5 Replies - 1290 Views - Last Post: 14 February 2012 - 12:12 PM

#1 AVReidy
  • D.I.C Regular
  • Reputation: 65
  • Posts: 431
  • Joined: 17-February 11

My login system works, but is it correct?

Posted 13 February 2012 - 05:39 PM

I recently created my first login system, and I'm wondering how far from mainstream my approach was.

How it works:

A user registers by filling in a simple registration form that sends their username and password to be prepped for insertion into the database. I have the "username" column of my "users" table set as UNIQUE, so if a registrar attempts to create an account with a username that is in use, (I assume) it spits out an error. I have a simple function called create() that essentially attempts to insert the username and password. It is rigged to return false if the insert fails.

This is where I feel like my approach is kind of flaky. It seems efficient, but I feel like it would be more correct to somehow check if the username exists.

Once a user registers, they can log in with their credentials. I have a function (or method? It's in a class...) that takes the username and password as parameters, and attempts to conditionally select everything from a database where the username and password are the same as those given. If the database gives a result, the user_id of the specific user is then turned into a session variable. Here's the code for that part:
	// Looks up the user by the submitted username and password and, on a
	// match, stores their user_id in the session.
	// Both values are interpolated straight into the query string, and the
	// password is compared in clear text against the stored column.
	function create_login_session($username, $password) {
	
		$result = mysql_query("SELECT * FROM users WHERE username = '{$username}' AND password = '{$password}';");
		
		// mysql_query() returns a result resource even when no row matched,
		// so the row count has to be checked before treating this as a login.
		if ($result && mysql_num_rows($result) == 1) { 
			$row = mysql_fetch_array($result);
			$user_id = $row['user_id'];
			
			if (!isset($_SESSION['user'])) {
				$_SESSION['user'] = $user_id;
			}
			return true;
		}
		return false;
	}



Once I have the user_id, I can use it to select other user information.

Let me know what I can do to improve this. I don't have any professional or academic programming experience, so if you happen to know the mainstream way of making a login system, I'd love to hear about its general structure. I didn't bother to do any form of password encryption either, so if you have any suggestions on the security side I'd like to hear them.

Thank you!


Replies To: My login system works, but is it correct?

#2 CTphpnwb
  • D.I.C Lover
  • Reputation: 2911
  • Posts: 10,083
  • Joined: 08-August 08

Re: My login system works, but is it correct?

Posted 13 February 2012 - 06:04 PM

Passwords should be hashed and you should be using prepared statements to protect against SQL injection.
Was This Post Helpful? 1
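What the two points above look like in practice, as an added example rather than the original poster's code or CTphpnwb's: registration that lets the UNIQUE constraint decide whether a username is taken (the "check if the username exists" question from the first post), and a login that binds only the username into a prepared statement and checks the password in PHP with password_verify(). The table layout (users: user_id, username, password_hash), the use of an in-memory SQLite database so the script runs on its own, and the sample users are assumptions; with MySQL only the DSN and credentials change, and a duplicate key there also surfaces as SQLSTATE 23000.

```php
<?php
// Added example (not the original poster's code): registration and login
// with PDO prepared statements and password_hash()/password_verify().
// Assumed schema: users(user_id, username UNIQUE, password_hash).
// An in-memory SQLite database is used so the script runs stand-alone;
// with MySQL only the DSN and credentials change.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        user_id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username      TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

// Registers a user. Returns the new user_id, or null if the name is taken.
// Letting the UNIQUE constraint decide avoids the race a SELECT-then-INSERT
// check has when two registrations for the same name arrive together.
function create(PDO $pdo, string $username, string $password): ?int
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, fresh random salt
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    try {
        $stmt->execute([':u' => $username, ':h' => $hash]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // SQLSTATE 23000: integrity constraint violation
            return null;
        }
        throw $e;
    }
    return (int) $pdo->lastInsertId();
}

// Returns the user_id if the credentials match, otherwise null.
// Only the username goes to the database, as a bound parameter; the
// password is checked in PHP against the stored hash.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    static $dummy = null;   // throwaway hash so unknown usernames cost the same time
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = $row === false ? $dummy : $row['password_hash'];
    if (!password_verify($password, $stored) || $row === false) {
        return null;
    }

    // Upgrade the stored hash transparently if the default cost or algorithm changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE user_id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Demonstration with constructed data.
$pdo = connect();
var_dump(create($pdo, 'alice', 'correct horse battery staple'));   // first registration
var_dump(create($pdo, 'alice', 'another password'));               // same username again
var_dump(authenticate($pdo, 'alice', 'correct horse battery staple'));
var_dump(authenticate($pdo, 'alice', 'wrong'));
// The classic injection payload is now just a username that does not exist.
var_dump(authenticate($pdo, "alice' OR '1'='1", 'anything'));
```

The second create() call comes back null because the INSERT hits the UNIQUE constraint, which is the check the first post was unsure about: the database already enforces it, and it does so atomically, which a separate SELECT cannot. In authenticate() the password never reaches SQL at all, so the `' OR '1'='1` string has nothing to break out of; the dummy-hash branch keeps the response time the same whether or not the username exists, so an attacker cannot enumerate accounts by timing.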

#3 codeprada
  • Changed Man With Different Priorities
  • Reputation: 946
  • Posts: 2,355
  • Joined: 15-February 11

Re: My login system works, but is it correct?

Posted 13 February 2012 - 06:12 PM

I have a few suggestions and questions. Questions first:
  • How do you keep and check if a user is logged in?
  • Are your passwords hashed with a salt?


Suggestions:
  • Use prepared statements offered by PDO and MySQLi. The choice is yours but it allows you to omit the risk of SQL injections.
  • Since you're just setting $_SESSION['user'] I would assume to check if a user is logged in you're only checking to see if a value exists in there. This method only checks if a value exists but not if the value is the correct one.
  • Use keys to determine if a user is logged in. Personally my method is creating a random string and storing it within a cookie on the client and another random string which is stored in the session. These strings are hashed to produce another string which is also stored in the session. To verify if a user is logged in the strings are fetched from both the client (cookie) and server (session), hashed and matched against the final string.

Was This Post Helpful? 1

#4 AVReidy
  • D.I.C Regular
  • Reputation: 65
  • Posts: 431
  • Joined: 17-February 11

Re: My login system works, but is it correct?

Posted 14 February 2012 - 06:44 AM

@codeprada:

You assumed correctly, for the most part, on how I check if the user is logged in. After checking if the session exists, I check the value of it. The value is of course what differentiates users, and it is used to select their data from the database.

I don't know what you mean by "correct one."

As for the other question, I didn't bother with any security other than mysql_real_escape_string() and strip_tags (the web app lets you make an 'agenda' page where you can use some HTML).
Was This Post Helpful? 0

#5 CTphpnwb
  • D.I.C Lover
  • Reputation: 2911
  • Posts: 10,083
  • Joined: 08-August 08

Re: My login system works, but is it correct?

Posted 14 February 2012 - 08:21 AM

If someone were to manage to hijack a session all they would need to do is set the variable since you don't check the value. They wouldn't need to set a "correct" value.

Why not make the user an object? Then you can store their status and preferences in one session variable.
<?php
// A minimal user object that can live in $_SESSION. The class must be
// declared before session_start() so the stored object can be unserialized.
class users {
	private $status;
	private $preferenceA;
	private $preferenceB;
	
	// Set or read one of the declared properties by name. Limiting the name
	// to declared properties stops arbitrary fields being created on the
	// object from user-controlled input.
	public function set_state($state, $value) {
		if (!property_exists($this, $state)) {
			throw new InvalidArgumentException("unknown state: $state");
		}
		$this->$state = $value;
	}
	public function get_state($state) {
		if (!property_exists($this, $state)) {
			throw new InvalidArgumentException("unknown state: $state");
		}
		return $this->$state;
	}
}
session_start();
if(isset($_SESSION['user'])) {
	$obj = $_SESSION['user'];       // object restored from the previous request
} else {
	$obj = new users();
	$obj->set_state("status","testing");
}
echo $obj->get_state("status");
$_SESSION['user'] = $obj;           // serialized into the session at shutdown
?>

Was This Post Helpful? 0
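The two-key scheme codeprada describes in #3, together with the point in #5 that a session whose only content is `$_SESSION['user']` can be "logged in" by anyone who can set that variable, as an added example that is not either poster's own code. One random key goes to the client as a cookie, a second stays in the server-side session, and a hash over both is stored in the session; verification recomputes the hash from the cookie and the session key and compares in constant time. The functions take the session and cookie arrays as parameters so the script runs from the command line; in a web request pass `$_SESSION` and `$_COOKIE`. The cookie name `auth_key` and the user id 42 are assumptions.

```php
<?php
// Added example, not codeprada's or CTphpnwb's own code: a login session
// bound to two random keys, one sent to the client as a cookie and one
// kept in the server-side session, with a hash of both stored in the
// session. The functions take the session and cookie arrays as parameters
// so the script runs stand-alone; in a web request pass $_SESSION and
// $_COOKIE. The cookie name 'auth_key' is an assumption.
declare(strict_types=1);

const AUTH_COOKIE = 'auth_key';

// Call after the credentials have been verified. Fills the session and
// returns the value the caller must send to the client as the AUTH_COOKIE.
function create_login_session(array &$session, int $user_id): string
{
    // New session id on login, so an id fixed or observed before login
    // does not carry over into the authenticated session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $client_key = bin2hex(random_bytes(32));   // 256-bit key for the cookie
    $server_key = bin2hex(random_bytes(32));   // 256-bit key kept server-side

    $session['user']       = $user_id;
    $session['server_key'] = $server_key;
    $session['auth_hash']  = hash('sha256', $client_key . $server_key);
    return $client_key;
}

// Returns the logged-in user_id, or null. A session with only 'user' set
// is rejected: the cookie key has to reproduce the stored hash.
function verify_login(array $session, array $cookies): ?int
{
    if (!isset($session['user'], $session['server_key'], $session['auth_hash'], $cookies[AUTH_COOKIE])) {
        return null;
    }
    $client_key = $cookies[AUTH_COOKIE];
    if (!is_string($client_key) || strlen($client_key) !== 64 || !ctype_xdigit($client_key)) {
        return null;   // malformed cookie, do not even hash it
    }
    $expected = hash('sha256', $client_key . $session['server_key']);
    if (!hash_equals((string) $session['auth_hash'], $expected)) {   // constant-time compare
        return null;
    }
    return (int) $session['user'];
}

// Logout: drop the keys so neither the cookie nor a copy of the old
// session data can be replayed.
function destroy_login_session(array &$session): void
{
    unset($session['user'], $session['server_key'], $session['auth_hash']);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// Demonstration with in-memory stand-ins for $_SESSION and $_COOKIE.
$session = [];
$cookies = [];

$cookies[AUTH_COOKIE] = create_login_session($session, 42);
// In a web request the key would be sent with
// setcookie(AUTH_COOKIE, $key, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);

var_dump(verify_login($session, $cookies));        // genuine request: cookie and session match

$forged = ['user' => 42];                          // only $_SESSION['user'] set, no keys
var_dump(verify_login($forged, $cookies));

var_dump(verify_login($session, []));              // session data without the cookie

$cookies[AUTH_COOKIE] = str_repeat('0', 64);       // well-formed but wrong cookie value
var_dump(verify_login($session, $cookies));

destroy_login_session($session);
var_dump(verify_login($session, $cookies));
```

Only the first verify_login() call returns the user id; the forged session, the missing cookie, the wrong cookie and the destroyed session all return null. Two things carry the security here: the cookie key is 256 bits from random_bytes(), so it cannot be guessed, and hash_equals() keeps the comparison constant-time. The stored auth_hash is derived from two values the server already holds, so it does not add strength beyond the cookie key itself; it just gives a single fixed-length value to compare. The session_regenerate_id() call at login is the standard control against session fixation, and it is worth keeping whether or not the second key is used. None of this helps if the attacker obtains the whole cookie jar, since both the session cookie and auth_key travel together, which is why the cookie is marked HttpOnly and Secure and the site should be served only over TLS.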

#6 codeprada
  • Changed Man With Different Priorities
  • Reputation: 946
  • Posts: 2,355
  • Joined: 15-February 11

Re: My login system works, but is it correct?

Posted 14 February 2012 - 12:12 PM

Have a look at my tutorial and hopefully it will clear up the "what's correct" question. User Authentication Via Two Keys & IP Address
Was This Post Helpful? 0
