[web] php user/pass storing cookie??

Started by
14 comments, last by Colin Jeanne 16 years, 3 months ago
I am trying to make a login page that stores the user and pass for all the other pages. So far my code is below, and it's not working at all...

<?php
$place   = $_GET['place'];
$usernam = $_POST['usn'];
$passwor = $_POST['pwd'];

// Database connection details (redacted in the original post)
$host = "*";
$user = "*";
$pass = "*";
mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($user) or die(mysql_error());

// Fetch every user row and compare in PHP; "[0]" means "no match yet"
$result = mysql_query("SELECT * FROM users") or die(mysql_error());
$corr = "[0]";
while ($row = mysql_fetch_array($result)) {
    $dpwd = $row['pass'];
    $dusr = $row['user'];
    if ($dusr == $usernam && $dpwd == $passwor) {
        $corr = $row['type'];
    }
}

// No match: send the browser back to the login page
if ($corr == "[0]") {
    echo '<script type="text/javascript">window.location = "**[1]' . $place . '"</script>';
}

// Match (types [1], [2] and [3] are all handled the same way):
// the username and the plaintext password are written into cookies, then redirect
if ($corr == "[1]" || $corr == "[2]" || $corr == "[3]") {
    setcookie("signedas", $usernam);
    setcookie("signedpass", $passwor);
    if ($place == "home")
        echo '<script type="text/javascript">window.location = "**[2]"</script>';
    else
        echo '<script type="text/javascript">window.location = "**[2]' . $place . '"</script>';
}
?>

This one doesn't store safely, nor at all; it keeps going to **1 and never (even with the right user/pass) to **2. Any better suggestions?
Never store that sort of information in a cookie. You should really learn about sessions.
Several comments on your system:

1) Never store the user's password in the database. If the database is stolen then the thief has all of your users' passwords.

2) Never store the user's password in a cookie. Gamedev did that once. One member then wrote a program called "FongerChat" which pretended to be a chat client but also read the user's GDNet cookie and sent the password to the program's author. The result was that several users' accounts were compromised. Don't let this happen to you.

3) In fact, never store the user's password anywhere. Even storing an MD5 hash of the plaintext password is no longer enough. It's much safer to store a salted hash of the password. This can be done by generating a random string, appending it to the password, then storing the MD5 or SHA-1 (or whatever other one-way hash algorithm you use) hash of that in the database.

To check if the user has submitted the correct password, regenerate that hash and compare to what you have stored in the database.
Quote:Original post by Colin Jeanne
Several comments on your system:

1) Never store the user's password in the database. If the database is stolen then the thief has all of your users' passwords.

2) Never store the user's password in a cookie. Gamedev did that once. One member then wrote a program called "FongerChat" which pretended to be a chat client but also read the user's GDNet cookie and sent the password to the program's author. The result was that several users' accounts were compromised. Don't let this happen to you.

3) In fact, never store the user's password anywhere. Even storing an MD5 hash of the plaintext password is no longer enough. It's much safer to store a salted hash of the password. This can be done by generating a random string, appending it to the password, then storing the MD5 or SHA-1 (or whatever other one-way hash algorithm you use) hash of that in the database.

To check if the user has submitted the correct password, regenerate that hash and compare to what you have stored in the database.


OK, first of all, who would want GDNet usernames? There is no point to that.

Second, have you got more info on these salted passwords? For one, I don't trust Wikipedia, plus it doesn't really explain how to do that.


And about sessions, that helps, but the code still says that $corr = "0". Any idea on this? (And yes, type is not 0 on the users.)
Heck, since this is all over HTTPS, how secure would it be to just use POST on every page to send this info around if I encrypt it using JavaScript? Even though, if you left this on your computer screen, anyone could look in the source and find the encrypted version and decrypt it.
Salting a password is simply adding a text string to it before you hash it. To check a password to see if it's correct you need to add the same string to the password and hash it and compare the two hashes.

It would help to have more information about your database although there are a few glaring problems before we even get that far. You should be doing the username/password check in SQL. Something along the lines of...

SELECT type
FROM   users
WHERE  usn = '$usernam'
  AND  pwd = '$passwor';


Are you really storing the type in the database as [1], [2] and [3]? You should look into using something a bit more descriptive.
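The following is an added example (not code from the original thread or from any poster) showing Colin Jeanne's three points together in modern PHP: a salted one-way hash in the database instead of the password, the username/password check done through a prepared SQL query instead of a loop over every row, and only a server-side session handed to the browser instead of the username and password in cookies. It uses an in-memory SQLite database so it runs stand-alone; the table and column names (users, usn, pwd_hash, type) are assumptions. password_hash() does the "generate a random string, append it, hash it" step Colin describes (with bcrypt rather than MD5/SHA-1, and the salt stored inside the hash string), and password_verify() does the "regenerate and compare" step.

```php
<?php
// Added example, not from the original thread. Assumed schema: users(usn, pwd_hash, type).
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (usn TEXT PRIMARY KEY, pwd_hash TEXT NOT NULL, type TEXT NOT NULL)');
    return $db;
}

// Registration: the plaintext is never stored. password_hash() draws a fresh random
// salt per user and embeds it (with the algorithm and cost) in the string it returns.
function registerUser(PDO $db, string $usn, string $password, string $type): void
{
    $stmt = $db->prepare('INSERT INTO users (usn, pwd_hash, type) VALUES (:usn, :hash, :type)');
    $stmt->execute([
        ':usn'  => $usn,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
        ':type' => $type,
    ]);
}

// Login check in SQL: fetch the one row for this username through a bound parameter
// (so quote characters in the input are data, not SQL), then re-hash the submitted
// password with the stored salt and compare. Returns the user's type or null.
function checkLogin(PDO $db, string $usn, string $password): ?string
{
    static $dummyHash = null;            // used to keep timing similar for unknown users
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT pwd_hash, type FROM users WHERE usn = :usn');
    $stmt->execute([':usn' => $usn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);   // unknown user: same cost as a real check
        return null;
    }
    return password_verify($password, $row['pwd_hash']) ? $row['type'] : null;
}

// What replaces the two setcookie() calls: the browser only ever receives a session id;
// the username and type stay in $_SESSION on the server. Must run before any output.
function establishSession(string $usn, string $type): void
{
    session_start();
    session_regenerate_id(true);      // new id after login, so a pre-set id cannot be reused
    $_SESSION['usn']  = $usn;
    $_SESSION['type'] = $type;
}

// Stand-alone demonstration with a constructed user and constructed login attempts.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple', 'admin');

// The stored value: algorithm, cost, salt and hash, and no password to steal.
echo 'stored: ', $db->query("SELECT pwd_hash FROM users WHERE usn = 'alice'")->fetchColumn(), "\n";

$attempts = [
    ['alice',       'correct horse battery staple'],  // right password  => admin
    ['alice',       'wrong'],                         // wrong password  => rejected
    ['alice',       'Correct horse battery staple'],  // case matters    => rejected
    ["' OR '1'='1", 'anything'],                      // SQL text is just a username => rejected
    ['nobody',      'anything'],                      // unknown user    => rejected
];
foreach ($attempts as [$usn, $pw]) {
    printf("%-14s / %-30s => %s\n", $usn, $pw, checkLogin($db, $usn, $pw) ?? 'rejected');
}

// Wiring for a real request (skipped when run from the command line).
if (PHP_SAPI !== 'cli') {
    $type = checkLogin($db, (string)($_POST['usn'] ?? ''), (string)($_POST['pwd'] ?? ''));
    if ($type !== null) {
        establishSession((string)$_POST['usn'], $type);
    }
}
```

Run it with `php login.php`. Every other page then calls session_start() and reads $_SESSION['usn'] and $_SESSION['type']; nothing about the password leaves the server, so a program reading the browser's cookie jar gets only a session id that expires, and a stolen database yields only bcrypt hashes.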
Quote:Original post by Thoover
Heck, since this is all over HTTPS, how secure would it be to just use POST on every page to send this info around if I encrypt it using JavaScript? Even though, if you left this on your computer screen, anyone could look in the source and find the encrypted version and decrypt it.


There is no such thing as encrypting using JavaScript. Well, there is, but it's thoroughly useless and not in any way secure.
Unless you buffer the output, cookies should be set before any data is sent to the client. Same goes for starting sessions.
OK, in the case of hashing passwords that are in the database, how would I unhash if, say, I want to do a password recovery for the user?
The point is that passwords cannot be unhashed. The typical approach is to instead generate a new password and send it.
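An added example (not from the thread) of recovery that never needs the old password back: instead of mailing a freshly generated password as suggested above, the server issues a random, single-use, short-lived reset token, stores only a hash of the token (for the same reason it stores only a hash of the password), mails the token to the user, and on its return lets the user choose a new password, which is hashed exactly as on login. The in-memory $users array, the 15-minute lifetime and the example.com link are assumptions; mailing is represented by printing the link.

```php
<?php
// Added example, not from the original thread. The user store is a constructed array.
declare(strict_types=1);

const RESET_TTL = 900;   // assumed token lifetime: 15 minutes

// Create a token for this account. Only its SHA-256 is kept, so a copied database
// does not contain usable tokens; the raw token exists only in the e-mailed link.
function issueResetToken(array &$users, string $usn, int $now): ?string
{
    if (!isset($users[$usn])) {
        return null;   // unknown account (a real site still answers "check your e-mail")
    }
    $token = bin2hex(random_bytes(32));           // 256 random bits: not guessable
    $users[$usn]['reset'] = ['hash' => hash('sha256', $token), 'expires' => $now + RESET_TTL];
    return $token;
}

// Accept the token once, within its lifetime, and replace the password hash.
function completeReset(array &$users, string $usn, string $token, string $newPassword, int $now): bool
{
    $rec = $users[$usn]['reset'] ?? null;
    if ($rec === null) {
        return false;                              // nothing outstanding (or already used)
    }
    if ($now > $rec['expires']) {
        unset($users[$usn]['reset']);              // expired: discard it
        return false;
    }
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        return false;                              // wrong token; constant-time compare
    }
    unset($users[$usn]['reset']);                  // single use
    $users[$usn]['pwd_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Stand-alone demonstration.
$users = ['alice' => ['pwd_hash' => password_hash('old password', PASSWORD_DEFAULT)]];
$now   = time();
$show  = function (string $label, bool $ok): void {
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
};

$token = issueResetToken($users, 'alice', $now);
echo "mail to alice: https://example.com/reset?usn=alice&token=$token\n";
echo "database holds only: {$users['alice']['reset']['hash']}\n";

$wrong = bin2hex(random_bytes(32));
$show('wrong token',  completeReset($users, 'alice', $wrong,  'x',            $now + 10));
$show('right token',  completeReset($users, 'alice', $token,  'new password', $now + 60));
$show('replayed token', completeReset($users, 'alice', $token, 'again',       $now + 61));

$late = issueResetToken($users, 'alice', $now);
$show('expired token', completeReset($users, 'alice', $late, 'late', $now + RESET_TTL + 1));

var_dump(password_verify('new password', $users['alice']['pwd_hash']));  // true
var_dump(password_verify('old password', $users['alice']['pwd_hash']));  // false
```

Whether a new password is mailed, as above, or a token link as here, the recovery path must be at least as careful as login: the mailbox becomes the credential, so the token is random, hashed at rest, expires, and is consumed on first use.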

This topic is closed to new replies.
