Reputation: 21
Hi, I want to ask about the security of the "script action" in this example:

    <form method="post" action="chek_user.php" enctype="multipart/form-data">

And the action is:
    <?php
    // Read the submitted credentials; the password is hashed before the check
    $username = htmlentities($_POST['username']);
    $mdp = htmlentities(md5($_POST['pass']));

    if ($user->check_login($username, $mdp) == 0) {
        // Login succeeded: record client details in the session
        $_SESSION["IP"] = $_SERVER["REMOTE_ADDR"];
        $_SESSION["USER_AGENT"] = $_SERVER['HTTP_USER_AGENT'];
        $_SESSION["timestamp"] = time();

        // "Remember me" checkbox: keep a cookie for 24 hours
        if (isset($_POST['remembre'])) {
            $expire = time() + 24 * 3600;
            setcookie('user', $_SESSION['user'], $expire);
        }

        header('location:indes.php');
    } else if ($user->check_login($username, $mdp) == -2) {
        echo 'no';
    }
Upvotes: 2
Views: 138
Reputation: 67019
NEVER use setcookie() to set up a session state. You should have a session_start() in your header file.

NEVER use md5(); it's extremely broken. sha1() is on the NIST list of approved message digest functions (but it's kind of broken); however, the sha2 family is better. sha256() is a great choice, but you'll need to find the source code online for it because PHP doesn't have a secure hash function. You also need a salt; try searching SO for one of the 10,000+ posts relating to password storage.

ALWAYS die() after you do a header("location: ..."). This function only modifies the HTTP response header; the script still executes.

The entire session must be over HTTPS. Currently you are probably violating OWASP A9. And yes, StackOverflow violates OWASP, and they don't care.
Upvotes: 4
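A hardened rewrite of the handler from the question, added here as an example (it is not code from the question or the answer). It assumes a hypothetical User class whose find_hash($username) returns the stored password_hash() string or null, and a landing page assumed to be called index.php.

```php
<?php
// Added example, not code from the question or the answer. Assumes a
// hypothetical User class whose find_hash($username) returns the stored
// password_hash() string or null, and a landing page called index.php.
declare(strict_types=1);

// One place sets the session cookie policy; session_start() replaces the
// hand-rolled setcookie() from the question (PHP >= 7.3 for the array form).
session_set_cookie_params([
    'secure'   => true,   // cookie only travels over HTTPS
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

function attempt_login(User $user, string $username, string $password): bool
{
    $hash = $user->find_hash($username);
    if ($hash === null) {
        return false;
    }
    // password_verify() checks against a salted hash produced by
    // password_hash(); no md5()/sha1() and no separate salt column needed.
    if (!password_verify($password, $hash)) {
        return false;
    }
    // A fresh session id after authentication blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;  // stored raw; escape at output time
    $_SESSION['timestamp'] = time();
    return true;
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['pass'] ?? '');

if (attempt_login($user, $username, $password)) {
    header('Location: index.php');
    exit; // header() only adds a response header; nothing below should run
}

http_response_code(401);
echo 'Login failed';
```

The stored hash must have been created at registration time with password_hash($password, PASSWORD_DEFAULT), which embeds its own random salt.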