PHP Authentication Security
Problem
Can someone look over this? This is the entire authentication file. It's referenced at the beginning of all my catalog editing files to make sure only the specified user is logged in. I want to make sure it's secure.
I just need to authenticate for one user. I don't need to go into databases or anything, so I thought PHP_AUTH would be a good solution.
```php
<?php
// NOTE: the opening lines of this file were cut off in the page capture.
// The outer guard, the two Basic-auth challenge headers and the realm name
// below are reconstructed from the messages that follow; they are not the
// asker's exact lines. Everything from the first echo onward is as posted.
if (!isset($_SESSION['logged_in'])) {                 // reconstructed outer guard
    if (!isset($_SERVER['PHP_AUTH_USER'])) {          // browser has not sent credentials yet
        header('WWW-Authenticate: Basic realm="Catalog"');   // realm name assumed
        header('HTTP/1.0 401 Unauthorized');
        echo 'Hey! You can\'t be here!
Try logging in first!';
        exit;
    } elseif (md5($_SERVER['PHP_AUTH_USER']) != "04b2f0a4ad7772ca864aa569917b2d2d") {
        // username compared by md5 digest, as posted
        echo 'Wrong Username!
Only the admin username and password are accepted.';
        exit;
    } elseif (md5($_SERVER['PHP_AUTH_PW']) != "ed972411dfcca5313ab151694af01da8") {
        // password compared by md5 digest, as posted
        echo 'Wrong Password!
For obvious reasons, we need a correct password!';
        exit;
    } else {
        session_start();
        $_SESSION['logged_in'] = 1;
    }
}
?>
```
Solution
md5 usage may be okay on small projects, but it's generally considered weak and shouldn't be used. As per the MD5 Wikipedia page:
The security of the MD5 hash function is severely compromised.
and https://www.php.net/md5
It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm.
So perhaps you should look into PHP's other hashing methods, say hash() itself. You can read more here: https://www.php.net/manual/en/function.hash.php
Important Edit:
I read a little bit more and I am incorrect! The hash method is okay. It's not great like bcrypt! I highly suggest you read both of these and understand them, I'm sure it will come in handy later on! https://security.stackexchange.com/questions/17421/how-to-store-salt and https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords. And directly relating to PHP, https://www.php.net/manual/en/function.password-hash.php
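Worked example, added here and not part of the question or the answer: the asker's single-user Basic-auth check rebuilt around password_hash()/password_verify() as the answer's links recommend, with a constant-time username compare and one generic failure message instead of separate "wrong username"/"wrong password" replies. The username constant, the realm name and the stored hash value are placeholders to be replaced with your own.

```php
<?php
// Added example, not the posted code. Generate the stored hash ONCE, offline:
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), PHP_EOL;'
// and paste the output below. Never compute password_hash() on each request.
const ADMIN_USER = 'admin';                          // placeholder username
const ADMIN_PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';  // placeholder

function credentialsValid(?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // hash_equals() compares in constant time; password_verify() reads the
    // salt and cost out of the stored bcrypt string and is deliberately slow.
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($pass, ADMIN_PASSWORD_HASH);
    // Both checks always run, so the response time does not reveal which one failed.
    return $userOk && $passOk;
}

function requireAdmin(): void
{
    session_start();
    if (!empty($_SESSION['logged_in'])) {
        return;                                      // already authenticated this session
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!credentialsValid($user, $pass)) {
        header('WWW-Authenticate: Basic realm="Catalog Admin"');   // realm name assumed
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required.';             // one message for every failure case
        exit;
    }
    session_regenerate_id(true);                     // fresh session id once privilege is granted
    $_SESSION['logged_in'] = 1;
}

requireAdmin();
```

Because password_verify() checks the algorithm and cost stored in the hash string, the stored value can later be upgraded (see password_needs_rehash() in the manual) without changing this check.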
Context
StackExchange Code Review Q#40073, answer score: 5