Home/ Questions/Q 7730065
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T06:07:46+00:00

I got to thinking that maybe my login system isn’t as secure as I

  • 0

I got to thinking that maybe my login system isn’t as secure as I thought it was.
So first, I’m going to explain to you, in words, what I am doing.

When a user registers, a 16 character salt is generated.
I store the salt in the database in a field called “salt”
I store the hashed password+salt (they are hashed together hash("sha256", $salt.$password);) in a field called “password”

When a user attempts to log in, I fetch the “password” field and the “salt” field from the database, along with a few other things.

To check if they entered their password correctly, I do this:

$hashed = hash("sha256", $row['salt'].$pass);
if ($row['password'] == $hashed) {
//success

($row is the fetched array from the database. $row[‘salt’] is the salt in the database, $pass is the password they entered, and $row[“password”] is the hashed pass+salt in the database)

I was thinking, and it looks to me that my salt offers little (or no) security benefits at all. My question to you all is just that: DOES my method offer additional security (or is it even secure it all?)

In addition, I have a second ‘question.’ I want to verify that this “check login” script can’t be spoofed/cheated in order to gain entry to someone’s account without their password.

session_start();
require_once 'db_connect.php';
//If the session variable "id" isn't set (i.e. they aren't logged in)
if (!isset($_SESSION['id'])) { 
    //Check if they wanted to be "remembered" (so they have 2 cookies
    if (isset($_COOKIE['rem_user']) && isset($_COOKIE['rem_pass'])) 
    { 
        $query = "SELECT 
                      id, 
                      password, 
                      auth, 
                      email, 
                      username 
                  FROM users 
                  WHERE 
                      username='".$_COOKIE['rem_user']."' 
                  AND active IS NULL"
        $res = mysql_query( $query );
        if (mysql_num_rows($res) == 1) 
        {
            $row = mysql_fetch_array($res);
            // If the "remember me" cookie containing their password 
            // is equal to the one in the database, log them back in.
            if ($_COOKIE['rem_pass'] == $row['password']) 
            { 
                $_SESSION['id'] = $row['id'];
                $_SESSION['username'] = $row['username'];
                $_SESSION['auth'] = $row['auth'];
                $_SESSION['email'] = $row['email'];
                $logged_in = 1;
            }   
        }
    } 
    else 
        $logged_in = 0;
} 
else 
    //Since the session variable "id" WAS set, they ARE logged in. 
    $logged_in = 1;

I would think that the only way to log in is…

  1. To spoof a session variable which I don’t think is possible without server access
  2. Spoof a cookie with the encrypted password+salt, which I believe is nearly impossible without access to the database.

Feedback would be appreciated. I want to make sure my system is secure. 🙂

Thank you!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Okay, here it goes… do not roll-your-own security. Here are some issues with above:

    1. The hashed password is stored as a cookie. THIS IS NO DIFFERENT THEN STORING/PASSING A PLAIN-TEXT PASSWORD because it is validated as-is without the hash function function applied.

    2. The cookie is an SQL Injection Attack vector.

    3. Uses SHx for hashing. (Use bcrypt, scrypt, hmac, etc.)

    And then I stopped looking. #1 shows that this should be left to an existing tested/vetted library.

    • 0