PHP Cookie Security [closed]

I have this secure page. I just want to ask if there is anything that I need to worry about with my cookie login. I don't use MySQL for saving the users' data since only the admins need to access the page. Could you tell me any flaws in my secure login page? How would hackers be able to hack this secure page of mine? And what more do I need to do to make it more secure? Thank you very much.

<?php
$salt = 'a|s534#ihtuQb84z<xIR_ kU;L~?-A?-x|u+Njw##Us(Pi(-hM+YmiQF`Bz[Bl -';
$salt2 = ',/Da|H#s7cWINVi&a4wy9Qc&gVrF*o)u(XoidF?-8w=vkzLRLN4U9 #u88T5818E';

//checks for post details
if (isset($_POST['user'], $_POST['pass'])) {

//sanitizes the details
$user = preg_replace('/[^A-Za-z0-9]/','', $_POST['user']);
$pass = preg_replace('/[^A-Za-z0-9]/','', $_POST['pass']);

//check if user exists
    if (($user === 'admin1' && $pass === 'pass1') ||
        ($user === 'admin2' && $pass === 'pass2') ||
        ($user === 'admin3' && $pass === 'pass3')) {


        //i can make it that the $user will also be hashed just in case i need to
        $cookiemd5 = $user.'-'.sha1(crypt($pass, $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"]));


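            // isset() avoids an undefined-index warning when the box is unchecked
            if (isset($_POST['rememberme']) && intval($_POST['rememberme']) === 1) {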
                setcookie("temp", $cookiemd5, time()+60*60*24*365, "/", ".domain.com", false, true);
            } else {
                setcookie("temp", $cookiemd5, false, "/", ".domain.com", false, true);
            }

        header("Location: /secure.php"); exit();

    } else {

        header("Location: /secure.php"); exit();

    }

}  elseif (isset($_GET['do']) && $_GET['do'] === 'logout') {

        setcookie("temp", "", time()-2592000, "/", ".domain.com", false, true);

        header("Location: /secure.php"); exit();

} elseif (isset($_COOKIE['temp'])) {

    $details = explode('-', $_COOKIE['temp']);


    if (($details[0] == 'admin1' && $details[1] == sha1(crypt('pass1', $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"]))) ||
        ($details[0] == 'admin2' && $details[1] == sha1(crypt('pass2', $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"]))) ||
        ($details[0] == 'admin3' && $details[1] == sha1(crypt('pass3', $salt).md5($_SERVER["REMOTE_ADDR"].$salt2.$_SERVER["HTTP_USER_AGENT"])))) { 
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++       
//+++++++++++++++++++++ EVERYTHING STARTS HERE AFTER LOGIN ++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
?>




<?php 
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++       
//+++++++++++++++++++++ EVERYTHING ENDSSS HERE AFTER LOGIN ++++++++++++++++++++++++++++++++++++++
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
} else { setcookie("temp", "", time()-2592000, "/", ".domain.com", false, true); header("Location: /secure.php"); }
} else {  echo'<form name="login" method="post" action="secure.php"> Username: <input type="text" name="user"><br> Password: <input type="password" name="pass"><br>  Remember Me: <input type="checkbox" name="rememberme" value="1"><br> <input type="submit" name="submit" value="Login!"></form>'; } ?>

EDIT: What about this simple PHP session login? Is this much more secure than the cookie?

<?php
session_start();

if (!empty($_SESSION['logged_in'])) {
//++++++++++++++++ secure data start +++++++++++++++++++



//++++++++++++++++ secure data end +++++++++++++++++++
} elseif (isset($_POST['user'], $_POST['pass']) && $_POST['user'] == 'admin' && $_POST['pass'] == 'H@rDP@s$w0rD98741') {

    $_SESSION['logged_in'] = true;


} else {

    session_destroy();

}


?>

Secure is in the eye of the beholder. All of the hashes sound great, but really it looks like you're taking one username and one password from the user. You're requiring that they always use the same browser (or device) and that they never upgrade their system (insecure for them).

"Secure" in my mind is SSL/TLS. That would prevent (or make it really hard) for someone to capture the username and password from the network when the user was connecting using an app like Wireshark. Since it's for Admins only, it's best to whitelist their IP addresses and authenticate against that with your preshared info.

Rather than allowing them access from anywhere, make them use VPN into the corporate network where they can access this if it's on the web.

I don't see anything here in regard to tracking failed login attempts or anything of that nature. So basically someone could run a brute force (or, if they knew your password habits, a dictionary) attack on the box to try and get in. So you're hopefully running something like iptables to prevent this sort of thing.

Also, you're not checking the referrer, so someone could keep hitting the handler page automatically, bypassing the login page, if they wanted to try and get in.

You also need to document the process you're using to create the hash somewhere else (not in the code) then make sure that you're not storing any of the vars in the code in clear text. That way if someone gets ahold of this file they don't get all of the logins at once.

From a better security standpoint you can make the cookie expire within a certain amount of time after inactivity. This would force the user to log in again rather than giving them a cookie for a year, or as @deceze suggested use sessions (provided the timeouts are reasonable).

What is the point in adding salt and creating a digest for this cookie? Generating a random string would do better, right? BTW, if you are sending the password in plain text on the wire, then the question of security is a blunder!

If you are using the cookie string to decrypt and find some info from it, then it's good logic to encrypt the cookie, and not to hash it. I personally prefer just a random string in this case.

The way I see you receiving the password in your script is as a plain request parameter. This breaks the first ring of security in this script; I can simply sniff your password from the line. Making a cookie secure does not solve all access security concerns.

Please do correct me, if I am wrong :)

Thanks
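The "just a random string" cookie suggested in the answer above, as an added example that is not part of the original thread. The `$store` array stands in for a database table or file, and the function names are hypothetical.

```php
<?php
// Added example: an opaque random token with a server-side record, in place
// of a digest derived from the password, IP address and user agent.
// $store stands in for a database table; all function names are hypothetical.

function issue_token(array &$store, string $user, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    // Store only a hash, so a leaked store does not yield usable cookies.
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => $now + $ttl];
    return $token;                        // this value is what goes in the cookie
}

function check_token(array &$store, string $cookie, int $now): ?string
{
    $key = hash('sha256', $cookie);
    if (!isset($store[$key])) {
        return null;                      // unknown or revoked token
    }
    if ($store[$key]['expires'] < $now) {
        unset($store[$key]);              // expired: drop the record
        return null;
    }
    return $store[$key]['user'];
}

function revoke_token(array &$store, string $cookie): void
{
    unset($store[hash('sha256', $cookie)]);   // logout, or admin-forced revocation
}

// Constructed demonstration, runnable from the command line.
$store = [];
$now   = 1700000000;                              // constructed timestamp
$a = issue_token($store, 'admin1', 3600, $now);
$b = issue_token($store, 'admin1', 3600, $now);
var_dump($a !== $b);                              // two logins never share a cookie value
var_dump(check_token($store, $a, $now + 10));     // lookup inside the lifetime
var_dump(check_token($store, $a, $now + 7200));   // lookup after expiry
revoke_token($store, $b);
var_dump(check_token($store, $b, $now + 10));     // lookup after server-side revocation

// In a page the token would be sent with, for example:
// setcookie('temp', $a, ['expires' => $now + 3600, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
```

The cookie carries no username and nothing derived from the password, and the server can invalidate any single login by deleting its record.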

The main problems I see are:

  1. the cookie divulges information, namely the user id; any information leakage is a hook for a possible attacker
  2. the cookie is essentially static; unless the admin's IP address changes, the cookie will always be the same
  3. the server has no control over the login status of users
  4. the code is complex (and frankly pretty bad) and therefore error prone

Particularly the second point and third point together break it IMO. If an attacker manages to capture or find a cookie once, it'll be valid forever. An attacker can simply try all possible valid cookies, since the cookies are essentially static. Once he has found the secret handshake, it's valid forever and you have no idea it's happening.

You should be using battle-tested login methods instead of coming up with your own. And the simplest is a standard run-of-the-mill session. The cookie will contain a time-limited meaningless blob, and the server knows about all running sessions and can revoke them if needed. Let this all run over HTTPS and you're about as secure as you'll ever be.
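A session-based login along the lines this answer recommends, with the inactivity timeout raised in an earlier answer, as an added example that is not code from the thread. It assumes PHP 7.3+ served over HTTPS; the account, passphrase and `IDLE_LIMIT` value are constructed for illustration.

```php
<?php
// Added example. Assumes PHP 7.3+ and that the site is served over HTTPS.
const IDLE_LIMIT = 900;   // assumed value: 15 minutes of inactivity ends the login

// Constructed demo account. In real use keep only the password_hash() output,
// generated offline, in a file outside the web root.
$admins = ['admin1' => password_hash('constructed-demo-passphrase', PASSWORD_DEFAULT)];

session_set_cookie_params([
    'lifetime' => 0,          // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,       // never sent over plain HTTP
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

$now = time();
// Idle timeout enforced on the server: the cookie alone never proves validity.
if (isset($_SESSION['user'], $_SESSION['last_seen'])
    && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];
    session_destroy();
    session_start();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])
    && is_string($_POST['user']) && is_string($_POST['pass'])) {
    $hash = $admins[$_POST['user']] ?? null;
    // password_verify() checks the input against the stored salted hash.
    if ($hash !== null && password_verify($_POST['pass'], $hash)) {
        session_regenerate_id(true);   // fresh session ID at login (anti-fixation)
        $_SESSION['user'] = $_POST['user'];
    }
}

if (isset($_SESSION['user'])) {
    $_SESSION['last_seen'] = $now;     // activity resets the idle clock
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post">Username: <input type="text" name="user"><br>'
       . 'Password: <input type="password" name="pass"><br>'
       . '<input type="submit" value="Login"></form>';
}
```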