1

I'm looking at doing a very basic authentication script as follows:

<?php
   // admin.php
   session_start();

   // The "password" arrives in the query string of a GET request;
   // isset() avoids an undefined-index notice on a plain visit
   if(isset($_GET['login']) && $_GET['login'] == 'adminLoginWord')
   {
       $_SESSION['auth'] = true;
   }

   if(!empty($_SESSION['auth']))
   {
       // code to show Admin control panel
   }
   else
   {
       echo 'Please login.';
   }

Therefore, to login, someone would need to know to navigate to the URL

admin.php?login=adminLoginWord

Is this a safe way of authentication?

Nasreddine
Dave Salomon
  • You might benefit from the comments on a related question from 10 minutes ago: http://stackoverflow.com/questions/9854559/is-there-any-possible-way-a-visitor-can-access-what-is-sent-by-post – Mar 24 '12 at 19:07
  • You should try to build something with a database where the password can reach only you. – riso Mar 24 '12 at 19:07
  • Happy days. I'll use a form to Post the variable, and use sha1 or md5. It's only really so if someone happens to go to admin.php, they're not given access... thanks all! – Dave Salomon Mar 24 '12 at 19:19

7 Answers

3

It's not safe at all: you would leave the "password" in the computer's history, and it would be very vulnerable to anyone sniffing, etc.

This said, safe always depends on the application, but if you want a safer approach, use a POST variable and compare it like so:

// isset() keeps a plain GET visit from raising an undefined-index notice
if(isset($_POST['pass']) && $_POST['pass'] == 'password123'){
    echo 'Login OK';
}

(Which still isn't the best approach, but it's better than a GET variable)

aurbano
  • Lovely - thanks for the answer. The computers this URL will be accessed on are all within the same building, used by the same people. So, other than it being in the computer History, are there any other concerns? As best practice, I'll change it to a POST anyway - just curious! Thanks again. – Dave Salomon Mar 24 '12 at 19:10
  • POST is always best practice for sensitive information, although both will be visible in the request headers of course. – aurbano Mar 24 '12 at 19:11
  • Well, you should always hash your login, and if security is an important concern, use an SSL connection at least when doing the login. – aurbano Mar 24 '12 at 19:13
  • Radu, that's useful, thank you. The page can be accessed externally, by visitors (if they happen to go to admin.php). But the 'login' portion will only be accessed by computers on a secure network... if that makes sense. Thanks again! – Dave Salomon Mar 24 '12 at 19:37
1

In this case in particular, I was just being thick, and making it more complicated than need be.

A .htaccess file was more than sufficient for this... woops!

Dave Salomon
0

No it's not safe. You can hash your special login with sha1 and test if that sha1 is equal to the sha1 of 'adminLoginWord'.

Furthermore, in your case, you should use a POST.

Vodun
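Putting aurbano's POST advice together with Vodun's point about checking a hash rather than the plain secret, here is an added example of what the whole admin.php could look like. It is not code from the question or from any of the answers. It assumes PHP 5.5.2 or later (for password_hash()/password_verify() and session.use_strict_mode), that the page is served over HTTPS (the session cookie is flagged secure), and that the ADMIN_PASSWORD_HASH value is a placeholder you replace with your own password_hash() output. It swaps Vodun's sha1 comparison for bcrypt via password_verify(), which is salted, slow and compared in constant time.

```php
<?php
// admin.php -- added example, not code from the question or any answer.
// Assumes PHP 5.5.2+ and HTTPS. ADMIN_PASSWORD_HASH is a placeholder:
// generate the real value once with
//   php -r 'echo password_hash("choose-a-long-secret", PASSWORD_DEFAULT);'
// and paste the output here (or load it from a file outside the web root).
define('ADMIN_PASSWORD_HASH', '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash');

// Harden the session cookie before the session is started.
ini_set('session.cookie_httponly', '1'); // not readable from JavaScript
ini_set('session.cookie_secure', '1');   // only sent over HTTPS
ini_set('session.use_strict_mode', '1'); // reject session ids the server did not issue
session_start();

/**
 * Check a submitted password against the stored hash.
 * password_verify() reads the salt and cost from the hash and compares in
 * constant time, so a plain "==" on strings is never used on the secret.
 */
function verifyAdminPassword($candidate)
{
    if (!is_string($candidate) || $candidate === '') {
        return false;
    }
    return password_verify($candidate, ADMIN_PASSWORD_HASH);
}

// Logout: destroy the whole session rather than only clearing the flag.
if (isset($_POST['logout'])) {
    $_SESSION = array();
    session_destroy();
    header('Location: admin.php');
    exit;
}

$msg = '';
// Read the password from the POST body only, never from the query string,
// so it does not land in browser history, bookmarks or the access log.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'])) {
    if (verifyAdminPassword($_POST['password'])) {
        // Fresh session id on privilege change defeats session fixation.
        session_regenerate_id(true);
        $_SESSION['auth'] = true;
        // Redirect after POST so a browser refresh does not resubmit the password.
        header('Location: admin.php');
        exit;
    }
    // One generic message for every failure; do not say what was wrong.
    $msg = 'Login failed.';
    usleep(250000); // fixed delay on failure; real rate limiting belongs in front of this
}

if (empty($_SESSION['auth'])) {
    // Not logged in: show only the form, nothing about the admin panel.
    ?>
    <!DOCTYPE html>
    <html><body>
    <p><?php echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'); ?></p>
    <form action="admin.php" method="post" autocomplete="off">
      <label for="password">Admin password:</label>
      <input type="password" id="password" name="password">
      <button type="submit">Log in</button>
    </form>
    </body></html>
    <?php
    exit;
}

// Authenticated from here on: admin control panel.
echo '<p>Admin control panel</p>';
echo '<form action="admin.php" method="post">'
   . '<button type="submit" name="logout" value="1">Log out</button></form>';
```

Two things to check when trying this: because the cookie is marked secure, a login over plain http:// will appear to succeed and then not stick, which is the intended behaviour, and the hash constant must be a real password_hash() output or every login attempt fails. Comparing sha1(input) to sha1('adminLoginWord'), as the answer above suggests, still leaves a fast, unsalted hash in the code and a non-constant-time string comparison; password_verify() against a bcrypt hash removes both issues.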
0

You have to be aware that, if you use this system, your password will be stored in any browser saving history. One can even add this as a bookmark...

haltabush
0

No it's not safe.

You should instead use POST and also use HTTPS.

sdjuan
0

I understand your wanting to do easy basic authentication and everyone here has had valid security suggestions. If you really don't mind security but want it more secure than having credentials passed in the URL, you could try something like this (of course you could add a lot more HTML in the form/page area):

<?php
/* admin.php */
session_start();

$username = "adminLoginWord";
$password = "adminLoginWordPassword";
$msg = "";

// Only check credentials when the form was actually submitted,
// so a first visit does not show the error message
if (isset($_POST['mySiteUsername'], $_POST['mySitePassword'])) {
  if ($_POST['mySiteUsername'] == $username && $_POST['mySitePassword'] == $password){
    $_SESSION['auth'] = true;
  } else {
    $msg = "Invalid Username/Password Combination";
  }
}

if(empty($_SESSION['auth'])){
  $html = "<html>
  <body>
    <div class='error'>$msg</div>
    <form action='admin.php' method='POST'>
       <label for='mySiteUsername'>Username:</label>
       <input type='text' name='mySiteUsername' />
       <label for='mySitePassword'>Password:</label>
       <input type='password' name='mySitePassword' />
       <input type='submit' value='Login' />
    </form>
  </body>
  </html>";
  echo $html;
} else {
  // Authorized
}
?>
SuperRod
-1

Encrypt your password and then send it over GET or use POST

Pramod