vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#1  03-03-2006, 04:31 AM
Lea Verou
Join Date: Jul 2005
Location: Greece
Posts: 1,856
Is it secure/safe?

I'm developing a website for a client, it has nothing to do with vBulletin.
There is only one admin account in the system. (Users do not register)
Obviously I needed to make a system for her to log in, and then keep her logged in while she browses the admincp and adds stuff to her website. I read that most PHP applications do this with sessions and cookies, but I did not have any knowledge of either of them, and I didn't like the fact that you can only call setcookie before sending any HTML. Also, sessions seemed too complicated for me to understand, and I have to finish the site by about the 15th of March, so I can't waste any more time.
So, this is what I did:
When she installs the software, she enters her preferred admin username and password. These are stored in the database (btw, should I encrypt the password? If so, why?). There are also 2 other entries in that db table, islogged and adminip. By default they are both set to 0. When she logs in, the script gets the correct username and password from the database, compares them with the submitted ones, and if they match it sets islogged to 1 and adminip to the IP of the computer from which she logged in. In every page in the admincp I include (require() in fact) a small script that checks if islogged is 1 AND adminip matches the computer's IP. If not, it redirects the user to the login page by header(location: blah blah blah); . There is also a logout that sets islogged to 0 and adminip to 0. There is no timeout (but eventually the IP will change if it's not static), and the good thing (compared to cookies) is that it doesn't need a second login if you view the site with a different browser (as it doesn't depend on the browser's cookies).

My question is (and thank you for reading the whole thing!):
Since I haven't heard of this way for logins, there must be a reason for that. Does it pose a security risk? How can it be bypassed?

Thanks a lot in advance!
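An added example (my code, not the poster's) in PHP 7.1+ that models the islogged/adminip check described in the post against an in-memory row, beside a variant that stores a password hash, binds the login to a random per-login cookie token and adds the expiry the post says is missing; the $admin array and its column names are assumptions.

```php
<?php
// Added example, not the poster's code. A single in-memory $admin array stands
// in for the one-row database table; column names (islogged, adminip,
// password_hash, token_hash, expires) are assumed. Needs PHP 7.1+.

// The check the post describes: islogged flag set plus request IP equal to adminip.
function check_admin_as_described(array $admin, string $requestIp): bool {
    return (int) $admin['islogged'] === 1 && $admin['adminip'] === $requestIp;
}
// Nothing in this check is secret: it passes for every request that arrives
// from the stored address, not only from the admin's own browser.

// Hardened variant: hashed stored password, random per-login token kept in a
// cookie and compared in constant time, plus the timeout the original lacks.
function login(array &$admin, string $user, string $pass): ?string {
    if ($user !== $admin['username'] || !password_verify($pass, $admin['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));            // 256-bit secret only the browser holds
    $admin['token_hash'] = hash('sha256', $token); // DB row keeps only its hash
    $admin['expires']    = time() + 3600;          // one-hour timeout
    return $token;                                 // hand to setcookie() before any output
}

function check_admin_hardened(array $admin, ?string $cookieToken): bool {
    if ($cookieToken === null || $admin['token_hash'] === null || time() > $admin['expires']) {
        return false;
    }
    return hash_equals($admin['token_hash'], hash('sha256', $cookieToken));
}

function logout(array &$admin): void {
    $admin['token_hash'] = null;
    $admin['expires']    = 0;
}

// Constructed sample rows; the password is a placeholder for the demo only.
$described = ['islogged' => 1, 'adminip' => '203.0.113.10'];
$hardened  = ['username' => 'admin',
              'password_hash' => password_hash('placeholder-pw', PASSWORD_DEFAULT),
              'token_hash' => null, 'expires' => 0];

var_dump(check_admin_as_described($described, '203.0.113.10')); // same address as stored adminip
$token = login($hardened, 'admin', 'placeholder-pw');
var_dump(check_admin_hardened($hardened, $token));   // matching token, within expiry
var_dump(check_admin_hardened($hardened, 'wrong'));  // token does not match stored hash
logout($hardened);
var_dump(check_admin_hardened($hardened, $token));   // token cleared by logout
```

In a real page the token would be read from $_COOKIE and the row from the database; the admincp include would call check_admin_hardened() and redirect with header() on false, exactly where the post's islogged check sits today.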