  1. #1

    PHP Sessions and Password Salting

    Hey

    I used to know quite a reasonable amount of PHP but then I was away from the computer for over 6 months. Therefore, I've forgotten a lot but I'm trying to get back into PHP coding by writing little scripts (news script, forum etc...)

    Something I didn't learn though, was how to use sessions (secure) and salting passwords (and with md5 encryption).

    First I'll talk about the sessions. I don't know much about them in terms of coding. Could anybody post/make a code that enables the session, disables it and what you need on a page to be able to see it with your session. And explain how it works!

    Now for salting, I don't know much about this. What is the code for salting the password? And then for somebody logging in, how would we do this? I saw this:

    PHP Code:
    <?php md5($salt . $password); ?>
    What do we put as the $salt variable? Anything? Like 0@i99SK03#s or does it have to change each time? I wouldn't think so because if your pass is hello and it has the salt it'll be 0@i99SK03#shello in md5 which would take forever to decrypt. Somebody explain about this too!

    Thanks to anybody that replies with good info, I will +rep!

  2. #2

    In a database you have 2 columns, one containing the salted md5 hash and in the other column the salt.

    Then when someone enters a password it does:

    PHP Code:
    <?php

    // Look up the stored hash and salt for this user. The username comes from the
    // login form, so escape it before it goes into the query string.
    $query = mysql_query( "SELECT `password`, `salt` FROM `table` WHERE `username` = '" . mysql_real_escape_string( $username ) . "'" );

    $rows = mysql_fetch_array( $query );

    // Recompute the salted hash from the submitted password and the stored salt
    $encrypted = md5( $password . $rows["salt"] );

    if( $encrypted == $rows["password"] )
    {
        # Correct
    }
    else
    {
        # Incorrect
    }

    ?>
    As for sessions to start a session you do:

    PHP Code:
    <?php

    session_start();

    ?>
    This tells apache/php to enable sessions.

    To set a session you do:
    PHP Code:
    <?php

    session_start();

    $_SESSION["session_var"] = "Whatever";

    ?>
    To remove ONE session you do:
    PHP Code:
    <?php

    session_start();

    $_SESSION["session_var"] = "Whatever";

    unset( $_SESSION["session_var"] );

    ?>
    This will destroy that one php session and keep the rest intact.

    To destroy ALL sessions you do:

    PHP Code:
    <?php

    session_start();

    $_SESSION["session_var"] = "Whatever";

    unset( $_SESSION["session_var"] );

    session_destroy();

    ?>
    This ends ALL of the sessions.
    Last edited by Invent; 24-11-2007 at 01:08 PM.

  3. #3

    Thanks VERY much Invent, the info you've given me is great! +rep!

    So, for login if the password was correct and matches the DB you'd put:
    PHP Code:
    $_SESSION["session_var"] = "Whatever";


    How does it check the session? Like on a member page only, how does it know if you've got it or not? Is that all in the session_start();?

    EDIT: Must spread rep. >_>

    What would you set as the salt? Can you choose random things yourself or what?
    Last edited by Hitman; 24-11-2007 at 02:45 PM.

  4. #4

    For checking the session,

    if ( isset( $_SESSION['id'] ) ) {
        // logged in
    } else {
        // logged out
    }
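    Putting the session pieces from posts #2 and #4 together, here is an added example (my own code, not any poster's) of the helpers a login page, a members-only page and a logout page would share. The function names are mine; everything they call is core PHP.

```php
<?php
// Added example (not from the thread): session handling for a login system.
// Function names are assumptions; every call below is a standard PHP function.

// Call before any output on every page that uses the session.
function start_secure_session(): void {
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    session_set_cookie_params([
        'httponly' => true,   // id is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Run only after the password check has succeeded. Store who the user is,
// not anything derived from the password.
function log_in(int $userId): void {
    session_regenerate_id(true);  // fresh id, so an id issued before login is worthless
    $_SESSION['user_id'] = $userId;
}

// The check from post #4: the key's presence is the logged-in test.
function current_user_id(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Members-only pages call this first; it returns the id or redirects away.
function require_login(string $loginPage = 'login.php'): int {
    $id = current_user_id();
    if ($id === null) {
        header('Location: ' . $loginPage);
        exit;
    }
    return $id;
}

// "Destroy ALL sessions" from post #2, done fully: clear the array, expire the
// browser's cookie, then remove the server-side data.
function log_out(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```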

  5. #5

    Thanks!

    BTW, Invent or Ryan I need some more help!

    On the registration, what code would I use for doing the salt and the password? For making the salt then encrypting it or whatever?
    Last edited by Hitman; 24-11-2007 at 04:22 PM.

  6. #6

    Do you mean generating a random salt?

    PHP Code:
    function generate_random_string() {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789`~!@#$%^&*()_+{}|\-=[]\:",./<>?';

        $string = NULL;

        // Loop runs 5 times (0..4), picking one random character each time
        for ( $i = 0; $i <= 4; $i++ ) {
            $string .= $chars[rand( 0, strlen( $chars ) - 1 )];
        }

        return $string;
    }

    That will generate a 5 character random string.

    For hashing the password (you're not encrypting it, encrypting generally means you can decrypt it easily, which you generally don't want to do with passwords), just use MD5.

    PHP Code:
    $encrypted_password = md5( $salt . $password );
    Last edited by Beau; 24-11-2007 at 09:44 PM.
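    As an added example (my own code, not from this thread), here is the register-and-login flow posts #2 and #6 describe, runnable from the command line with no database: the `$users` array is a constructed stand-in for the `users` table and its `salt` and `password` columns. It keeps the thread's salt . password MD5 scheme for verifying existing rows, and goes beyond the thread by also storing a `password_hash()` value, which is what new code should use.

```php
<?php
// Added example (not from the thread). $users stands in for the `users` table;
// a real application would read it with a prepared statement.

function generate_salt(int $length = 8): string {
    // random_bytes() is cryptographically secure; rand() is not.
    return substr(bin2hex(random_bytes($length)), 0, $length);
}

// The thread's scheme: md5 over salt . password. Kept so an existing table of
// such hashes can still be verified; new hashes should come from password_hash().
function legacy_hash(string $salt, string $password): string {
    return md5($salt . $password);
}

function register(array &$users, string $username, string $password): void {
    $salt = generate_salt(8);
    $users[$username] = [
        'salt'     => $salt,
        'password' => legacy_hash($salt, $password),
        'modern'   => password_hash($password, PASSWORD_DEFAULT), // salt embedded in the string
    ];
}

function login(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;   // no row: never compare against an empty salt and hash
    }
    $row = $users[$username];
    $candidate = legacy_hash($row['salt'], $password);
    // hash_equals() is constant-time and strict. == would treat two "0e<digits>"
    // hex hashes as equal numbers, so it must not be used to compare hashes.
    return hash_equals($row['password'], $candidate);
}

function login_modern(array $users, string $username, string $password): bool {
    return isset($users[$username])
        && password_verify($password, $users[$username]['modern']);
}

// Constructed sample run
$users = [];
register($users, 'hitman', 'hello1');
var_dump(login($users, 'hitman', 'hello1'));
var_dump(login($users, 'hitman', 'hello2'));
var_dump(login_modern($users, 'hitman', 'hello1'));
var_dump(login($users, 'nobody', 'hello1'));
```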

  7. #7

    Wow, thanks man!

    Keep watching this space I may need more help!

    +rep!

  8. #8

    I can't edit, but when generating a string it doesn't work. It doesn't come up with anything. o.o; Is it the $string = NULL; that is causing nothing?

    Also, what would the var be for $encrypted_password = md5($salt . $password); wouldn't it be $string? Or if I did $salt = $string; ?

    I see how it works now, before I didn't.

    The salt is added onto the beginning of the pass, so say if the salt is 3$@93k$$%" then the pass is hello1 the whole thing being md5 encrypted and stored in the db is 3$@93k$$%"hello1 which is almost impossible to decrypt. Thanks again! ^^

    EDIT AGAIN: Bah I've not done it right! Help!
    Last edited by Hitman; 24-11-2007 at 11:41 PM.

  9. #9

    Have the function code above, then have this:

    PHP Code:
    $salt = generate_random_string();

    $encrypted_password = md5( $salt . $password );
    Should work.

  10. #10

    Yes, it now works! The salt is now being made and going into the db!

    A question: How do I make the length 8?
    And a problem, I've made a simple login. Doesn't work, here's the error:

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/belite/public_html/news/login.php on line 9
    Here's the code!
    PHP Code:
    <?php
    session_start();
    include 'config.php';
    $username = $_POST['username'];
    $password = $_POST['password'];
    if ( $_POST['submit'] ) {
        // The stray comma after `salt` makes this query invalid, so mysql_query() returns false
        // and mysql_fetch_array() raises the "not a valid MySQL result resource" warning quoted above.
        // $username is also interpolated into the query without escaping.
        $query = mysql_query( "SELECT `password`, `salt`, FROM `users` WHERE `username` = '" . $username . "'" );

        $rows = mysql_fetch_array( $query );

        $encrypted = md5( $password . $rows["salt"] );

        if( $encrypted == $rows["password"] )
        {
            $_SESSION["$username.$encrypted"] = "logged";
            echo "Correct password!";
        }
        else
        {
            echo "Incorrect password.";
        }
    }
    if ( !$_POST['submit'] ) {
    }
    echo "
        <form action=\"login.php\" method=\"POST\">
        Username: <input type=\"text\" size=\"30\" name=\"username\"><br>
        Password: <input type=\"password\" size=\"20\" name=\"password\"><br>
        <input type=\"submit\" value=\"Login!\" name=\"submit\">
        ";

    ?>
    The session thing is also, errr, not good.

    $_SESSION["$username.$encrypted"] = "logged";

    what would go there...? I've put those vars so it's hard to guess the session id. Is that done correctly (don't think so).
    Last edited by Hitman; 25-11-2007 at 03:23 AM.
