Showing posts with label security.

Tuesday, March 22, 2011

Website Security - How to avoid using session variables for logged in users

Hi,

It is very common to store the details of a logged-in user, such as username, first name, last name and user id, in session variables. Session data, however, is only as safe as the session ID that selects it: whoever holds that ID is the user, so a leaked or predictable ID exposes everything behind it. I have come up with a strategy of keeping the user details in a database table at runtime instead of in session variables or cookies. Note that this table is still looked up by session ID, so it is no stronger against session hijacking than PHP's own server-side session store; what it gives you is a server-side record of who is logged in that you can inspect, audit and revoke. You will find sample source code at the end of the post.

The idea is very simple. Assuming I have a user table with the following schema and data:


Now when the user logs in through login.php, the submitted credentials are first validated against the above table. If they are correct, instead of putting the user data into session variables, I store it in a separate log table as follows:


with the code:


<?php
session_start();
// Look up the submitted credentials (the password is compared in clear text here; see the note below)
$is_user = mysql_fetch_array(mysql_query("select * from users where username='" . mysql_real_escape_string($_POST['username']) . "' and password='" . mysql_real_escape_string($_POST['password']) . "'"));
if (empty($is_user)) {
    $message = "Incorrect username or password";
} elseif (!mysql_fetch_array(mysql_query("select * from user_log where sessid='" . mysql_real_escape_string(session_id()) . "'"))) {
    // No row for this session yet: tie the user id to the current session id
    mysql_query("insert into user_log set userid=" . (int) $is_user['id'] . ",sessid='" . mysql_real_escape_string(session_id()) . "',dt='" . date("Y-m-d") . "'");
}


In the above, once the user has logged in, the session ID, the user id and the current date are written to the log table. The insert only runs when the credentials matched; the original version ran it even on a failed login, with an empty user id. Here I store only the userid, but you can add more fields, such as first name and last name.

(note: the password is stored and compared in clear text here, which you should never do in production. Store only a salted hash, for example with password_hash(), and compare with password_verify(); reversible encryption is not the right tool, because a stolen key decrypts every password at once.)

This is only half the job. The other half is checking whether the user is logged in: on every protected page, run a query for a user_log row whose sessid matches the current session ID. If one is found, the user is logged in. This is done by:
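The full login flow and the logged-in check, as an added example that is not the original post's code: it keeps the post's idea of a user_log table keyed by session ID but uses PDO prepared statements, a hashed password, a fresh session ID after authentication and hardened cookie settings. The users and user_log tables follow the post; the in-memory SQLite database, the sample user and the function names are assumptions made for the demo.

```php
<?php
// Added example, not the original post's code. Tables follow the post; the SQLite
// database, the sample user and the helper names are assumptions for the demo.
ini_set('session.cookie_httponly', '1'); // JavaScript cannot read the session cookie
ini_set('session.cookie_secure', '1');   // cookie is only sent over HTTPS
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)");
$db->exec("CREATE TABLE user_log (userid INTEGER, sessid TEXT PRIMARY KEY, dt TEXT)");
// Sample user (constructed); only a salted hash of the password is stored
$ins = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Verify the credentials and, on success, bind the user to a brand-new session id
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare("SELECT id, password FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password'])) {
        return false;
    }
    // A new id after authentication prevents session fixation: an id the attacker
    // planted before login never becomes a logged-in one
    session_regenerate_id(true);
    $log = $db->prepare("INSERT INTO user_log (userid, sessid, dt) VALUES (?, ?, ?)");
    $log->execute([(int) $user['id'], session_id(), date('Y-m-d')]);
    return true;
}

// The "second half" of the post: the user is logged in exactly when a user_log
// row carries the current session id. Returns that user's id, or null.
function current_user_id(PDO $db): ?int {
    $stmt = $db->prepare("SELECT userid FROM user_log WHERE sessid = ?");
    $stmt->execute([session_id()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// Revoking the row is what logs the user out; destroying the session alone would
// leave the row behind for anyone who still holds the old id
function logout(PDO $db): void {
    $db->prepare("DELETE FROM user_log WHERE sessid = ?")->execute([session_id()]);
    session_destroy();
}

var_dump(current_user_id($db));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(current_user_id($db));
logout($db);
var_dump(current_user_id($db));
```

Run from the command line with the pdo_sqlite extension enabled: the first check finds no row, the wrong password is rejected, the correct one is accepted, the check then returns the user's id, and after logout it returns null again. Because the lookup is by session ID, everything the page says about hijacking still applies; the ini settings and session_regenerate_id() are what actually make the ID harder to steal or plant.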

Tuesday, March 15, 2011

Website Security - 2(SQL Injection & Spamming)

Hi,

This is a continuation of my previous post on website security. In this post I will discuss SQL injection and the spamming of web forms, starting with SQL injection.

1. SQL Injection

SQL injection is possibly the easiest way for an attacker to tamper with your database. The idea is that the attacker rewrites your internal SQL query to suit their own purposes. This happens when input from a textbox or textarea is pasted into the text of a SQL query without being escaped or, better, passed as a bound parameter. It might sound complicated, but the fix is not. Consider the following query:

mysql_query("SELECT * from employees where username='".$_POST['user_name']."'");

The above statement takes the value entered in the text box "user_name" and concatenates it straight into the SQL text. Now suppose the value of $_POST['user_name'] is entered as:
' or '1'='1

So the final query becomes:
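The concatenated query from above beside a parameterised version, as an added example that is not part of the original post. It runs the post's payload against an in-memory SQLite table; the employees table, its two rows and the helper names are assumptions made for the demo.

```php
<?php
// Added example, not the original post's code. The employees table, its rows and
// the helper names are assumptions for the demo; the payload is the post's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, role TEXT)");
$db->exec("INSERT INTO employees (username, role) VALUES ('alice', 'admin'), ('bob', 'staff')");

// Builds the query exactly as the post does and returns the rows it yields
function lookup_vulnerable(PDO $db, string $user_name): array {
    // The input is pasted into the SQL text, so a quote inside it closes the
    // string literal and whatever follows is executed as SQL
    $sql = "SELECT * FROM employees WHERE username='" . $user_name . "'";
    echo $sql, "\n";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same lookup with the value sent as a bound parameter: it never becomes part of
// the SQL text, so the payload is merely a username nobody has
function lookup_prepared(PDO $db, string $user_name): array {
    $stmt = $db->prepare("SELECT * FROM employees WHERE username = :username");
    $stmt->execute([':username' => $user_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' or '1'='1";   // the value the post types into the user_name box

printf("%d rows from the concatenated query\n", count(lookup_vulnerable($db, $payload)));
printf("%d rows from the prepared statement\n", count(lookup_prepared($db, $payload)));
```

The first call prints the final query, SELECT * FROM employees WHERE username='' or '1'='1', and returns every row, because '1'='1' is true for each of them; in a login form this is how an attacker signs in without knowing any username. The second call returns nothing. Escaping with mysql_real_escape_string(), as in the login code in the earlier post, defeats this particular payload, but it must be applied at every concatenation point and does nothing for values spliced in unquoted, such as numeric ids; prepared statements remove the whole class of mistakes.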

Thursday, March 10, 2011

Website Security

Hi,

Developing a website is not as easy as it may look or sound. Every time you write code you need to keep two things in mind, and the most important are performance and security. In my earlier posts (also see compression and caching) I discussed performance. In this one I will explain the most common security failures in the life of a programmer.

To start with, no one and nothing can teach you how to build a hack-proof system. Here is the fact: everything is hackable and every defence can be breached, because there is always someone somewhere who knows more than you. What you can do is avoid the basic mistakes that make a break-in cheap and raise the cost of an attack until it is not worth the effort. So the best plan is to stick to a few basic rules.

HTACCESS - Security

1. Never expose the real file paths.

Mask the URL using htaccess. For example, you have an image:
<img src="img/logo.jpg" /> Now, instead of "img", keep "logo.jpg" in some other directory with a name that is not easily guessed, such as "assets/image_lib", where assets is a directory and image_lib its subdirectory. To make "img/logo.jpg" point to "assets/image_lib/logo.jpg", create a .htaccess in the root directory with the following URL rewrite (the dot before the extension is escaped, since an unescaped "." matches any character):

RewriteEngine on
RewriteRule ^img/(.*)\.(jpg|png|gif|jpeg)$ assets/image_lib/$1.$2 [L]

Bear in mind that this only hides the layout; the file is still served at its real path unless you block that too, and a rewrite rule is not an access control. Its value is in keeping your directory structure out of sight, which is why the next rule matters more.

2. Forbid directory listing

Even if someone learns the actual directory, prevent them from seeing its contents. To do this, create a new .htaccess file inside the directory whose listing you want to forbid with the following: