name='remember' $check><br>
<input type='submit' name='submit' value='Login'>
</body>
</html>
");
}
else
{ //post was submitted so we move on
$username = secure($_POST['username']); //sets variables and removes symbols
$password = sha1(md5($_POST['password'])); //hashes the entered password
$ticket = rand(1000000000,9999999999); //makes a ticket
$remember = isset($_POST['remember']) ? $_POST['remember'] : ''; //'on' when the checkbox was ticked, empty otherwise

if (empty($username)) //if username field is empty
{
die ("<center>All fields must be filled in. (Missing username)<br> If you're not redirected in 10 seconds <a href='login.php'><font color='black'><b>Click Here</b></font></a></center><meta HTTP-EQUIV='REFRESH' content='4; url=login.php'>");
//die the field was empty
}

$userpass = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
$userpass = mysql_fetch_array($userpass); //query that selects the information

$uid = $userpass['id']; //gets the user's id
$ua = sha1(md5($_SERVER['HTTP_USER_AGENT']));

if($userpass['password'] != $password) { //if the stored hash does not match the entered password
echo ("<meta HTTP-EQUIV='REFRESH' content='3; url=login.php'>Wrong username or password.<br><br><br>You will be redirected<br> If you're not redirected in 5 seconds <a href='login.php'><font color='black'><b>Click Here</b></font></a>");
//shows echo wrong username or password
}else{
$set_ticket = mysql_query("UPDATE users SET ticket = sha1(md5($ticket)) WHERE username = '$username'") or die(mysql_error());
//enters the ticket in the database
setcookie("panel_pass", md5($ticket), time()+3600);
//enters the (md5'd) ticket in a cookie
$_SESSION['panel_pwd'] = $password;
//enters the password hash in a session
$_SESSION['panel_uid'] = $uid;
//enters id in a session
$_SESSION['panel_ua'] = $ua;
//enters the users HTTP AGENT in a session for security reasons

if ($remember != 'on'){ //if the remember me box was not checked
setcookie("remember_panel_user", "", time()-9999); //destroy the remember me cookie
}else{
setcookie("remember_panel_user", "$username", time()+9999); //enter the username in a cookie
}

echo ("<center><meta HTTP-EQUIV='REFRESH' content='0; url=login.php'><br><br>You will be redirected<br> If you're not redirected in 10 seconds <a href='login.php'><font color='black'><b>Click Here</b></font></a></center>");
//If everything is ok refresh the page
}
}
}
else
{
echo("Hello $logged[username], how are you today?<br><a href='logout.php'>Logout</a>");
//Show page content
}
?>

config.php
<?php
ob_start(); //allow cookies
session_start(); //allow sessions

session_regenerate_id(true); //gives the user a new session id

$conn = mysql_connect("localhost","DB_USER_PLACEHOLDER","DB_PASS_PLACEHOLDER") or die(mysql_error()); //Database connection information (credentials were blanked by the poster; placeholders here)
mysql_select_db("DB_NAME_PLACEHOLDER", $conn) or die(mysql_error()); //selects the database (name is a placeholder, not given in the thread)

$check_ticket = isset($_COOKIE['panel_pass']) ? sha1($_COOKIE['panel_pass']) : ''; //Hashes the ticket cookie, empty if no cookie

$logged = MYSQL_QUERY("SELECT * from users WHERE id = '$_SESSION[panel_uid]'"); //Query
$logged = mysql_fetch_array($logged);

if ($_SESSION['panel_pwd'] != $logged['password']){ //Check to see if the cookie pwd is equal to the user's password
echo ("Wrong username or password.<br><br>You will be redirected<br> If you're not redirected in 10 seconds <a href='login.php'><font color='black'><b>Click Here</b></font></a>");
}elseif (!isset($_SESSION['panel_ua'])){ //Checks to see if session exists
}elseif ($_SESSION['panel_ua'] != sha1(md5($_SERVER['HTTP_USER_AGENT']))){ //Compares the session user agent with his current 1
echo ("<center>Session has died.<br>Please login again.");
session_destroy(); //destroys the session
exit(0);
}elseif ($check_ticket != $logged['ticket']){ //compares the ticket in the session and the one in the database
echo ("<center>Session has died.<br>Please login again.");
}else{
$log = '1'; //puts log to 1 because the user is logged in
}
?>

Thanks,
Waz

Jackboy
06-11-2008, 04:22 PM
I'm no expert on sessions but please post functions.php so we can see Secure();

wazup999
06-11-2008, 08:58 PM
Here's the function page :]

<?php
function secure($str) {
$str = strip_tags($str);
$str = htmlspecialchars($str);
$str = trim($str);
$str = stripslashes($str);
$str = mysql_real_escape_string($str);
return $str;
}
?>

Waz

Jackboy
06-11-2008, 10:16 PM
Here's the function page :]

<?php
function secure($str) {
$str = strip_tags($str);
$str = htmlspecialchars($str);
$str = trim($str);
$str = stripslashes($str);
$str = mysql_real_escape_string($str);
return $str;
}
?>

Waz

You don't need stripslashes unless you have used addslashes somewhere I believe.

All you really need is mysql_real_escape_string to secure it for the db, but obviously for removing html you will need what you have. Yeah, it looks like a safe function.

wazup999
06-11-2008, 10:33 PM
Ok thanks,
I was always to strip slashes on another forum or maybe it was strip tags? lol

But I also wanted to know if it was safe enough so people can't steal a person's session id or cookies or login info. I've read many blogs and forums talking about id fixation and stealing cookies, etc. So I also want to know how to make it safer in that area too.

Thanks again, lol
Waz ;]

Merged by Meti (Forum Moderator): Due to forum lag

Iszak
06-11-2008, 11:12 PM
Jackboy, magic_quotes_gpc is on by default; this means all GET, POST and COOKIE values have addslashes applied, although magic_quotes_sybase will override this. I see an ever increasing number of people using this despite not realising that their input is likely to be slashed already, so it ends up being double slashes. You might want to look into this, wazup999.

wazup999
07-11-2008, 12:01 AM
If I understand what you are saying, if i would write /" it would come out as //"?

I'm not sure if that is what you meant lol

I'm really paranoid with security :] I want to learn the most I can about making a secure script before going into making cool and very useful scripts. If you want something good well you need to protect your users right?

Waz ;]

Iszak
07-11-2008, 01:04 AM
No, what I'm saying is if magic_quotes_gpc is enabled and not overridden, then if your input was, say, "It's a nice day" it would be slashed automatically and become "It\'s a nice day", so by doing it a second time (your own addslashes) it will become "It\\'s a nice day".

wazup999
07-11-2008, 01:55 AM
Oh my lol
That would be kind of funny wouldn't it? x]

Well guess I'd better leave that there right?

Thanks again,
Waz ;]

Iszak
07-11-2008, 02:24 AM
Well again it's up to you; some servers have it enabled and some don't. You can look at the function get_magic_quotes_gpc to see if it's enabled, but again it is overridden by magic_quotes_sybase, so also check what magic_quotes_sybase is set to. Yeah it's a pain :P It's not hard if you're only developing for yourself; if that's the case, simply escape if your server has it disabled, and if not, don't escape it.
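As an added example (not code from the thread), the double-escaping Iszak describes, shown with constructed input. It assumes PHP 5.x, where get_magic_quotes_gpc() still exists, and uses addslashes() as a stand-in for mysql_real_escape_string() so it runs without a database connection:

```php
<?php
// Added example: normalise request input regardless of magic_quotes_gpc,
// then escape exactly once at the database boundary.
// Assumes PHP 5.x (get_magic_quotes_gpc() was removed in PHP 8).

/**
 * Undo magic_quotes_gpc slashes if, and only if, PHP added them.
 * Recursive so nested arrays in $_POST are handled too.
 */
function unmagic($value) {
    if (is_array($value)) {
        return array_map('unmagic', $value);
    }
    $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic_on ? stripslashes($value) : $value;
}

/**
 * Simulate what arrives in $_POST for a given magic_quotes_gpc setting.
 * Constructed input for the demonstration only.
 */
function simulate_request($raw, $magic_quotes_on) {
    return $magic_quotes_on ? addslashes($raw) : $raw;
}

/** Stand-in for mysql_real_escape_string(), which needs a live connection. */
function db_escape($value) {
    return addslashes($value);
}

$raw = "It's a nice day";

// Case 1: magic_quotes_gpc on and the script escapes again without stripping
// first: the backslash is doubled, which is the bug Iszak points out.
$from_post = simulate_request($raw, true);
echo "escaped twice:       " . db_escape($from_post) . "\n"; // It\\'s a nice day

// Case 2: magic_quotes_gpc on, slashes stripped first, then escaped once.
echo "normalised, escaped: " . db_escape(stripslashes($from_post)) . "\n"; // It\'s a nice day

// Case 3: magic_quotes_gpc off, nothing to strip, escaped once.
$from_post = simulate_request($raw, false);
echo "magic off, escaped:  " . db_escape($from_post) . "\n"; // It\'s a nice day

// In a real script: $username = db_escape(unmagic($_POST['username']));
// unmagic() strips only when PHP actually added the slashes, so the value is
// escaped exactly once whatever the server's magic_quotes_gpc setting is.
```

Prepared statements (PDO or mysqli) sidestep the question entirely, since the value never goes through string escaping at all; when they are available, unmagic() is still needed for correctness of the stored text, but no escaping step is.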

wazup999
07-11-2008, 02:34 AM
Well I don't really know what I'm going to use it for.
I've been thinking of a djpanel but that's already been done by a gazillion people.

So I might try to make a website with it on my own. But before that I have to make the most secure system lol If the login page and config page aren't safe then the users won't be either.

Php can be easy but you always have to think about the security :]

Waz ;]

Calon
07-11-2008, 10:08 AM
Don't use shorttags! :rolleyes:

wazup999
07-11-2008, 09:20 PM
Lol thanks,

I didn't really see that :P

Waz ;]

Jackboy
07-11-2008, 09:36 PM
Jackboy, magic_quotes_gpc is on by default; this means all GET, POST and COOKIE values have addslashes applied, although magic_quotes_sybase will override this. I see an ever increasing number of people using this despite not realising that their input is likely to be slashed already, so it ends up being double slashes. You might want to look into this, wazup999.

POST & GET :S

I didn't know that as i have never used stripslashes on them before.

Tomm
08-11-2008, 12:58 PM
Only had a quick glance but I noticed you are regenerating the session ID on every page load. Do not do this as you effectively break the client browser's back button and it's not needed. Regenerate the session ID only when the privileges of the client are altered (e.g. when logged in).

Jxhn
08-11-2008, 01:42 PM
Seems pretty secure to me. There's not much point in using striptags and htmlspecialchars. One or the other will do. The secure function strips the slashes added by magic_quotes, if there are any, and then adds them itself, so that's okay. An alternative would be to see if magic_quotes was on or not and decide whether to add them depending on that, like Iszak said.
I don't really see much point in the tickets. The useragent idea is good, but won't stop someone who knows how it works from using stolen cookies. There isn't any way cookies could be stolen from what I've seen of the script so far though.

Trigs
08-11-2008, 11:16 PM
Well it's not safe anymore now that everyone on this forum can see it.

Jxhn
09-11-2008, 10:24 AM
Well it's not safe anymore now that everyone on this forum can see it.
Doesn't mean it's not safe. Just means it would be easier for someone to find vulnerabilities, if there were any.

wazup999
09-11-2008, 08:30 PM
@Fazon: I know the risks when I post things on a forum. This is my first login script I've ever done. So of course I'm going to have to re-write it.

@Jxhn: I always wondered if it was bad to make the id regenerate on refresh, didn't think it was really that good. And I'm still figuring out the magic quotes thing. The ticket only notifies you that someone has logged in to your account and unluckily has the same ua as you.

I still feel like it could be even safer. Guess I'll have to search on google :P

Waz ;]
