Is it secure/safe?


Lea Verou
03-03-2006, 04:31 AM
I'm developing a website for a client, it has nothing to do with vBulletin.
There is only one admin account in the system. (Users do not register)
Obviously I needed to make a system for her to log in, and then keep her logged in while she browses the admincp and adds stuff to her website. I read that most PHP applications do this with sessions and cookies, but I did not have any knowledge of either of them, and I didn't like the fact that you can only call setcookie before sending any HTML. Also, sessions seemed too complicated for me to understand, and I have to finish the site by about the 15th of March, so I can't waste any more time.
So, this is what I did:
When she installs the software, she enters her preferred admin username and password. These are stored in the database (btw should I encrypt the password? If so, why?). There are also 2 other entries in that db table, islogged and adminip. By default they are both set to 0. When she logs in, the script gets the correct username and password from the database, compares them with the submitted ones, and if they match it sets islogged to 1 and adminip to the computer's IP from which she logged in. In every page in the admincp I include (require() in fact) a small script that checks if islogged is 1 AND adminip matches the computer's IP. If not, it redirects the user to the login page by header(location: blah blah blah); . There is also a logout that sets islogged to 0 and adminip to 0. There is no timeout (but eventually the IP will change if it's not static) and the good thing (compared to cookies) is that it doesn't need a second login if you view the site with a different browser (as it doesn't depend on the browser's cookies).

My question is (and thank you for reading the whole thing! :o):
Since I haven't heard of this way for logins, there must be a reason for that. Does it pose a security risk? How can it be bypassed?

Thanks a lot in advance! :)

Xenon
03-03-2006, 10:26 PM
Yep, it holds a big security risk:

as long as she doesn't log out, any user with the same external IP will have access. for example if she works behind a router, everyone behind the same router will have access.
also if she forgets to log out and her IP changes, the old IP (if it's dynamic) could be assigned to someone else, who will get access

and yes, you should encrypt the password. if there is any security flaw and someone gets access to the db he can read the pw and then knows it forever, and if she doesn't have different password, that won't be good ;)

Lea Verou
03-03-2006, 11:21 PM
Firstly thanks a lot for answering!!

She will probably use it from her house, where only she and her husband live.
Also, I think it's quite an exaggeration to say that when her IP changes, the other one who takes her IP will be able to enter. To do that he should:
-Know her site
-Know her IP
-Know that he got HER IP
-Know the URL of the admincp
-want to harm the site

Quite impossible, isn't it?

About the password, although it also seems quite exaggerated, I will try to encrypt it as it won't be a big change in the code :)

Xenon
03-03-2006, 11:50 PM
well, you just asked for security aspects, not if it's likely ;)

but why code insecurely, if you can do it securely
(just add a cookie on her pc and add a timeout, will make it much more secure without much work :))

Lea Verou
03-04-2006, 12:39 AM
Yes but I don't know how to use cookies and it seemed quite complicated when I tried to learn it (cause it said that you have to set the cookie before sending any html and I didn't find any function to manipulate the value of the cookie afterwards, so this is impossible with my code) :( :( :(

Andrew
03-04-2006, 02:23 AM
You could always use sessions - I find them much easier to use than dealing with cookies directly.

Lea Verou
03-04-2006, 06:21 AM
I said in the first post that I did this because I don't know how to use sessions and cookies and I find it hard to learn it while being under pressure!

Xenon
03-04-2006, 11:57 AM
you have to send the cookies before you send the first part of the html output of a page, but not before the script itself starts, so you can already do some tests

to give you the general idea

she visits the site
check if admin cookie is set
not set: redirect to login page
if login is correct set cookie and afterwards redirect to the admin index page

it's not hard, believe me
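
The flow outlined in the post above, sketched with PHP sessions and an idle timeout. This is an added example, not code from the thread; the file name, function names, the /admincp/login.php path and the 15-minute timeout are assumptions, and the cookie's secure flag assumes the site is served over HTTPS.

```php
<?php
// admin_guard.php (hypothetical name). At the top of every admincp page,
// before any HTML is sent:
//     require 'admin_guard.php'; start_admin_session(); require_admin();

const ADMIN_IDLE_TIMEOUT = 900; // seconds of inactivity allowed (assumed value)

function start_admin_session(): void
{
    // Session cookie flags: HTTPS only, hidden from JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

function log_in_admin(): void
{
    // Call only after the submitted username and password were verified.
    session_regenerate_id(true);   // fresh session id for the logged-in state
    $_SESSION['is_admin']  = true;
    $_SESSION['last_seen'] = time();
}

function log_out_admin(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

function require_admin(): void
{
    $fresh = isset($_SESSION['is_admin'], $_SESSION['last_seen'])
        && $_SESSION['is_admin'] === true
        && (time() - $_SESSION['last_seen']) <= ADMIN_IDLE_TIMEOUT;

    if (!$fresh) {
        log_out_admin();
        header('Location: /admincp/login.php'); // hypothetical login URL
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding timeout: activity extends the login
}
```

Because the login state lives in the visitor's own session rather than in one shared database row keyed by IP address, another machine behind the same router does not inherit it.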

Lea Verou
03-04-2006, 12:01 PM
Yes, but the way I have it now there is the login form, and when she clicks submit the form stays there and the results appear below it (eg "incorrect password"). I have to change a lot of things to use cookies and if the only security risks are the ones mentioned in the 2nd post I don't think there is a reason :ermm:

Xenon
03-04-2006, 03:44 PM
it's your customer, not mine ;)

Lea Verou
03-04-2006, 04:05 PM
Of course Xenon, and thanks a lot for helping.
I asked about the security risks though, are they the only ones that you wrote on your first post? That's all I need to know for now :)

Xenon
03-05-2006, 08:29 PM
apart from the mentioned ones, i don't see any more

Lea Verou
03-10-2006, 08:26 PM
"...and if she doesn't have different password, that won't be good ;)"

She can change her password, as often as she wants from the admincp (I forgot to mention it earlier)

Deaths
03-10-2006, 08:52 PM
As for the password, if I were you I would indeed encrypt it.

Adding a simple md5 should do, add one to the "register" form (guessing this is in the install script), and add an md5 hash to the password before it gets verified. (so basically add $password = md5($password) before your password checking conditional ;))

Good luck! I personally find cookies and sessions a pain in the neck as well, heh.
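
Storing only a hash of the admin password and checking it at login, as an added example that is not part of the original thread. It uses PHP's built-in password_hash() and password_verify() (a salted, deliberately slow hash) rather than the bare md5() call mentioned in the post; the function names, the $saveHash callback standing in for the site's database code, and the sample credentials are all assumptions.

```php
<?php
// Install script: store the return value of this function, never the plain password.
function hash_admin_password(string $plain): string
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm and adds a random salt.
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Login script: compare the submitted credentials with the stored ones.
function check_admin_login(
    string $submittedUser,
    string $submittedPass,
    string $storedUser,
    string $storedHash,
    callable $saveHash   // hypothetical hook that writes a new hash to the database
): bool {
    // Run both checks every time so a wrong username costs about as much
    // time as a wrong password.
    $passOk = password_verify($submittedPass, $storedHash);
    $userOk = hash_equals($storedUser, $submittedUser);
    if (!($passOk && $userOk)) {
        return false;
    }
    // If a PHP upgrade changed the default algorithm or cost, re-hash now
    // while the plain password is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $saveHash(hash_admin_password($submittedPass));
    }
    return true;
}

// Constructed demonstration values, not taken from the thread.
$storedHash = hash_admin_password('correct horse battery staple');
$newHash    = null;
$saveHash   = function (string $hash) use (&$newHash): void { $newHash = $hash; };

var_dump(check_admin_login('admin', 'correct horse battery staple', 'admin', $storedHash, $saveHash));
var_dump(check_admin_login('admin', 'wrong guess', 'admin', $storedHash, $saveHash));
```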