简单的单用户登录页面

Question

Let's assume I wanted to make a super simple page with restricted access in php for a single user. Provided that the authorized user knows the directory and the url of the page, could he just pass manually a username and password (that he would know) through the get method in the url bar, and check it automatically against the script, in which the values of the username and password would be hardcoded in? The script has an if statement that if not true, wouldn't display the content. What flaws could there be?

The url

http://example.com/admin.php?user=admin&password=1324

admin.php

<?php if($_GET['user'] == 'admin' && $_GET['password'] == '1324')){
// display content here
}else{
echo "You're not authorized to visit this page";
} ?>

Scenario 2: the post method

Similar to the above scenario, in this one the authorized user would type the username, password in a form, which would be processed at the actual admin.php file. A similar if statement would be used, with the $_POST[] superglobals this time to check the input.

<?php if($_POST['user'] == 'admin' && $_POST['password'] == '1324'){
  // display content here
}else{
  echo "You're not authorized to visit this page";
} ?>

Answer 1

Both have their flaws.

If you use method 1, you'll end up with the variables passed to the header being saved in the page history, meaning anyone with access to the PC can just search through and find them, giving themselves access in the process. Search engines can also pick up on and save the link, leaving it open to the world.

If you use method 2, you'll need to re-send the POST data every single time you visit a secure page, meaning you end up with a mess of buttons and forms where links could have sufficed. It does however remove the problems of the first method.

A better method to both of these would be the usage of the $_SESSION variable. This basically allows data to be stored server side, while giving the user a 'key' which can be used to control access to the data - this key is stored in cookies, by default.

An example usage would be:

//Say the user is "admin", and the password is "1234"
//This data could be used to 'log in' via post.
//First of all we start the session, and check to see if the user is logged in
//If the user has the session active, they'll have a cookie on their PC which links to it
session_start();
if ($_SESSION['login']==true || ($_POST['user']=="admin" && $_POST['pass']=="1234")) {
    //If they already have a session, give them access.
    //If not, check for posted UN & PW and if correct, give access.
    $_SESSION['login']=true; //Set login to true in case they got in via UN & PW
    //Do stuff for when logged in
}
else { //Not already logged in, not sent a password

    //Give the user a login form redirecting to this page.

}

The benefits of this are:

• No password stored on user-side
• Session key that expires when the browser is closed
• The password is only passed over the internet once

Answer 2

Yes it can, with GET , POST has to pass from a form. It's not a safe way because of many reasons.

But yes, for your needs it can be passed with GET . With a single URL he can jump in restricted area.

BTW when you check for username and password:

if($_GET['user'] == 'admin' && $_GET['password'] == '1324' && $_GET['password'] != '' && $_GET['username'] != '')

you can exclude the last part because you are already verifying against data

if($_GET['user'] == 'admin' && $_GET['password'] == '1324')

Answer 3

Something like this

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    $expectdUsername = 'username';
    $expectedPassword =  'secret';

    if($_SERVER['PHP_AUTH_USER'] != $expectdUsername || 
        $_SERVER['PHP_AUTH_PW'] != $expectedPassword) {
        echo 'Invalid username/password';
        exit;
    }

    //Add a cookie, set a flag on session or something
    //display the page
}

It can be called by

http://username:secret@thepage.com