
Thread: Sessions / Password Protection

  1. #1
    Join Date
    Mar 2007
    Location
    Currently: New York/Philadelphia
    Posts
    2,735
    Thanks
    3
    Thanked 519 Times in 507 Posts

    Sessions / Password Protection

    Hey guys...

    I've just added password protection to the CMS that I've been working on forever. It works perfectly locally, but when I upload it to the server, it doesn't!

    I'm not quite sure what's happening. Whenever I type any username or password combo (whether it's valid or not), it redirects to web root.

    Again, this all works locally. I'm running PHP 5.2.4 locally and the server is running 5.2.1.



    PHP Code:
    <?php

    session_start();

    // Open Database
    include_once('php/config.php');
    mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($dbname);

    // The posted code read $HTTP_POST_VARS / $HTTP_SESSION_VARS / $HTTP_SERVER_VARS.
    // Those long arrays only exist when register_long_arrays is On, so this
    // reconstruction uses the $_POST / $_SESSION / $_SERVER superglobals instead.
    $admin_user_name = isset($_POST['u_name']) ? $_POST['u_name'] : '';

    // Escaping added here: the posted query interpolated the raw POST value.
    $query  = "SELECT * FROM ulist WHERE uname='" . mysql_real_escape_string($admin_user_name) . "'";
    $result = mysql_query($query);
    $admin_password = null;
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $admin_password = $row['pword'];   // stored as md5() of the password
    }

    // you can change the username and password by changing the above two strings

    if (!isset($_SESSION['user'])) {

        if (isset($_POST['u_name']))
            $u_name = $_POST['u_name'];

        if (isset($_POST['u_password']))
            $u_password = md5($_POST['u_password']);

        if (!isset($u_name)) {
    ?>

            <!-- FORM -->

    <?php
            exit;
        }
        else {

            // Clears the login state and stops the script. The posted code used
            // session_unregister(), which is deprecated; unset() on $_SESSION is
            // the equivalent.
            function login_error($host, $php_self) {
                // ERROR MESSAGE
                unset($_SESSION['adb_password']);
                unset($_SESSION['user']);
                exit;
            }

            $user_checked_passed = false;

            if (isset($_SESSION['adb_password'])) {
                $adb_session_password = $_SESSION['adb_password'];
                if ($admin_password != $adb_session_password)
                    login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);
                else {
                    $user_checked_passed = true;
                }
            }

            if ($user_checked_passed == false) {

                if (strlen($u_name) < 2)
                    login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);

                if ($admin_user_name != $u_name) // if username not correct
                    login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);

                if (isset($admin_password)) {
                    if (isset($u_password) && $admin_password == $u_password) {
                        // The posted code called session_register() and then assigned
                        // plain globals; session_register() does not work when
                        // register_globals is Off. Writing $_SESSION directly does.
                        $_SESSION['adb_password'] = $admin_password;
                        $_SESSION['user'] = $u_name;
                    }
                    else {
                        // password incorrect
                        login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);
                    }
                }
                else {
                    login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);
                }

                $domain = $_SERVER['HTTP_HOST'];
                $page_location = "http://" . $domain . $_SERVER["PHP_SELF"];
                echo $page_location;
            }
        }
    }

    ?>
    Last edited by Medyman; 01-19-2008 at 12:10 AM.

  2. #2
    Join Date
    Mar 2007
    Location
    Currently: New York/Philadelphia
    Posts
    2,735
    Thanks
    3
    Thanked 519 Times in 507 Posts


    Anyone have any ideas?

    Sorry to be a nag but time is running out on this project and I can't for the life of me figure out what's wrong.

  3. #3
    Join Date
    Oct 2005
    Posts
    255
    Thanks
    1
    Thanked 0 Times in 0 Posts


    It's not a good idea to show your PHP info page, as hackers, I bet, would love to see this. Also...
    Do you have a separate sessions page? On my login system I have a session.php file that has to be included everywhere I make a new file that uses a login system. If you don't, you might think about one.

  4. #4
    Join Date
    Jan 2008
    Location
    Cincinnati
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts


    I suggest using cookies; they are somewhat more secure.

    Article:
    The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

    Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

    There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
    Full Article

    About Cookies
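    The following is an added example, not code from this thread or from the CMS the original poster is building. It shows a login handler for the same `ulist` table (columns `uname` and `pword`) that applies the session protections the quoted manual text describes: session ids carried only in cookies (session.use_only_cookies), HttpOnly and, over HTTPS, Secure cookies, a fresh session id after login, and a single redirect-then-exit instead of echoing the page location. It assumes PHP 5.5 or later (password_hash, session.use_strict_mode), PDO with the MySQL driver, the `$dbhost`/`$dbname`/`$dbuser`/`$dbpass` variables from the thread's `php/config.php`, and that `pword` holds `password_hash()` output rather than an md5 digest.

```php
<?php
// Added example (not the thread's code). Assumptions: PHP >= 5.5, PDO/MySQL,
// php/config.php defines $dbhost, $dbname, $dbuser, $dbpass, and ulist.pword
// stores password_hash() output.

// Session hardening: ids travel only in cookies (no ?PHPSESSID= in URLs that
// could leak through Referer logs), unknown ids are rejected, and the cookie
// is HttpOnly and, when the request is over TLS, Secure.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_strict_mode', 1);   // PHP >= 5.5.2
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $https, true);
session_start();

function db()
{
    require __DIR__ . '/php/config.php';   // assumed: the thread's config file
    $pdo = new PDO("mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4", $dbuser, $dbpass);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// What to store in ulist.pword when creating or changing an account.
function make_stored_hash($plain_password)
{
    return password_hash($plain_password, PASSWORD_DEFAULT);
}

// Check a submitted user name/password. On success the session is rebuilt
// with a new id and only the identity is stored; the password hash never
// goes into the session. Unknown user and wrong password share one path.
function attempt_login(PDO $pdo, $uname, $password)
{
    $stmt = $pdo->prepare('SELECT pword FROM ulist WHERE uname = ? LIMIT 1');
    $stmt->execute(array($uname));          // prepared statement: no SQL built from input
    $hash = $stmt->fetchColumn();

    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true);            // new id after the privilege change
    $_SESSION = array();                    // drop anything from the anonymous session
    $_SESSION['user'] = $uname;
    $_SESSION['login_time'] = time();
    return true;
}

function logout()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function is_logged_in()
{
    return isset($_SESSION['user']);
}

// Request handling: process the form, then either redirect or show it.
$error = null;
if (!is_logged_in() && isset($_POST['u_name'], $_POST['u_password'])) {
    if (attempt_login(db(), $_POST['u_name'], $_POST['u_password'])) {
        $scheme = $https ? 'https' : 'http';
        header('Location: ' . $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'], true, 303);
        exit;                               // nothing below runs after a redirect
    }
    $error = 'Invalid user name or password.';
}

if (!is_logged_in()) {
    // <!-- FORM --> goes here; render $error above it when set
    exit;
}

// Protected CMS content follows for a logged-in user.
```

    Two details matter in practice. The redirect is sent with `header()` and followed by `exit`, so the login script never falls through into the protected page on the same request; and because `session.use_only_cookies` is on, a client with cookies disabled cannot log in at all, which is the trade-off the quoted manual text points out. The manual's second point, session ids crossing the network in plain text, is addressed outside PHP by serving the CMS only over HTTPS, which is also what makes the Secure cookie flag take effect.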

  5. #5
    Join Date
    Mar 2007
    Location
    Currently: New York/Philadelphia
    Posts
    2,735
    Thanks
    3
    Thanked 519 Times in 507 Posts


    Thanks!
    I'll look into it.

    I've been away from this project for a couple days but I have to get this password thing worked out tomorrow.
