PHP Server Side Scripting Forum
Using $ SESSION to store your login is a bad idea?
ethan89 (msg:4193691, 10:03 am on Aug 29, 2010 (gmt 0))

On yahoo questions, I was getting help with my php login system, and a prominent answerer (lol) on yahoo questions had this to say:

"Using $_SESSION to store your login is a bad idea!
When the user logs in, you compare his entry with values in your DB. There, you also have his email.
The general idea is that your user's table contains user, pwd, email AND "sess", a field of 50 chars that will be filled, AT SIGN-IN, with the session number. Then, if you want any detail of the user, use $_SESSION and check it against the DB, field "sess"."

If I'm doing it wrong, I'd like to know how to fix my login system. I didn't understand exactly what he said though. I'm not sure how to fix it. Here is my code, tell me what you think please:

<?php

$dbhost = "localhost";
$dbname = ""; // I erased these 3 on purpose
$dbuser = "";
$dbpass = "";

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
// Raw POST values, used below without any filtering or escaping
$username = $_POST['username'];
$password = $_POST['password'];

// Both values are interpolated straight into the SQL string, and the
// password is compared in plain text against the stored column
$query = "select * from members where username='$username' and password='$password'";

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
echo '<br><div align="center"><font size="4" color="white">Invalid username or password. Please try again.</font></div><br>';
include "sign_in.php";

} else {
// Only the username is kept in the session; nothing ties it back to the DB
$_SESSION['username'] = "$username";
include "my_account.php";
}

?>

 

bhukkel (msg:4193724, 12:36 pm on Aug 29, 2010 (gmt 0))

I think you need to add some basic security to your PHP, like input filtering and MySQL escaping. That is more important than the security of your $_SESSION vars at this moment.

Please read the OWASP Top 10 of security risks [owasp.org].
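The two points raised so far, the Yahoo answerer's "sess" column that ties a session back to the database and bhukkel's call for escaping, put together as one added example in modern PHP. This is not code from the thread or from ethan89; it is an illustration of the hardened shape of the same login. It assumes PHP 7 or later with PDO, a members table with columns id, username, password_hash (produced by password_hash()) and sess, placeholder DSN and credentials, and that sign_in.php and my_account.php exist as in the original. Parameters go to the database through prepared statements instead of string interpolation, the password is checked with password_verify() rather than compared in SQL, and the session is only trusted while its token still matches the sess column.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with PDO MySQL and a
// `members` table: id, username, password_hash (bcrypt via password_hash()), sess.
// DSN and credentials below are placeholders.

declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
    }
    return $pdo;
}

// Look up the row by username only; the password never touches SQL.
function authenticate(string $username, string $password): ?array
{
    $stmt = db()->prepare('SELECT id, username, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = db()->prepare('UPDATE members SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return $row;
}

// After a successful login: fresh session id (against fixation) plus a random
// token stored both in the session and in members.sess, so the server can
// revoke a login by clearing that column. 24 random bytes -> 48 hex chars,
// which fits the 50-char column the first post describes.
function establishSession(array $user): void
{
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(24));
    $stmt  = db()->prepare('UPDATE members SET sess = ? WHERE id = ?');
    $stmt->execute([$token, $user['id']]);
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['sess_token'] = $token;
}

// Call at the top of every protected page: the session is trusted only while
// its token still equals the one in the database.
function currentUser(): ?array
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['sess_token'])) {
        return null;
    }
    $stmt = db()->prepare('SELECT id, username, sess FROM members WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['sess'] === null
        || !hash_equals($row['sess'], $_SESSION['sess_token'])) {
        session_unset();
        session_destroy();
        return null;
    }
    return $row;
}

// Cookie flags: not readable from JavaScript, only sent over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if ($username === '' || $password === '' || ($user = authenticate($username, $password)) === null) {
    echo '<p>Invalid username or password. Please try again.</p>';
    include 'sign_in.php';
} else {
    establishSession($user);
    include 'my_account.php';
}
```

Creating accounts with password_hash($plain, PASSWORD_DEFAULT) is the other half of this; plain-text password columns cannot be verified by password_verify(). Pages that include my_account.php directly should call currentUser() first and bounce to the sign-in page when it returns null.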

ethan89 (msg:4193731, 1:45 pm on Aug 29, 2010 (gmt 0))

Thanks for bringing security to my attention. I really had no idea. I fixed the problems you mentioned. I just had to add a code into a few places to stop injections.

impact (msg:4193999, 12:36 pm on Aug 30, 2010 (gmt 0))

Also bring the session_start() to

} else {
$_SESSION['username'] = "$username";
include "my_account.php";
}

It doesn't make a big difference, but just call session_start() only when it is absolutely required.
