HI, this is my first time doing this. I’ve read The definitive guide to form-based website authentication and http://en.wikibooks.org/wiki/PHP_Programming/User_login_systems, but I still have doubts as to whether I’m doing this correctly. Note: I’m doing this to learn, so please don’t suggest a framework and php pear auth or any other related class. I just want some guidance on what I can do to improve this.
I don’t need CIA style security, just something basic for a login site:
Anyway, this is how my login works:
-
Wait for user to press Login
if (isset($_POST[‘action’]) && $_POST[‘action’] == ‘Login’)
-
Does form token match token stored in session? If not die.
- Use php filters to validate string in username and password
- Hash the password (sha256) (with salt, I use the same salt for every password)
- Use mysqli to check for username and hashed password (LIMIT 1 in SQL).
- If no match is found show an error — otherwise set the session (hashed with sha256)
At the bottom of all this I place the following, this is the line I am most worried about:
My thinking is that, if the session is not set, then show the login form and exit.
if
(!isset($_SESSION['authenticated'])) {
require_once 'html/login_form.html';
exit(); }
// secret stuff goes here
The full code can be found here. It is still incomplete.
I will also attempt to implement this: How can I throttle user login attempts in PHP.
I am grateful for any feedback.
This is a pretty open question as there are so many areas to pick apart. However, for average security, I would at least recommend changing the following.
Number 2: Don’t use the same salt. This means if the salt is compromised so are all the hashed values. I would recommend one way encrypting the password. Users would rather reset it than know it could be reasonably decrypted.
Number 5: Don’t forget about SQL Injection. Far more important than
LIMIT 1. Check outmysql_real_escape_string()