Tycoon Talk, PHP Forum
Old 09-12-2007, 02:00 PM Login System
Nathand (USA)
Hi, I'm trying to develop a login system for my site. I've read that sessions are less secure than cookies (?) so I'm just using cookies, and requiring the user to specify how long they want to be logged in.

Here's the login code I have right now:

Login field:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head><title>login</title></head>
<body>
<?php
// If the login cookie is already set, greet the user and stop here.
if (isset($_COOKIE['login']) && $_COOKIE['login'] != "")
{
    $name = ucfirst($_COOKIE['login']);
    echo "Welcome " . $name . ".";
    die;
}
else
{
    // Otherwise show the login form; keeploggedin is the cookie lifetime in seconds.
    echo '
<form action="login.php" method="post">
Username: <input type="text" name="Username"><br>
Password: <input type="password" name="Password"><br>
Keep me logged in for: 
<select name="keeploggedin">
<option value="60">1 minute</option>
<option value="1800">30 min.</option>
<option value="3600">1 hour</option>
<option value="86400">1 day</option>
<option value="1209600">2 weeks</option>
</select><br>
<input type="Submit" value="Login">
</form>
<a href="javascript:self.parent.location=\'./register.php\'">Register</a>
';
}
?>
</body>
</html>
Login Script:
Code:
<?php
// Form values from the login page.
$username = strtolower($_POST['Username']);
$password = $_POST['Password'];
$keeploggedin = $_POST['keeploggedin'];   // cookie lifetime in seconds, taken as-is from the form

$dbh = mysql_connect("localhost", "team2008_login", "<pass>");
@mysql_select_db("team2008_login") or die("Unable to select database");

// Fetch every row and compare in PHP. The table is assumed to hold the
// username in column 1 and the plain-text password in column 2.
$query = "SELECT * FROM login_table";
$result = mysql_query($query);

$success = "loginerror";
while ($tablearray = mysql_fetch_array($result))
{
    if ($tablearray[1] == $username && $tablearray[2] == $password)
    {
        // The cookie holds nothing but the bare username.
        setcookie("login", $username, time() + $keeploggedin);
        $success = "loginsuccess";
    }
}

// Send the browser to loginsuccess.html or loginerror.html.
echo '<script type="text/javascript">
self.parent.location="' . $success . '.html";
</script>';

?>
I know it's not totally secure. Right now I'm trying more to learn concepts than making it secure.

Any advice would be appreciated.

Thanks,
Nathan
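The same login flow rebuilt the way a reviewer would ask for it today: this is an added example, not Nathan's script or anything from the thread. It keeps the posted form fields (Username, Password, keeploggedin) and the redirect to loginsuccess.html / loginerror.html, but looks the user up with a bound parameter instead of scanning the whole table, compares against a salted hash with password_verify() instead of a clear-text password and ==, only accepts the lifetimes the form actually offers, and keeps the logged-in state in a server-side session whose cookie carries only an opaque id. The table name login_table and the column password_hash are assumptions; the in-memory SQLite database and the sample account are constructed so the script runs offline (php login_hardened.php) and it assumes PHP 7.3 or later for the samesite cookie option.

```php
<?php
// Added example (not the original poster's login.php): parameterised lookup,
// hashed passwords and a server-side session. Assumed schema:
// login_table(username TEXT, password_hash TEXT). The SQLite DSN and the
// sample account are constructed for an offline run; use the real MySQL DSN in production.
declare(strict_types=1);

// The only "keep me logged in" values the form offers; anything else from
// $_POST is rejected rather than trusted.
const ALLOWED_LIFETIMES = [60, 1800, 3600, 86400, 1209600];

function connect(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE login_table (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Constructed sample account. password_hash() salts and hashes, so the table
    // never holds the clear-text password the posted script compared with ==.
    $dbh->prepare('INSERT INTO login_table (username, password_hash) VALUES (?, ?)')
        ->execute(['nathan', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $dbh;
}

// Returns the stored username on success, null on any failure.
function authenticate(PDO $dbh, string $username, string $password): ?string
{
    $username = strtolower($username);
    // The username is a bound parameter, never concatenated into the SQL text,
    // so quotes or comment sequences inside it cannot alter the statement.
    $stmt = $dbh->prepare('SELECT username, password_hash FROM login_table WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still do one hash verification so the response time
        // does not reveal which usernames exist.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    return password_verify($password, $row['password_hash']) ? $row['username'] : null;
}

// Map the form's keeploggedin value onto the allow-list; default to 30 minutes.
function lifetimeFromForm($raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return in_array($n, ALLOWED_LIFETIMES, true) ? $n : 1800;
}

// Start the logged-in session; the cookie carries only an opaque session id.
function loginSession(string $username, int $lifetime): void
{
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),   // only over HTTPS when the site has it
        'httponly' => true,                        // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);   // fresh id at login so a pre-login id is never promoted
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration of the authentication step only.
    $dbh = connect();
    var_dump(authenticate($dbh, 'Nathan', 'correct horse battery staple'));
    var_dump(authenticate($dbh, 'nathan', 'wrong password'));
    var_dump(authenticate($dbh, 'nobody', 'anything'));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $dbh  = connect();
    $user = authenticate($dbh, (string)($_POST['Username'] ?? ''), (string)($_POST['Password'] ?? ''));
    if ($user !== null) {
        loginSession($user, lifetimeFromForm($_POST['keeploggedin'] ?? null));
    }
    // Redirect with an HTTP header instead of echoing JavaScript into the page.
    header('Location: ' . ($user !== null ? 'loginsuccess.html' : 'loginerror.html'));
    exit;
}
```

Note that the posted script's query (SELECT * FROM login_table) contains no user input, so it is not injectable as written; the moment the username moves into a WHERE clause, as above, the bound parameter is what keeps it that way, and it also stops the full-table scan on every login.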
Old 09-12-2007, 02:49 PM Re: Login System
tomythius (Tom Wright, Brighton, UK)
I personally would use php sessions. I've never had a problem with them and they remove a lot of code-cruft. Furthermore, php sessions use cookies as part of their implementation. Concepts to learn are:
If you want total security, consider using ssh to protect information exchanged between you and the client.
Old 09-12-2007, 03:16 PM Re: Login System
solomongaby (Gabe Solomon, Romania)
I think sessions are more secure than cookies, since sessions are stored on the server and cookies are on the client computer, which could be one shared with other persons.
Old 09-12-2007, 04:17 PM Re: Login System
Nathand (USA)
Quote:
Note: If you are not experienced with session programming it is not recommended that you use sessions on a website that requires high security, as there are security holes that take some advanced techniques to plug.
Another site said that if enough people were browsing your site, the session cookies (or whatever gets stored on the server) would start being overwritten with new information...

I dunno what to use. What are your personal experiences with sessions and cookies?
Old 09-12-2007, 04:34 PM Re: Login System
johnncyber (Mark Romero)
Both are insecure and are easily hacked. Like tomythius said, sessions use cookies to store a sessionid in the client browser, but the actual session data is stored on the server. So if a hacker gets ahold of a sessionid, then they can theoretically fool the server into thinking that they are logged in as the person who initiated the session.

I personally use sessions to keep track of those that are logged in. In the case a project requires a "Remember Me" function I use cookies to store relog info (as php session cookies are erased when the browser is closed).
(You can find a snippet in this post: Invisible/visible parts of web page.)

You will notice that I do not store any sensitive information in the cookie, or the session for that matter, because, like I said before, both are insecure. I also store the IP of the session so that I can check it to make sure that the same IP that started the session is the one that is accessing it again. (WARNING: IPs can still be spoofed.) If you want a more secure rather than convenient system, drop the remember me and cookies.
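A "remember me" cookie built along the lines johnncyber describes (nothing sensitive in the cookie, a value that must match a server-side table), written as an added example rather than his snippet. The cookie carries two random strings: a selector used only to find the row, and a validator whose SHA-256 hash is what the table stores, so a leaked copy of the table does not yield working cookies; the comparison uses hash_equals() and a mismatch revokes the token. The table remember_tokens and its columns are assumptions, the in-memory SQLite store and the sample user are constructed so it runs offline, and the cookie is sent Secure and HttpOnly (setcookie's options array needs PHP 7.3 or later).

```php
<?php
// Added example, not johnncyber's snippet: a remember-me token made of a
// selector (lookup key) and a validator (secret). Only hash(validator) is
// stored server side. Assumed schema:
// remember_tokens(selector TEXT, validator_hash TEXT, username TEXT, expires INTEGER).
declare(strict_types=1);

function tokenStore(): PDO
{
    // Constructed in-memory store so the example runs without a MySQL server.
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        username TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $dbh;
}

// Create a token for $username; returns the cookie value "selector:validator".
function issueRememberMe(PDO $dbh, string $username, int $lifetime): string
{
    $selector  = bin2hex(random_bytes(8));    // 64-bit lookup key
    $validator = bin2hex(random_bytes(32));   // 256-bit secret, never stored in clear
    $dbh->prepare('INSERT INTO remember_tokens (selector, validator_hash, username, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $username, time() + $lifetime]);
    return $selector . ':' . $validator;
}

// Returns the username the cookie belongs to, or null if the cookie is
// missing, malformed, expired, revoked or altered.
function checkRememberMe(PDO $dbh, string $cookie): ?string
{
    if (!preg_match('/\A([0-9a-f]{16}):([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $stmt = $dbh->prepare('SELECT validator_hash, username, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison; a plain == on the hashes would leak timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with the wrong validator means the cookie was altered
        // or guessed: revoke the row so the legitimate copy stops working too.
        $dbh->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return $row['username'];
}

// Deliver the cookie with the attributes that keep it off plain HTTP and away from scripts.
function sendRememberMeCookie(string $value, int $lifetime): void
{
    setcookie('remember', $value, [
        'expires'  => time() + $lifetime,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    $dbh    = tokenStore();
    $cookie = issueRememberMe($dbh, 'nathan', 1209600);   // two weeks, as in the form
    // Flip the last hex digit to simulate a cookie that was edited on the client.
    $altered = substr($cookie, 0, -1) . (substr($cookie, -1) === '0' ? '1' : '0');
    var_dump(checkRememberMe($dbh, $cookie));    // genuine cookie
    var_dump(checkRememberMe($dbh, $altered));   // altered validator: rejected, row revoked
    var_dump(checkRememberMe($dbh, $cookie));    // genuine cookie after revocation
}
```

The split into selector and validator matters because the database lookup by selector happens before any secret comparison: the only string compared with hash_equals() is the 256-bit validator, and the session IP check johnncyber mentions can be layered on top by storing REMOTE_ADDR in the same row.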
Old 09-12-2007, 04:52 PM Re: Login System
dansgalaxy (Dan, Swindon)
You should look up the mysql_real_escape function; it should (help) protect you from SQL injection, which in the current state I could, say, use to log in as admin...

Dan
Old 09-12-2007, 05:30 PM Re: Login System
johnncyber (Mark Romero)
That is something that I forgot to mention. Ty, Dan.
Old 09-12-2007, 06:30 PM Re: Login System
Nathand (USA)
So the "mysql_real_escape_string()" function just deletes characters that could be used in a mysql injection?

So cookies can be edited. How do you store someone's login information in a cookie that a malicious person can't fake/steal?
Old 09-12-2007, 09:56 PM Re: Login System
johnncyber (Mark Romero)
mysql_real_escape_string() actually just escapes the characters that could be used to inject SQL statements.

Cookies can be edited because they are just simple text files on the client's computer. The best way to store information is to only store non-sensitive identifiable data; my cookie stores a sessionid and username. They must both match what is stored in the table in order for the user to be authenticated. This isn't the most secure method, because a person who has the ability to intercept that cookie can pose as the user. Like I said, if you are concerned about security, do not implement a remember me function.
Last edited by johnncyber; 09-12-2007 at 11:00 PM..
Old 09-13-2007, 04:52 AM Re: Login System
dansgalaxy (Dan, Swindon)
I think a lot of the time everyone must weigh up the risks and advantages.

Everything CAN be hacked/cracked and/or stolen.

Every system designed and built has some kind of override built in, which if it's found can be used by every hacker.

The best you can do is write your scripts as securely as possible.

Unless the account handles or uses in some way the user's money or anything like that, only then would I worry too much about security of cookies; if it is handling money then it should always be using an https "secure" (s******) connection.

You could, if you so wish, at least on first login, when the cookie is set, use a secure connection, which should minimise the risk of someone phishing the connection and stealing the cookies and therefore impersonating that user to gain access.

I came really close to going into a mini-rant/explanation of some of the flaws and that with https... BUT I RESISTED!! - I might have one on my blog tho...

dan

EDIT: I wasn't swearing btw... I just said snig ger
Last edited by dansgalaxy; 09-13-2007 at 04:54 AM..
Old 09-16-2007, 12:43 AM Re: Login System
goheadtry (John, California)
One tip though with sessions: if it is something like http://((SITE))/some.php?session=12, I am pointing out a problem. If the session ID is based off of a simple number that can be easily guessed, people will just add that at the end and change the session until they find a session that they can use to hack your website, so always make your session ID long, and not just numerical or alphabetical; use alphanumerical. Oh, and don't leave it on there and be like "I will just trust my users", because if your user bookmarks a page like that when he is in a session, then he clicks the bookmark and someone with higher privileges now has the session, he just got into their account with the higher privileges. So make them long and alphanumerical, I can't stress that enough.
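The two problems in the post above, an id that rides in the URL (and so ends up in bookmarks, server logs and Referer headers) and an id that is short or sequential, are both handled by PHP's built-in session settings. This added example is not from the thread: the directive names are real php.ini settings, the values are this example's recommendations, and sessionIdLooksWeak() is a hypothetical screening helper for reviewing a hand-rolled scheme such as the ?session=12 one.

```php
<?php
// Added example, not from the thread: session settings that keep the id out
// of URLs and make it long and random, plus a small screen for weak ids.
// session.sid_length / sid_bits_per_character need PHP 7.1 or later.
declare(strict_types=1);

function hardenSessionConfig(): void
{
    ini_set('session.use_only_cookies', '1');       // ignore ?PHPSESSID=... in the URL
    ini_set('session.use_trans_sid', '0');          // never rewrite links/forms to carry the id
    ini_set('session.use_strict_mode', '1');        // discard ids the server never issued
    ini_set('session.sid_length', '48');            // characters in the id (default 32)
    ini_set('session.sid_bits_per_character', '6'); // alphabet 0-9 a-z A-Z , -  => 288 bits
    ini_set('session.cookie_httponly', '1');        // not readable from page scripts
    ini_set('session.cookie_secure', '1');          // requires the site to be served over HTTPS
}

// Hypothetical screen for the kind of id the post warns about: short, purely
// numeric or purely alphabetic, or drawn from only a handful of symbols.
function sessionIdLooksWeak(string $id): bool
{
    if (strlen($id) < 32) {
        return true;
    }
    if (ctype_digit($id) || ctype_alpha($id)) {
        return true;
    }
    return count(array_unique(str_split($id))) < 8;
}

// If you keep your own session table instead of PHP's handler, mint ids the
// same way: bytes from the CSPRNG, hex encoded, never a counter or a timestamp.
function newSessionToken(): string
{
    return bin2hex(random_bytes(32));   // 64 hex characters, 256 bits
}

if (PHP_SAPI === 'cli') {
    // Constructed sample ids: the numeric one from the post, an all-letter one,
    // and a freshly generated token.
    foreach (['12', 'abcdefghijklmnopqrstuvwxyzabcdef', newSessionToken()] as $id) {
        printf("%-64s %s\n", $id, sessionIdLooksWeak($id) ? 'weak' : 'ok');
    }
} else {
    hardenSessionConfig();
    session_start();
    if (empty($_SESSION['created'])) {
        session_regenerate_id(true);    // do not keep whatever id the browser first presented
        $_SESSION['created'] = time();
    }
}
```

use_strict_mode is the setting that defeats the bookmarked-link scenario at the server: an id the server did not generate is dropped and a new session started, rather than a session being created under an attacker-chosen name; use_only_cookies plus use_trans_sid=0 is what keeps the id out of the URL in the first place.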