Reputation: 3287
I'm looking at doing a very basic authentication script as follows:
```php
<?php
// admin.php
session_start();
// isset() avoids an "undefined index" notice when ?login= is not in the URL
if (isset($_GET['login']) && $_GET['login'] == 'adminLoginWord')
{
    $_SESSION['auth'] = true;
}
// empty() also covers the case where the session has no 'auth' entry yet
if (!empty($_SESSION['auth']))
{
    // code to show Admin control panel
}
else
{
    echo 'Please login.';
}
```
Therefore, to login, someone would need to know to navigate to the URL
admin.php?login=adminLoginWord
Is this a safe way of authentication?
Upvotes: 1
Views: 289
Reputation: 3287
In this case in particular, I was just being thick, and making it more complicated than it needs to be.
A .htaccess file was more than sufficient for this... whoops!
Upvotes: 1
Reputation: 557
I understand you want to do easy basic authentication, and everyone here has had valid security suggestions. If you really don't mind security but want it more secure than having credentials passed in the URL, you could try something like this (of course you could add a lot more HTML in the form/page area):
```php
<?php
/* admin.php */
session_start(); // required before $_SESSION can be read or written

$username = "adminLoginWord";
$password = "adminLoginWordPassword";
$msg = "";

// Only check the credentials when the form was actually submitted,
// otherwise the very first visit would already show the error message.
if (isset($_POST['mySiteUsername'], $_POST['mySitePassword'])) {
    if ($_POST['mySiteUsername'] === $username && $_POST['mySitePassword'] === $password) {
        $_SESSION['auth'] = true;
    } else {
        $msg = "Invalid Username/Password Combination";
    }
}

if (empty($_SESSION['auth'])) {
    $html = "<html>
<body>
<div class='error'>$msg</div>
<form action='admin.php' method='POST'>
<label for='mySiteUsername'>Username:</label>
<input type='text' id='mySiteUsername' name='mySiteUsername' />
<label for='mySitePassword'>Password:</label>
<input type='password' id='mySitePassword' name='mySitePassword' />
<input type='submit' value='Login' />
</form>
</body>
</html>";
    echo $html; // send the login form to the browser
} else {
    // Authorized
}
?>
```
Upvotes: 0
Reputation: 4538
You have to be aware that, if you use this system, your password will be stored in the history of any browser that saves it. One can even add it as a bookmark...
Upvotes: 0
Reputation: 1385
No, it's not safe. You can hash your special login with sha1 and test if that sha1 is equal to the sha1 of 'adminLoginWord'.
Furthermore, in your case, you should use a POST.
Upvotes: 0
Reputation: 3346
It's not safe at all: you would leave the "password" in the computer's history, and it would be very vulnerable to anyone sniffing, etc.
That said, safe always depends on the application, but if you want a safer approach, use a POST variable and compare it like so:
```php
// isset() avoids an "undefined index" notice when the form was not submitted
if (isset($_POST['pass']) && $_POST['pass'] == 'password123') {
    echo 'Login OK';
}
```
(Which still isn't the best approach, but it's better than a GET variable.)
Upvotes: 3
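The answers above all push in the same direction: take the credential from a POST body rather than the query string, and compare against a hash rather than the plaintext word. The following admin.php is an added example that combines those suggestions; it is not code from the question or from any of the answerers. It goes beyond the sha1 suggestion by using password_hash()/password_verify() (a salted, deliberately slow hash, which is what PHP provides for passwords) and hash_equals() for the comparisons, and it adds the session handling the form-based answer leaves out. The username ADMIN_USER, the hash file path ADMIN_HASH_FILE, the attempt limit MAX_ATTEMPTS and the form field names are assumptions chosen for the example; PHP 7.3 or later is assumed for the array form of session_set_cookie_params().

```php
<?php
// admin.php: added example, not code from the question or any of the answers.
// Assumptions (not on the page): one admin account whose bcrypt hash is kept in
// ADMIN_HASH_FILE outside the web root, and PHP >= 7.3 for the cookie options.
// Create the hash file once, from the shell, e.g.:
//   php -r 'echo password_hash("a long passphrase", PASSWORD_DEFAULT), PHP_EOL;' > /etc/myapp/admin.hash
declare(strict_types=1);

const ADMIN_USER      = 'admin';                  // assumed username
const ADMIN_HASH_FILE = '/etc/myapp/admin.hash';  // assumed path, not under DocumentRoot
const MAX_ATTEMPTS    = 5;                        // failed logins tolerated per session

// Cookie flags: not readable by JavaScript, only sent over HTTPS, not sent cross-site.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

function load_admin_hash(): string
{
    $hash = @file_get_contents(ADMIN_HASH_FILE);
    return $hash === false ? '' : trim($hash);
}

function credentials_valid(string $user, string $pass): bool
{
    // Run password_verify() even when the username is wrong, so the response
    // time does not reveal whether the username exists.
    $pass_ok = password_verify($pass, load_admin_hash());
    $user_ok = hash_equals(ADMIN_USER, $user);   // constant-time comparison
    return $user_ok && $pass_ok;
}

function is_authenticated(): bool
{
    return isset($_SESSION['auth']) && $_SESSION['auth'] === true;
}

$msg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $attempts = $_SESSION['attempts'] ?? 0;
    $token    = $_SESSION['csrf'] ?? '';
    if ($token === '' || !hash_equals($token, (string) ($_POST['csrf'] ?? ''))) {
        $msg = 'Invalid form submission.';
    } elseif ($attempts >= MAX_ATTEMPTS) {
        $msg = 'Too many failed attempts; start a new session.';
    } elseif (credentials_valid((string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''))) {
        session_regenerate_id(true);   // fresh session id on privilege change (session fixation)
        $_SESSION['auth'] = true;
        unset($_SESSION['attempts']);
        header('Location: admin.php', true, 303);   // redirect so a reload does not resubmit
        exit;
    } else {
        $_SESSION['attempts'] = $attempts + 1;
        $msg = 'Invalid username or password.';   // one message for both failure causes
    }
}

if (is_authenticated()) {
    echo 'Admin control panel';   // the real panel code goes here
    exit;
}

// One CSRF token per session; it is embedded in the form and checked above.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
?>
<!DOCTYPE html>
<html><body>
<div class="error"><?= htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') ?></div>
<form action="admin.php" method="post">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
  <label for="user">Username:</label>
  <input type="text" id="user" name="user" autocomplete="username">
  <label for="pass">Password:</label>
  <input type="password" id="pass" name="pass" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>
</body></html>
```

The credential never appears in a URL, so it lands in neither browser history nor bookmarks, which addresses the objection raised above; the hash file keeps the passphrase itself out of the script, and the per-session attempt counter is a minimal brake on guessing (a real deployment would rate-limit by client or account on the server side, since an attacker can simply discard the session cookie).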