Scenario:
In-house web server running apache2; here are the virtual hosts:
domain.com <- for public, wordpress site
employee.domain.com <- for employees only, login required, non-wordpress site
An employee visits employee.domain.com/page1.php:
//page1.php
<?php
session_start();
if (isset($_SESSION['username'])) {
    <page displayed here>
}
else {
    // remember where the employee was heading, then send them to the login page on the
    // other virtual host, carrying the session id in the query string
    $_SESSION['redir_after_auth'] = $_SERVER['PHP_SELF'];
    header('Location: http://domain.com/login?sid=' . session_id());
}
?>
At domain.com/login, all $_SESSION variables are restored, then authentication continues. If successful, the employee is redirected back to where they were trying to go, employee.domain.com/page1.php. Now, since $_SESSION['username'] is set, page1.php will load.
//domain.com/login
<?php
// check for session_id (sid) and attempt to restore the $_SESSION variables that were set at employees.domain.com
if (isset($_GET['sid']) && trim($_GET['sid']) != '') {
    session_id($_GET['sid']);
}
session_start();

date_default_timezone_set('America/city');
$date = date('l jS F Y h:i A T');

$hostname = 'localhost';
$dbname   = 'employees';     // no, these are not the real values
$username = 'sql_username';  // no, these are not the real values
$password = 'password';      // no, these are not the real values
mysql_connect($hostname, $username, $password) or die('Connection to host failed, perhaps the service is down!');
mysql_select_db($dbname) or die('Database name is not available!');

if (isset($_POST['username'])) {
    if (isset($_POST['password'])) {
        $login = mysql_query("SELECT * FROM users WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");
        $num_results = mysql_num_rows($login);
        if ($num_results == 1) {
            $_SESSION['username'] = $_POST['username'];
            $_SESSION['password'] = $_POST['password'];
            while ($row = mysql_fetch_assoc($login)) {
                $_SESSION['priv']  = $row['priv'];
                $_SESSION['email'] = $row['email'];
            }
            $tbl_name2 = "access_log";
            $user = $_POST['username'];
            // let's record logins in mysql for later review
            $addrecord = mysql_query("INSERT INTO $tbl_name2 (id, username, date) VALUES ('','$user','$date')");
            if (isset($_SESSION['redir_after_auth'])) {
                header('Location: http://employees.domain.com' . $_SESSION['redir_after_auth']);
                die();
            }
            else {
                header('Location: http://employees.domain.com?sid=' . session_id());
                // note: single quotes, so this unsets the literal key '$num_results', which is never set
                unset($_SESSION['$num_results']);
                die();
            }
        }
        else {
?>
<table align="center">
    <tr><td align="center">
        <p style="color:#F00">
            <?php echo 'Incorrect Username or Password'; ?>
        </p>
    </td></tr>
</table>
<?php
        }
    }
}
?>
//this is actually a shortcode in wordpress, hence the html login form here
<div>
    <form action="" method="POST">
        <table align="center">
            <tr><td align="left">Username: </td><td align="left"><input type="text" name="username"></td></tr>
            <tr><td align="left">Password: </td><td align="left"><input type="password" name="password"></td></tr>
            <tr><td align="left"><input type="submit" value="Login"></td></tr>
        </table>
    </form>
</div>
There isn't any sensitive info on employees.domain.com, just the company calendar, forms, etc., but how secure is this method? It is open to the www, so I'm a bit nervous.
Thoughts, suggestions?
Thanks!
Edit: forgot to add, passwords are encrypted with MD5 in MySQL.
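Added example (mine, not code from the original post): a hardened replacement for the domain.com/login handler above, written against the points a reviewer would raise on it: the session id is accepted from ?sid= and never regenerated, the access_log INSERT interpolates the username unescaped, the cleartext password is copied into the session, and passwords are unsalted MD5. It keeps the same contract (sets $_SESSION['username'], 'priv' and 'email', then redirects to $_SESSION['redir_after_auth']). It assumes the login page moves to employee.domain.com served over HTTPS so the id stays in a host-scoped cookie, a users table with columns username, password_hash (produced by password_hash()), priv and email, and an access_log table with username and logged_in_at; those column names, the host and the DB credentials are placeholders, not from the page.

```php
<?php
// Added example, not the poster's code. Hardened login handler for the
// employee site. Assumed schema: users(username, password_hash, priv, email),
// access_log(username, logged_in_at). DB constants are placeholders.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=employees;charset=utf8mb4';
const DB_USER = 'sql_username';
const DB_PASS = 'password';

// Strict mode makes PHP reject any session id it did not issue itself, so a
// visitor can no longer be handed a pre-chosen id the way ?sid= allowed.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => 'employee.domain.com', // not sent to the public domain.com site
    'secure'   => true,                  // assumes HTTPS on the employee host
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Accept only a local path (single leading slash, no CR/LF) as the post-login
// destination; anything else falls back to the site root.
function safe_redirect_path(?string $path): string
{
    return ($path !== null && preg_match('#^/(?!/)[^\r\n]*$#', $path) === 1) ? $path : '/';
}

// Returns the user's row (without the hash) on success, null on failure.
// Both queries are parameterised, so the username can no longer change the SQL
// the way the unescaped INSERT INTO access_log in the question allowed.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password_hash, priv, email FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares in constant time and uses the salt stored in
    // the hash; unsalted md5() provides neither.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && is_string($_POST['username'] ?? null) && is_string($_POST['password'] ?? null)) {
    $pdo  = db();
    $user = authenticate($pdo, $_POST['username'], $_POST['password']);
    if ($user !== null) {
        // Fresh id at the privilege boundary: an id planted before login is
        // useless afterwards. Session data (incl. redir_after_auth) carries over.
        session_regenerate_id(true);
        $_SESSION['username'] = $user['username'];
        $_SESSION['priv']     = $user['priv'];
        $_SESSION['email']    = $user['email'];
        // The cleartext password is deliberately never stored in the session.

        $pdo->prepare('INSERT INTO access_log (username, logged_in_at) VALUES (?, NOW())')
            ->execute([$user['username']]);

        $target = safe_redirect_path($_SESSION['redir_after_auth'] ?? null);
        unset($_SESSION['redir_after_auth']);
        header('Location: https://employee.domain.com' . $target);
        exit;
    }
    $error = 'Incorrect username or password';
}
?>
<?php if ($error !== null): ?>
<p style="color:#F00"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<!-- the POST login form from the question follows here unchanged -->
```

session.use_strict_mode makes PHP discard any uninitialised id presented in the cookie, and session_regenerate_id(true) after a successful login replaces whatever id the browser arrived with, so an attacker who planted an id before login is left holding one that was never authenticated. If the form has to stay on the WordPress host, the alternative is a session cookie scoped to the parent domain ('domain' => '.domain.com') rather than an id in the query string, at the cost of sharing that cookie with the public site.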
You should have the authentication pages on employee.domain.com rather than domain.com if it's only your employees who'll be using the login functionality. From what I understand, you want your session to be valid only on employee.domain.com.
This way the cookie (and session) set for employee.domain.com will be different from domain.com's.
Also, the following code leaves scope for session fixation attacks: