3

I am busy with a protected page with login and I want to know if more protection is needed. It is a very simple system without a database etc...

authentication.php

<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $account = array(
        'sebas' => '$2y$10$96Yi1ezzoS6xZYjPhbvYTeCha.YypKF.7MSYwfruXtKaFyeGRLeMK',
        'bert'  => '$3g$10$96Yi1ezzoS6xZYjPhbvYTeCha.YypKF.7MSYwfruXtKaFyeGRLeMK',
    );
    // both fields must be present before they are used
    if (isset($_POST['user'], $_POST['password']) && array_key_exists($_POST['user'], $account)) {
        if (password_verify($_POST['password'], $account[$_POST['user']])) {
            session_regenerate_id();
            $_SESSION['username'] = $_POST['user'];
            $_SESSION['loggedin'] = true;
            header("location: protected_page.php");
            exit;   // stop executing after the redirect header
        } else {
            echo 'Something wrong';
        }
    } else {
        echo 'Something wrong';
    }
}
?>

protected.php

<?php
session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
    echo 'welcome';
} else {
    header("location: login.php");
    exit;
}
?>

Please let me know and give me any feedback for a more secure system without a database.

asked May 11, 2020 at 15:17

1 Answer

3

One major concern is that you define the array of account names and their associated hashed passwords in the file that, presumably, is publicly accessible through a web server.

You might be tempted to think this is not a concern, because users will not be able to see the source code, right? Generally speaking, that's correct. However, if the web server somehow becomes misconfigured at some point, where .php files are not executed by the PHP engine but instead are served as plain text, you have a big security issue: any visitor will now be able to view the account info.

To deal with this, you should keep this sensitive information outside of the server's public directory.

So, let's imagine this is your web server's directory structure:

- etc/
- private/             <-- A hidden private directory, outside of the public directory
- public/              <-- The public root directory from which your .php pages are served
    - img/
    - js/
    - authentication.php
    - protected.php

...then you should, for instance, put your account info in private:

- etc/
- private/
    - accounts.php
- public/
    - img/
    - js/
    - authentication.php
    - protected.php

accounts.php would then look like this:

<?php
return array(
    'sebas' => '$2y$10$96Yi1ezzoS6xZYjPhbvYTeCha.YypKF.7MSYwfruXtKaFyeGRLeMK',
    'bert'  => '$3g$10$96Yi1ezzoS6xZYjPhbvYTeCha.YypKF.7MSYwfruXtKaFyeGRLeMK',
);

authentication.php would then do something like this:

<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // I personally prefer to name this variable as plural.
    // __DIR__ resolves the path relative to this file, not to the
    // web server's working directory.
    $accounts = include __DIR__ . '/../private/accounts.php';
    // if include has failed, it will return false
    if (is_array($accounts)) {
        // continue your authentication procedure
        // ... etc.
    }
}
answered May 11, 2020 at 16:18
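As an added example (not the asker's code and not the answerer's), the following puts the question's login flow and the answer's advice together in one runnable file: the account map is loaded from outside the public directory via `__DIR__`, the request handling exits after the redirect, and an unknown username is verified against a throw-away hash so that a missing user costs the same time as a wrong password. The directory layout, the function names `load_accounts`, `authenticate` and `is_logged_in`, and the demo password are assumptions for this example.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumed layout
// (constructed for this example, mirroring the answer's suggestion):
//   private/accounts.php        <- returns array(username => bcrypt hash)
//   public/authentication.php   <- this file
//   public/protected.php
declare(strict_types=1);

// private/accounts.php contains nothing but:
//   <?php
//   return array(
//       'sebas' => '$2y$10$...',   // value produced by password_hash('...', PASSWORD_DEFAULT)
//   );

// Load the account map from outside the web root. __DIR__ is the directory of
// this file, so the include does not depend on the server's working directory.
function load_accounts(): array
{
    $accounts = include __DIR__ . '/../private/accounts.php';
    // include returns false when the file is missing; fail closed instead of
    // continuing with an empty account map.
    if (!is_array($accounts)) {
        throw new RuntimeException('accounts file missing or invalid');
    }
    return $accounts;
}

// Verify a username/password pair. For an unknown username we still run
// password_verify against a throw-away hash, so a missing user costs the same
// time as a wrong password and response time does not reveal which usernames
// exist. The throw-away hash uses PASSWORD_DEFAULT (bcrypt, cost 10), which
// matches the $2y$10$ hashes shown in the question.
function authenticate(array $accounts, string $user, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $known = array_key_exists($user, $accounts);
    $hash  = $known ? $accounts[$user] : $dummy;
    $ok    = password_verify($password, $hash);
    return $known && $ok;
}

// Helper for protected.php: one place that decides what "logged in" means.
function is_logged_in(): bool
{
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with a constructed in-memory account map; no
    // accounts file or web server is needed to run this branch.
    $demo = array('sebas' => password_hash('correct horse', PASSWORD_DEFAULT));
    var_dump(authenticate($demo, 'sebas', 'correct horse'));
    var_dump(authenticate($demo, 'sebas', 'wrong password'));
    var_dump(authenticate($demo, 'nobody', 'correct horse'));
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    // Reject non-string input (e.g. user[]=x) instead of casting it.
    $user     = $_POST['user'] ?? '';
    $password = $_POST['password'] ?? '';

    if (is_string($user) && is_string($password)
        && authenticate(load_accounts(), $user, $password)) {
        session_regenerate_id(true);   // fresh session id after login
        $_SESSION['username'] = $user;
        $_SESSION['loggedin'] = true;
        header('Location: protected.php');
        exit;                          // never keep executing after a redirect
    }
    // One generic message for both unknown user and wrong password.
    echo 'Something wrong';
}
```

Running `php authentication.php` from a shell takes the CLI branch and exercises the three cases (correct password, wrong password, unknown user) against the constructed map; under a web server that branch is skipped and the POST handling runs instead. `protected.php` would then `session_start()` and call `is_logged_in()` before rendering anything.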
