
Not really secure


sunziun


Hi everyone. I am using this code to log in to an administration page I have created successfully. I recognized that the pages are not really secure: if I log out myself, the direct link of the page would give me full access to manage all contacts.

THE LOGIN FORM

<?php include("config/header.php"); ?>
<div id="login_form">
<form name="login_form" method="post" action="login/login_check.php">
<b>Login for registered administration</b>
<p />
Username: <input type="text" name="username" id="username" /><br />
Password: <input type="password" name="password" id="password" /><br />
<p />
<input type="submit" value="Login" />
</form>
</div>

THE LOGIN CHECK

<?php
ob_start();
session_start();

// Include login_config.php (expected to open the MySQL connection and set $table)
include("login_config.php");

// Get user details
$username = $_POST['username'];
$password = $_POST['password'];

// Protect MySQL from injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

// Table selection and query
// (the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7)
$sql = "SELECT * FROM $table WHERE username='$username' and password='$password'";
$result = mysql_query($sql);

echo "<div id='wrap'>";

// Counting table rows
$count = mysql_num_rows($result);

// If result matched $username and $password, table row must be 1 row
if ($count == 1) {
    // Register the user in session
    // (the original used session_register(), which was removed in PHP 5.4)
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header("location:login_success.php");
    exit;
} else {
    echo "<b style='color:red'>Login failed</b> <p><a href='../index.php'>Try again</a></p></div>";
}
?>

THE LOGIN SUCCESS

<?php
session_start();
ob_start();
// Redirect anyone who has no username in the session
// (the original used session_is_registered(), which was removed in PHP 5.4)
if (!isset($_SESSION['username'])) {
    header("location:../db/db_index.php");
    exit;
}
echo "Login success.";
?>

THE LOGOUT

<?php
session_start();
include("../config/header.php");
echo "<title>Log out</title>" . "<div id='wrap'>";
ob_end_flush();
// Discard the server-side session so the session cookie stops granting access
$_SESSION = array();
session_destroy();
echo "<b>Log out successful.</b>" . "<br />" . "<p><a href='../index.php'>Back to database/Login again</a></p>" . "</div>";
?>

What am I doing wrong? Please help.


Well, do you have some sort of check on the admin page itself to see if people are logged in?

P.S.: session_register() is out-dated, just assign to the $_SESSION array directly. Also, you're missing a quote for the action attribute on the login form.


Well, do you have some sort of check on the admin page itself to see if people are logged in?
No I haven't, and I don't know how to create it. Maybe that's the issue.

PS: $_SESSION works fine.

A couple of side notes: I'd make sure your login form is being loaded in a secure socket (SSL). If you do not already have it written, include a condition on the login form page that checks the port or the URL to be sure the form is loaded securely. I see your form is posting to a secure page, just make sure your form is secure too, otherwise it's pointless.

Also, to achieve a higher level of security, your passwords should not be stored as the raw plain text ASCII they were when submitted. The best practice is to encrypt the password value submitted and insert that into the database. Then, when you check against that (log someone in), you take the value they submitted and encrypt that and add it to your SQL, so you are checking against encrypted values, not plain text values. This does a number of things, mainly it makes it so no one can get passwords directly from the database should that system be compromised.

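The two points in the reply above (accept the login only over TLS, and store a one-way hash rather than the plain password) as an added example; this is not code from the thread or from the original poster. It assumes a PDO connection `$pdo` provided by `login_config.php` and a `users` table with columns `username`, `password_hash` and `is_admin` (all of these names are assumptions). It uses `password_hash()`/`password_verify()`, which is the modern form of what the reply calls "encrypting" the password, and a prepared statement in place of `mysql_real_escape_string()`.

```php
<?php
// Added example, not the original poster's code.
// Assumes: login_config.php defines $pdo (a PDO instance) and the table
// `users` has columns username, password_hash (VARCHAR(255)), is_admin (TINYINT).
declare(strict_types=1);

session_start();
require __DIR__ . '/login_config.php';

// 1. Accept credentials only over TLS: check the scheme the request arrived on.
function request_is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
}

if (!request_is_https()) {
    http_response_code(403);
    exit('Login is only accepted over HTTPS.');
}

// 2. At registration time store a salted, one-way hash, never the plain password.
function create_user(PDO $pdo, string $username, string $password, bool $isAdmin = false): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, fresh random salt per user
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, is_admin) VALUES (:u, :h, :a)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash, ':a' => (int) $isAdmin]);
}

// 3. At login fetch the stored hash by username (parameterised, so no manual
//    escaping) and let password_verify() rehash and compare the submitted value.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password_hash, is_admin FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // identical outcome for unknown user and wrong password
    }
    return $row;
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$user = authenticate($pdo, $username, $password);
if ($user === null) {
    echo "<b style='color:red'>Login failed</b> <p><a href='../index.php'>Try again</a></p>";
    exit;
}

// 4. New session id on login, then keep only what later pages need to check.
//    The password (and its hash) is never copied into the session.
session_regenerate_id(true);
$_SESSION['username'] = $user['username'];
$_SESSION['is_admin'] = (bool) $user['is_admin'];

header('Location: login_success.php');
exit;
```

`create_user()` is only needed once per account (for instance from a small admin script); the login handler itself never has the plain password in the database to compare against, which is the property the reply is after.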

Well, you can access the admin page without being logged in, therefore not having checks on that page is likely to be the problem, right? :)

You are writing some session values when you successfully login, so you could check to see whether those values were set on the admin page.


I am a newbie in these things (especially PHP/MySQL). What do I need to do more so the other pages are secure too? Would you guys give any ideas, please?


You have to add some code like this to check if it's logged in or not:

<?php
session_start();
// Send anyone without a username and a non-empty password in the session back to the login page
if (!(isset($_SESSION['username'], $_SESSION['password']) && $_SESSION['password'] != '')) {
    header("Location: login_page.php");
    exit;
}
?>


Thanks xoshbin, but where do I put this: on the login page or on all pages which need access control?

<?php
session_start();
// Send anyone without a username and a non-empty password in the session back to the login page
if (!(isset($_SESSION['username'], $_SESSION['password']) && $_SESSION['password'] != '')) {
    header("Location: login_page.php");
    exit;
}
?>


but where do I put this: on the login page or on all pages which need access control?

You are writing some session values when you successfully login, so you could check to see whether those values were set on the admin page.

Wherever you need to give access to an authenticated user, you should put that there. How do you recognise an admin now? You need to put a flag in your db on a user who is admin. When the user logs in you need to check the flag, whether that particular user has admin credentials or not. If he is an admin, make a session flag for admin. Now, wherever you need access only for admin, you need to check that session flag. If it matches, give access, else don't give it.
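The advice from the last three replies (check the session values on every protected page, and separate an admin flag set from the database at login from ordinary login) collected into one include file, as an added example that is not code from the thread. It assumes the login handler stored `$_SESSION['username']` and `$_SESSION['is_admin']` (with the flag taken from an `is_admin` column, never from anything the client sent); the file name `auth_guard.php` and the function names are assumptions.

```php
<?php
// Added example, not code posted in the thread.
// Assumes the login handler set $_SESSION['username'] and $_SESSION['is_admin'].
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Put `require __DIR__ . '/auth_guard.php'; require_login();` at the very top of
// every page that needs a logged-in user, before any HTML is output.
function require_login(string $loginPage = '../index.php'): void
{
    if (empty($_SESSION['username'])) {
        header('Location: ' . $loginPage);
        exit; // without exit the rest of the page is still sent to the client
    }
}

// Pages that manage contacts additionally require the admin flag. The flag was
// copied into the session at login from the database column, so the client
// cannot grant it to itself.
function require_admin(string $loginPage = '../index.php'): void
{
    require_login($loginPage);
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Administrator access required.');
    }
}

// Logout must discard the server-side session and the cookie that names it;
// otherwise the old session id keeps passing require_login() and a direct
// link to the admin page still works, which is the behaviour the question describes.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }
    session_destroy();
}
```

An admin page then starts with `require __DIR__ . '/auth_guard.php'; require_admin();`, a page any logged-in user may see calls `require_login();` instead, and `logout.php` calls `logout();` before printing its "Log out successful" message. The check lives in one file so that every protected page runs the same test, not just the login page.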

Archived

This topic is now archived and is closed to further replies.
