OH I forgot one thing...

The HTTP_REFERER part, I just take the first x characters of that string... just enough to verify
http....com/XXX is in the url of the last page.

First of all, Welcome to Webmaster World! :)

Now, relying on the referer sent by the browser is not secure at all. It has nothing to do with PHP's security (which is pretty darn secure, until you create the security hole yourself.)

The referer can be spoofed (faked). Some browsers send incorrect or incomplete referers. If you want to be sure that the user is coming from an allowed page, pass some random information to the page that is different each time that page is reached. This random string can then be verified on the next page.

Have you looked into PHP Sessions?

Agreeing with DrDoc, check into PHP Sessions, very simple to use. Also have you thought about storing the usernames and passwords in a database rather then a file (I know you said it is not in the public folder), but if the list is long, it would be faster to query in a database.
-FM-

I am also a new born php programmer and have recently built a secure log in section using Mysql and php sessions.

The sessions in php are great, checking to make sure that an open session has a specific active string which can be yes, no, 0 or 1.

For extra security I would recommend a database storing all info on a seperate table and create a log of every log in made just so you can see the activity.

I have found php to be very secure have tested all sorts of methods. One thing I would NOT do is store the passwords or usernames on a text file even in a completely different folder.

agreed - use a database for your username & password

preferably store only an md5 hash of the password

don't rely on referrer, although it's nice to add that in as well for added security

i don't use sessions in general - i generate my own cookie with a randomised value in it, and create a corresponding database entry to remember that value, the IP the cookie went to, and the time... that way I am in control of my security - not php session.

i then check before returning _each and every_ page that the cookie value is a) present, b) the IP is the same as when it was sent out, and c) the time is within X mins from cookie issue (login).

i think you should have reasonable security if you do this. i always shy away from using standard security functions etc. as once a hole is found in it - it soon becomes common knowledge and every site using it becomes at risk.

b) the IP is the same as when it was sent out,

Isn't this a potential problem with certains ISPs? I notice in logs that AOL surfers seem to have a different IP with each request. Just wondering ...

M.

AOL surfers

need i say more? i never had any complaints about not being able to use any of my sites security.

Isn't this a potential problem with certains ISPs?

Yes I think that happens in case of dialup users, that IPs change during same session.

with dialup users, true, they will need to log in again - but i'd say that with an average reconnection time of say an hour, their hourly typing a password is worth it to ensure nobody hijacks the session

Just store the first three numbers.

###.###.###

The IP switch usually only affects the fourth...

Just store the first three numbers.
###.###.###

The IP switch usually only affects the fourth...

which would leave the system open to cookie hijack by only 255 different people - and in the case of a network on static IPs - that would most likely be people nearby... ie those who are in a position to easily hijack.

something i'd rather not leave to chance

Well, I'm already liking this forum. I go away for the weekend and I get everyones opinion :) Gives me something to do Monday morning at work haha.

Anyway, So what you guys are saying is the "Referer" can be fraud? Well why the hell would my book tell me to do it this way :P

I do have a database at my disposal, but there is only 1 user allowed into this site. No username just a password. It's just a documentation site for a project. Basically a way to communicate usually information that isn't sensitive, but just in case I'm securing it so we could pass sensitive information. And I'm just using this for something to do. The boss don't come back for a week and I have finished everything that was dumped on me already. So this is just something I'm doing to pass the time :)

THanks for all your input guys/gals. I think I'm going to stick with just the file outside of the public folder. No real advantage on look-up(only 1 pass anyway). As for the session stuff, I was looking at that in my books. What my book says for good security is to create a session and pass a variable from page to page, checking that variable on every page. That would be a better solution compared to what I have?

create a session and pass a variable from page to page, checking that variable on every page

yes, that's a really good way of doing it... BUT...
make sure register_globals is OFF in php.ini, i.e. make sure you use $_SESSION['loggedin'] not just $loggedin... otherwise i can write www.yoursite.com?loggedin=1 and get in :-)

heh, nice try HACKER! hehe j/k.

Actually I have written into my pages that if any args are in the url, I reload the page stripping the args out...

Something like this
if( $HTTP_SERVER_VARS["argc"]!= 0 ) {
header( "Location: $PHP_SELF" );
exit;
}

That way, any information I get won't be input through the URL.