RonnieT

Reputation: 2203

sha256 with PHP session

New to security and wondering how secure this type of login is? I am not protecting any bank/financial data by any means but trying to secure somewhat sensitive data that shouldn't be exposed to the general public. I only require a password - no official logins are done.

This is in a file called access.php which houses a password input field.

<?php
session_start();
// Default to logged out on the first request of a new session.
if (!isset($_SESSION['loggedIn'])) {
    $_SESSION['loggedIn'] = false;
}

// sha256() of the password: the raw hex digest, no salt, no work factor
$password = '13d249f2cb4127b40cfa757866850278793f814ded3c587fe5889e889a7a9f6c';

if (isset($_POST['password'])) {
    // Loose (==) comparison of the submitted digest against the stored one
    if (hash('sha256', $_POST['password']) == $password) {
        $_SESSION['loggedIn'] = true;
    } else {
        die('That is the incorrect password - Please leave now');
    }
}

// Alternative-syntax if: the HTML password form follows and is closed by an endif
if (!$_SESSION['loggedIn']):
?>

Then my index.php requires access.php at page load. Should access live outside the public directory? Am I missing anything else I should be considering?

Upvotes: 1

Views: 1985

Answers (1)

Scott Arciszewski

Reputation: 34093

New to security and wondering how secure this type of login is?

  1. SHA-256: You're using the entirely wrong tool for the job. Use password_hash() and password_verify():
  2. Additionally, SHA-256 is vulnerable to length-extension attacks.
  3. Using == to compare hashes has two vulnerabilities:

So, to answer your question: Not very. The problem your code is trying to solve is well-known among security experts, and they've gone out of their way to make it simple for others to solve it. That's why password_hash() and password_verify() exist. Use them.

That said, welcome to software security. If you need some additional resources to aid your self-education, check out this application security reading list on Github.

Upvotes: 4
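The same single-password gate as in the question, rewritten around password_hash() and password_verify() as the answer recommends. This is an added example, not the asker's or the answerer's code; ACCESS_HASH is a placeholder you replace with the output of the command in the comment, and check_access() is a helper name chosen here.

```php
<?php
session_start();

// Generate the stored value once, offline, and paste the output here:
//   php -r 'echo password_hash("your-passphrase", PASSWORD_DEFAULT), PHP_EOL;'
// Placeholder (constructed): password_verify() returns false for it until replaced.
const ACCESS_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Helper (name chosen for this example): verifies a candidate against the
// stored bcrypt string. password_verify() reads algorithm, cost and salt from
// the hash itself and compares in constant time, so no == or === on digests.
function check_access(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

if (!isset($_SESSION['loggedIn'])) {
    $_SESSION['loggedIn'] = false;
}

if (isset($_POST['password']) && is_string($_POST['password'])) {
    if (check_access($_POST['password'], ACCESS_HASH)) {
        // New session id on privilege change, so a pre-login id is not reused.
        session_regenerate_id(true);
        $_SESSION['loggedIn'] = true;
        // If PHP's default algorithm or cost has moved on, the stored hash
        // should be regenerated with the command above (log it for the admin).
        if (password_needs_rehash(ACCESS_HASH, PASSWORD_DEFAULT)) {
            error_log('access.php: ACCESS_HASH should be regenerated');
        }
    } else {
        http_response_code(403);
        exit('Incorrect password.');
    }
}

if (!$_SESSION['loggedIn']):
?>
<form method="post" action="">
    <input type="password" name="password" autocomplete="current-password">
    <button type="submit">Enter</button>
</form>
<?php
    exit; // stop here so the protected page below is never rendered
endif;
```

If you ever do need to compare two hash strings directly (not the case with password_verify()), use hash_equals() rather than == so the comparison is strict and does not short-circuit on the first differing byte.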
