stackoom
  简体   繁体   中英

PHP Login system hard coded username and password

 原文  2015-09-17 13:43:55       php/ security/ authentication/ login-script/ hardcoded

Question

I had to do a basic login system to protect a page, and I have no access to database so i store the username and password hard coded in php page.

My question is, can this login system hold againts an attack? I need it to hold about 1 month.

Any sugestions to improve will be helpefull. The code is not in laravel, even if it might look like. The username and password, will be changed to something stronger of course.

Thank you in advance. 

<?php
class UserController {
private $username;
private $password;
private $isLoggedIn = false;

// Credentials
public function credentials() {
    $credentials = array(
        array(
            "username" => "telekom",
            "password" => "1234"
        ),
        array(
            "username" => "telekom2",
            "password" => "1234"
        )
    );
    return $credentials;
}

// Basic login
public function login() {
    foreach ($this->credentials() as $credential) {
        if ($this->username == $credential['username'] && $this->password == $credential['password']) {
            Session::put('username', $this->username);
            Session::put('password', $this->password);
            $this->isLoggedIn = true;
        }
    }
}

// Get login status
public function isLoggedIn() {
    return $this->isLoggedIn;
}

// Logout
public function logout() {
    // Delete all sessions
    Session::all();
    redirect('/telekom/');
}

// Telekom
public function telekom() {
    $form = new Form();
    if (Input::get('logout') == 1) {
        $this->logout();
    }

    // Post Data from login form
    if (Input::has('username') || Input::has('password')) {
        if (!$form->isCsrfValid()) {
            $form->errors['CSRF'] = "CSRF Token";
        } // CSRF protection is on, comment to disable
        if (empty($form->errors)) {
            $this->username = Input::get('username');
            $this->password = Input::get('password');

            // Check Login
            $this->login();
            if (!$this->isLoggedIn()) {
                Session::put('login', 'Username and password do not match.');
            } else {
                redirect('/telekom/');
            }
        } else {
            Session::put('login', '<p class="color-dark-red"><strong>Errors:</strong></p>
                        <p>' . $form->displayErrors($form->errors) . '</p>');
        }
    // Check if session has username and password 
    } elseif (Session::has('username') && Session::has('password')) {
        $this->username = Session::get('username', false);
        $this->password = Session::get('password', false);
        // Check Login 
        $this->login();
    }
}
}// EOF Class User

// Outside class
$user = new UserController();

// Outside class
if (!$user->isLoggedIn()) {
    // display login form
} else {
    // display protected content    
}
?>

3 answers

solution1
 1 ACCPTED  2015-09-17 14:38:29

My comments are getting lengthy, so I'll just move them here. I would not recommend you put the username and password in the same file. If PHP ever fails to process the page, it will be dumped as plain text to the user. Even for database connections (where the un/pwd almost have to be stored plain text), most people don't put the information in the same file.

You have a couple options:

  1. Make a separate PHP file that sets your UN/PWD variables, put it somewhere that isn't accessible from outside your server, and include it in index.php. In this case, I wouldn't include the file until right when you're going to compare the variables and let the local scope dump it as soon as possible.

  2. Since this is such basic authentication, you could use Apache's built in password authentication module .

solution2
 0  2015-09-17 13:51:46

in my opinion, this solution is safe enough when you don't plan to use it forever. What would I check is setting of your web server - some text editors makes backup copies of edited files, like index.php~, index.php.bkp or so. Make sure whether your web server do not serve those files, if any.

solution3
 0  2015-09-22 09:46:21

The problem with temporary solutions is that they've never temporary.

Never hard code passwords. Some of the reasons are:

  • It is harder to keep source code secret than it is a key.
  • Any vulnerabilities in your site that allow reading of source code may reveal the password.
  • Passwords from development will end up in production.
  • It is impossible to change passwords without redeploying.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Login system password and username Encrypt hard coded password in php script PHP Login with Username/Password My PHP login system still Logging in even if the password or username is incorrect Username/Password Login Trouble with PHP password/login system in php PHP Username's for login system Why is hard coding username password security threat in php? Password hasing in PHP login system PHP login function not finding correct username and password
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM