Thoover

[web] php user/pass storing cookie??


I am trying to make a login page to store the user and pass for all the other pages; so far my code is this, and it's not working at all...
<?php
// Page to return to after login, and the submitted credentials
// (isset guards avoid undefined-index notices; behaviour is otherwise unchanged).
$place   = isset($_GET['place']) ? $_GET['place'] : '';
$usernam = isset($_POST['usn']) ? $_POST['usn'] : '';
$passwor = isset($_POST['pwd']) ? $_POST['pwd'] : '';
$host = "*";
$user = "*";
$pass = "*";
mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($user) or die(mysql_error());
// Every user row is fetched and compared in PHP.
$result = mysql_query("SELECT * FROM users") or die(mysql_error());
$corr = "[0]";   // stays "[0]" unless a row matches both user and pass
while ($row = mysql_fetch_array($result)) {
    $dpwd = $row['pass'];
    $dusr = $row['user'];
    if ($dusr == $usernam && $dpwd == $passwor) {
        $corr = $row['type'];
    }
}
if ($corr == "[0]") {
    // no match: back to the login page
    echo '<script type="text/javascript">window.location = "**[1]'.$place.'"</script>';
}
// Types [1], [2] and [3] all behaved identically, so the three branches are one.
// Cookies must be sent before any output, which holds here because nothing has been echoed yet.
if ($corr == "[1]" || $corr == "[2]" || $corr == "[3]") {
    setcookie("signedas", $usernam);
    setcookie("signedpass", $passwor);
    if ($place == "home")
        echo '<script type="text/javascript">window.location = "**[2]"</script>';
    else
        echo '<script type="text/javascript">window.location = "**[2]'.$place.'"</script>';
}
?>

This one doesn't store safely, nor at all; it keeps going to **1 and never (even with the right user/pass) to **2. Any better suggestions?

Several comments on your system:

1) Never store the user's password in the database. If the database is stolen then the thief has all of your users' passwords.

2) Never store the user's password in a cookie. Gamedev did that once. One member then wrote a program called "FongerChat" which pretended to be a chat client but also read the user's GDNet cookie and sent the password to the program's author. The result was that several users' accounts were compromised. Don't let this happen to you.

3) In fact, never store the user's password anywhere. Even storing an MD5 hash of the plaintext password is no longer enough. It's much safer to store a salted hash of the password. This can be done by generating a random string, appending it to the password, then storing the MD5 or SHA-1 (or whatever other one-way hash algorithm you use) hash of that in the database.

To check if the user has submitted the correct password, regenerate that hash and compare to what you have stored in the database.

Quote:
Original post by Colin Jeanne
Several comments on your system:

1) Never store the user's password in the database. If the database is stolen then the thief has all of your users' passwords.

2) Never store the user's password in a cookie. Gamedev did that once. One member then wrote a program called "FongerChat" which pretended to be a chat client but also read the user's GDNet cookie and sent the password to the program's author. The result was that several users' accounts were compromised. Don't let this happen to you.

3) In fact, never store the user's password anywhere. Even storing an MD5 hash of the plaintext password is no longer enough. It's much safer to store a salted hash of the password. This can be done by generating a random string, appending it to the password, then storing the MD5 or SHA-1 (or whatever other one-way hash algorithm you use) hash of that in the database.

To check if the user has submitted the correct password, regenerate that hash and compare to what you have stored in the database.


OK, first of all, who would want GDNet usernames? There is no point to that.

Second, have you got more info on these salted passwords? For one, I don't trust Wikipedia, plus it doesn't really explain how to do that.

And about sessions, that helps, but the code still says that $corr = "0" (any idea on this? And yes, type is not 0 on the users).

Heck, since this is all over HTTPS, how secure would it be to just use POST on every page to send this info around if I encrypt it by using JavaScript? Even though if you left this on your computer screen anyone can look in the source and find the encrypted version and decrypt it.

Salting a password is simply adding a text string to it before you hash it. To check a password to see if it's correct, you need to add the same string to the password, hash it, and compare the two hashes.

It would help to have more information about your database although there are a few glaring problems before we even get that far. You should be doing the username/password check in SQL. Something along the lines of...


-- the ? marks are bound parameters: bind the submitted username and password
-- to them instead of splicing the values into the query string
SELECT type
FROM users
WHERE usn = ? AND pwd = ?;


Are you really storing the type in the database as [1], [2] and [3]? You should look into using something a bit more descriptive.
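Putting the salting described in this and the earlier reply together with the SQL lookup, as an added example (not code from the thread): it assumes a `users` table with columns usn, salt, pwhash and type, a mysqli connection, and placeholder connection values.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// columns usn, salt, pwhash and type, and an open mysqli connection ($db).
// Connection values below are placeholders.

// Salt as the replies describe: random string appended to the password,
// then one-way hashed. SHA-256 is used here rather than MD5 or SHA-1.
function make_salted_hash(string $password): array {
    $salt = bin2hex(random_bytes(16));   // 32 hex chars, fresh per user
    return [$salt, hash('sha256', $password . $salt)];
}

// Recompute with the stored salt; hash_equals avoids timing leaks.
function check_salted_hash(string $password, string $salt, string $stored): bool {
    return hash_equals($stored, hash('sha256', $password . $salt));
}

// Registration stores salt and hash only, never the password itself.
function register_user(mysqli $db, string $usn, string $password, string $type): bool {
    [$salt, $hash] = make_salted_hash($password);
    $stmt = $db->prepare('INSERT INTO users (usn, salt, pwhash, type) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $usn, $salt, $hash, $type);
    return $stmt->execute();
}

// Login does the lookup in SQL with a bound parameter (no string-built
// query), verifies in PHP, and keeps only username and type in the session.
// Returns the account type on success, null on failure.
function login(mysqli $db, string $usn, string $password): ?string {
    $stmt = $db->prepare('SELECT salt, pwhash, type FROM users WHERE usn = ?');
    $stmt->bind_param('s', $usn);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !check_salted_hash($password, $row['salt'], $row['pwhash'])) {
        return null;
    }
    session_regenerate_id(true);          // new id once authenticated
    $_SESSION['user'] = $usn;
    $_SESSION['type'] = $row['type'];
    return $row['type'];
}

// session_start() (like setcookie()) must run before any output is sent.
session_start();
$db = new mysqli('*', '*', '*', '*');
$type = login($db, $_POST['usn'] ?? '', $_POST['pwd'] ?? '');
header('Location: ' . ($type === null ? 'login.php?failed=1' : 'home.php'));
exit;
```

PHP's built-in password_hash() and password_verify() do the salting with a deliberately slow hash and are the better choice today; the hand-rolled version above only mirrors the scheme the replies describe.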

Quote:
Original post by Thoover
Heck, since this is all over HTTPS, how secure would it be to just use POST on every page to send this info around if I encrypt it by using JavaScript? Even though if you left this on your computer screen anyone can look in the source and find the encrypted version and decrypt it.


There is no such thing as encrypting using JavaScript. Well, there is, but it's thoroughly useless and not in any way secure.

Unless you buffer the output, cookies should be set before any data is sent to the client. Same goes for starting sessions.

OK, in the case of hashing passwords that are in the database, how would I unhash if, say, I want to do a password recovery for the user?

The point is that passwords cannot be unhashed. The typical approach is to instead generate a new password and send it.
