
What methods are there for hacking my own PHP login form? Is it secure enough?

In a nutshell, I have a test server/website where I uploaded a folder called "private" with PHP scripts. The flow of the program is as follows: login -> search for an item number -> display item image -> logout or search again.

In the future the item pages will display a large amount of database information about each specific item, but for the time being it only displays an image. The link to the test website is below:

http://testserver574.hostei.com/private/login.html

My main question is about security and vulnerabilities. The login.html page has a form which posts information to a PHP script called "ProcessLogin.php", which redirects you back to the login page with the wrong credentials. The username and password are hardcoded into that script for the time being.

Other than adding an SSL (Secure Socket Layer), is this secure "enough"? How is hard coding the username and password into ProcessLogin.php insecure when users can't read PHP code?

The username and password aren't really hard to guess if you really want to try :P But even if it was a real username and password, how can a login such as this be hacked to display the images?

PS: username and password are the same, I'm just wondering if anyone can hack this login without any effort...

Edit: My login function is as follows:

    function login($userName, $URL) {
        session_regenerate_id(TRUE); // Security measure - create new session id
        $_SESSION['valid'] = 1;
        $_SESSION['userName'] = $userName;

        redirectPage($URL); // Redirect page
    }

which occurs after the username and password are verified with "===" in PHP.

The important question is what happens after the login. Are you setting a cookie to identify the user? What is in that cookie? How easy is it to fake that cookie? How easy is it to intercept that cookie (hint: without SSL, pretty easy)? Is a valid cookie required to open any of your protected pages? Or can I simply go to one of your "protected" pages if I know the URL and there'll be no check at all? Is there any flaw in how the cookie is checked on those protected pages that may allow me to bypass the check? etc. etc...
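The check this answer asks about, written as a guard that every script under /private/ would include before producing output. This is an added example, not code from the question or the answer; the file name, the `lastSeen` key, the idle limit and the assumption that the site is served over HTTPS are all hypothetical, while `valid` and `userName` are the session keys the question's login() sets.

```php
<?php
// require_login.php (hypothetical file name): include at the top of every
// script under /private/, before any output is sent.
declare(strict_types=1);

// Assumption: the site is served over HTTPS, so 'secure' keeps the session
// cookie off plain HTTP where it could be intercepted.
session_set_cookie_params([
    'lifetime' => 0,           // session cookie, dropped when the browser closes
    'path'     => '/private/',
    'secure'   => true,
    'httponly' => true,        // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session ids the server did not issue
session_start();

const IDLE_LIMIT_SECONDS = 900; // constructed value for this example

function isLoggedIn(array $session, int $now): bool
{
    // Strict comparison on the same keys the question's login() sets.
    if (($session['valid'] ?? null) !== 1 || !isset($session['userName'])) {
        return false;
    }
    // login() does not set lastSeen, so the first request after login counts
    // as fresh; afterwards an idle session expires, limiting a captured id.
    $last = $session['lastSeen'] ?? $now;
    return ($now - $last) <= IDLE_LIMIT_SECONDS;
}

if (!isLoggedIn($_SESSION, time())) {
    $_SESSION = [];
    session_destroy();
    header('Location: /private/login.html');
    exit; // without exit the rest of the protected page would still run and be sent
}

$_SESSION['lastSeen'] = time();
```

The guard only covers requests that reach PHP: images stored as static files under /private/ are served by the web server directly unless they are moved outside the web root and streamed by a script that includes it.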

What will it secure? Security is relative to what it is you are protecting. I.e., consider the scenario that I put a list together with my favourite sports teams on it and stick that on the internet with the edit form behind a login screen: would SSL be enough to protect this data? Probably, as the information is meaningless to anyone else. However, if it were a list of my bank account details, I'd probably want to go further and do more checks, such as look at implementing a one-time password such as YubiKey (http://www.yubico.com/yubikey), look at the server config, strengthen up the security of the server the site is hosted on, and maybe look at some more complex encryption/decryption on the login form. So if these images are of you walking your dog or some such, then in all likelihood the security you have placed on the form is adequate. However, if they are design plans or something that is vitally more important/critical to you/your company, you would probably want to look at implementing some other security procedures.
