dotxxh0998 2013-06-21 06:05

PHP cookie security [closed]

I have this secure page. Just want to ask if there is anything I need to worry about on my cookie login. I don't use MySQL for saving the users' data since only the admins need to access the page. Could you tell me any flaws in my secure login page? How will hackers be able to hack this secure page of mine? And what more do I need to do to make it more secure? Thank you very much.

<?php
$salt = 'a|s534#ihtuQb84z<xIR_ kU;L~?-A?-x|u+Njw##Us(Pi(-hM+YmiQF`Bz[Bl -';
$salt2 = ',/Da|H#s7cWINVi&a4wy9Qc&gVrF*o)u(XoidF?-8w=vkzLRLN4U9 #u88T5818E';

//checks for post details
if (isset($_POST['user'], $_POST['pass'])) {

    //sanitizes the details
    $user = preg_replace('/[^A-Za-z0-9]/', '', $_POST['user']);
    $pass = preg_replace('/[^A-Za-z0-9]/', '', $_POST['pass']);

    //check if user exists
    if (($user === 'admin1' && $pass === 'pass1') ||
        ($user === 'admin2' && $pass === 'pass2') ||
        ($user === 'admin3' && $pass === 'pass3')) {

        //i can make it that the $user will also be hashed just in case i need to
        $cookiemd5 = $user.'-'.sha1(crypt($pass, $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"]));

        if (intval($_POST['rememberme']) === 1) {
            setcookie("temp", $cookiemd5, time()+60*60*24*365, "/", ".domain.com", false, true);
        } else {
            setcookie("temp", $cookiemd5, false, "/", ".domain.com", false, true);
        }

        header("Location: /secure.php"); exit();

    } else {

        header("Location: /secure.php"); exit();

    }

} elseif ($_GET['do'] === 'logout') {

    setcookie("temp", "", time()-2592000, "/", ".domain.com", false, true);

    header("Location: /secure.php"); exit();

} elseif (isset($_COOKIE['temp'])) {

    $details = explode('-', $_COOKIE['temp']);

    if (($details[0] == 'admin1' && $details[1] == sha1(crypt('pass1', $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"]))) ||
        ($details[0] == 'admin2' && $details[1] == sha1(crypt('pass2', $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"]))) ||
        ($details[0] == 'admin3' && $details[1] == sha1(crypt('pass3', $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"])))) {
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++ EVERYTHING STARTS HERE AFTER LOGIN ++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
?>




<?php
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++ EVERYTHING ENDS HERE AFTER LOGIN ++++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    } else {
        // cookie did not verify: clear it and redirect (exit added so nothing below runs)
        setcookie("temp", "", time()-2592000, "/", ".domain.com", false, true);
        header("Location: /secure.php"); exit();
    }

} else {
    echo '<form name="login" method="post" action="secure.php">
        Username: <input type="text" name="user"><br>
        Password: <input type="password" name="pass"><br>
        Remember Me: <input type="checkbox" name="rememberme" value="1"><br>
        <input type="submit" name="submit" value="Login!"></form>';
}
?>

EDIT: what about this simple PHP session login? Is this much more secure than the cookie?

<?php
session_start();

if ($_SESSION['logged_in'] == true) {
//++++++++++++++++ secure data start +++++++++++++++++++



//++++++++++++++++ secure data end +++++++++++++++++++
} elseif ($_POST['user'] == 'admin' && $_POST['pass'] == 'H@rDP@s$w0rD98741') {

    $_SESSION['logged_in'] = true;


} else {

    session_destroy();

}


?>
3 answers

  • dongmacheng3222 2013-06-21 06:24

    Secure is in the eye of the beholder. All of the hashes sound great, but really it looks like you're taking one username and one password from the user. You're requiring that they always use the same browser (or device) and that they never upgrade their system (insecure for them).

    "Secure" in my mind is SSL/TLS. That would prevent (or make it really hard for) someone to capture the username and password from the network when the user was connecting, using an app like Wireshark. Since it's for admins only, it's best to whitelist their IP addresses and authenticate against that with your preshared info.

    Rather than allowing them access from anywhere, make them use VPN into the corporate network where they can access this if it's on the web.

    I don't see anything here in regard to tracking failed login attempts or anything of that nature. So basically someone could run a brute-force (or, if they knew your password habits, a dictionary) attack on the box to try and get in. So you're hopefully running something like iptables to prevent this sort of thing.

    Also, you're not checking the referrer, so someone could keep hitting the handler page automatically, bypassing the login page, if they wanted to try and get in.

    You also need to document the process you're using to create the hash somewhere else (not in the code) then make sure that you're not storing any of the vars in the code in clear text. That way if someone gets ahold of this file they don't get all of the logins at once.

    From a better security standpoint, you can make the cookie expire within a certain amount of time after inactivity. This would force the user to log in again rather than giving them a cookie for a year, or, as @deceze suggested, use sessions (provided the timeouts are reasonable).

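The following is an added example, not code from the poster or the answerer: it reworks the poster's second (session-based) snippet along the points raised in the answer above, namely no clear-text credentials in the script, failed-attempt throttling, an inactivity timeout, and a session cookie that is TLS-only and HttpOnly. It assumes PHP 7.3 or later and a hypothetical file /etc/myapp/admins.php outside the web root that returns an array of username to password_hash() output.

```php
<?php
// Added example (not the poster's or answerer's code): the poster's second
// snippet reworked along the answer's points. Assumed: /etc/myapp/admins.php,
// outside the web root, returns ['admin1' => password_hash(...), ...].
const ADMIN_HASH_FILE = '/etc/myapp/admins.php';
const IDLE_TIMEOUT    = 900;  // seconds idle before a fresh login is required
const MAX_FAILURES    = 5;    // failed attempts before a cool-down
const LOCKOUT_SECONDS = 300;
// TLS-only, JavaScript-inaccessible cookie, not sent on cross-site requests
session_set_cookie_params(['path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Strict']);
session_start();

function logout(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}

function loggedIn(): bool {
    if (empty($_SESSION['user'])) return false;
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_TIMEOUT) {
        logout();                      // idle too long: force a fresh login
        return false;
    }
    $_SESSION['last_seen'] = time();   // sliding inactivity window
    return true;
}

function attemptLogin(string $user, string $pass): bool {
    $failures = $_SESSION['failures'] ?? 0;  // per-session; pair with per-IP blocking
    if ($failures >= MAX_FAILURES
        && time() - ($_SESSION['last_failure'] ?? 0) < LOCKOUT_SECONDS) {
        return false;                  // cooling down: do not even verify
    }
    $admins = require ADMIN_HASH_FILE; // hashes only, never clear-text passwords
    if (isset($admins[$user]) && password_verify($pass, $admins[$user])) {
        session_regenerate_id(true);   // new session id on privilege change
        $_SESSION = ['user' => $user, 'last_seen' => time()];
        return true;
    }
    $_SESSION['failures']     = $failures + 1;
    $_SESSION['last_failure'] = time();
    return false;
}

if (($_GET['do'] ?? '') === 'logout') { logout(); header('Location: /secure.php'); exit; }
if (isset($_POST['user'], $_POST['pass'])) {
    attemptLogin($_POST['user'], $_POST['pass']); header('Location: /secure.php'); exit;
}
if (loggedIn()) { /* admin content starts here */ } else { /* print the login form */ }
```

The per-session failure counter only slows an attacker who keeps the same session cookie; the answer's suggestion of iptables or an IP whitelist is the layer that actually bounds guessing from the network.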