tags:

views:

901

answers:

8

How do i create an easy login script that does not require a database. I would like it to be safe.

Alright, what about this script, i just made it by my knowledges in php.

<?php 
// startar sessionen
session_start(); 

// username and password
$anvandarID = "ditt_namn";
$losenord = "ditt_password";

if (isset($_POST["anvandarID"]) && isset($_POST["losenord"])) { 

    if ($_POST["anvandarID"] === $anvandarID && $_POST["losenord"] === $losenord) { 
    /
    $_SESSION["inloggning"] = true; 

    header("Location: safe_site.php"); 
    exit; 
    } 
        // wrong login - message
        else {$felmeddelande = "Du har angivit fel användarnamn eller lösenord!";} 
}
?>

The safe_site.php contains this and some content:

session_start();

if (!isset($_SESSION["inloggning"]) || $_SESSION["inloggning"] !== true) {
header("Location: login.php");
exit;
}
A: 

if you dont have a database, you will have to hardcode the login details in your code, or read it from a flat file on disk.

mkoryak
Can't I store login details in variables?
You can, that's what he means by "hardcode the login details in your code."
jimyi
+1  A: 

Save the username and password hashes in array in a php file instead of db.

When you need to authenticate the user, compute hashes of his credentials and then compare them to hashes in array.

If you use safe hash function (see hash function and hash algos in PHP documentation), it should be pretty safe (you may consider using salted hash) and also add some protections to the form itself.

tomp
+2  A: 

If you don't have a database, where will the PERMANENT record of your users' login data be stored? Sure, while the user is logged in, the minimal user information required for your site to work can be stored in a session or cookie. But after they log out, then what? The session goes away, the cookie can be hacked.

So your user comes back to your site. He tries to log in. What trustworthy thing does your site compare his login info to?

dnagirl
+6  A: 

FacebookConnect or OpenID are two great options.

Basically, your users login to other sites they are already members of (Facebook, or Google), and then you get confirmation from that site telling you the user is trustworthy - start a session, and they're logged in. No database needed (unless you want to associate more data to their account).

Jonathan Sampson
+2  A: 

It's not an ideal solution but here's a quick and dirty example that shows how you could store login info in the PHP code:

<?php
session_start();

$userinfo = array(
                'user1'=>'password1',
                'user2'=>'password2'
                );

if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

if(isset($_POST['username'])) {
    if($userinfo[$_POST['username']] == $_POST['password']) {
        $_SESSION['username'] = $_POST['username'];
    }else {
        //Invalid Login
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
<html xmlns="http://www.w3.org/1999/xhtml"&gt;
    <head>
        <title>Login</title>
    </head>
    <body>
        <?php if($_SESSION['username']): ?>
            <p>You are logged in as <?=$_SESSION['username']?></p>
            <p><a href="?logout=1">Logout</a></p>
        <?php endif; ?>
        <form name="login" action="" method="post">
            Username:  <input type="text" name="username" value="" /><br />
            Password:  <input type="password" name="password" value="" /><br />
            <input type="submit" name="submit" value="Submit" />
        </form>
    </body>
</html>
Mark Biek
Thank you! That's maybe better than mine.
That's not safe at all.
tomp
How about some details?
Mark Biek
Storing passwords in plain text is generally considered to be unsafe.
tomp
The only way anyone is going to see those passwords is if the web server stops parsing PHP. And then you'll have a larger problem on your hands :) He's just looking for something quick and easy.
Mark Biek
Server doesn't have to stop parsing PHP, when there is other vulnerability in application (there is always at least one :) ), than the attacker will be able to read other people passwords without anybody knowing and that is a large problem as you said. Few sha1 function calls won't kill anybody and it'll be safer.
tomp
A: 

You can do the access control at the Web server level using HTTP Basic authentication and htpasswd. There are a number of problems with this:

  1. It's not very secure (username and password are trivially encoded on the wire)
  2. It's difficult to maintain (you have to log into the server to add or remove users)
  3. You have no control over the login dialog box presented by the browser
  4. There is no way of logging out, short of restarting the browser.

Unless you're building a site for internal use with few users, I wouldn't really recommend it.

Ken Keenan
A: 

There's no reason for not using database for login implementation, the very least you can do is to download and install SQLite if your hosting company does not provide you with enough DB.

Helen Neely
+1  A: 

I would use a two file setup like this:

index.php

<?php 
session_start(); 

define('DS',  TRUE); // used to protect includes
define('USERNAME', $_SESSION['username']);
define('SELF',  $_SERVER['PHP_SELF'] );

if (!USERNAME or isset($_GET['logout']))
 include('login.php');

// everything below will show after correct login 
?>

login.php

<?php defined('DS') OR die('No direct access allowed.');

$users = array(
 "user" => "userpass"
);

if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

if(isset($_POST['username'])) {
    if($users[$_POST['username']] !== NULL && $users[$_POST['username']] == $_POST['password']) {
  $_SESSION['username'] = $_POST['username'];
  header('Location:  ' . $_SERVER['PHP_SELF']);
    }else {
        //invalid login
  echo "<p>error logging in</p>";
    }
}

echo '<form method="post" action="'.SELF.'">
  <h2>Login</h2>
  <p><label for="username">Username</label> <input type="text" id="username" name="username" value="" /></p>
  <p><label for="password">Password</label> <input type="password" id="password" name="password" value="" /></p>
  <p><input type="submit" name="submit" value="Login" class="button"/></p>
  </form>';
exit; 
?>
Andres