Simple login

divalento

New member
My clients often need an easy admin panel. I used this code. Is it correct?

PHP:
<?php
/*
https://addtrc20.net/
user: admin
pass: mhNnOK
*/
session_start();

$correct_username = 'admin';
$correct_password = 'mhNnOK';
$error = false;


if (isset($_POST['username'], $_POST['password'])) {
    if ($_POST['username'] == $correct_username && $_POST['password'] == $correct_password) {
        $_SESSION['loggedin'] = true;
        header('Location: /');
        exit;
    } else {
        $error = true;
    }
}
?>
 
In a properly coded form, all fields, save for checkboxes, are ALWAYS isset, therefore checking for isset is pointless. What you need to do is check the REQUEST_METHOD, then trim the entire POST array at once, then check for empty on your required fields. The else is not necessary since the if exits.


PHP:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // trim post array
    $_POST = array_map('trim', $_POST);
    // check for empty on the required fields
    if (!empty($_POST['username']) && !empty($_POST['password'])) {
        if ($_POST['username'] == $correct_username && $_POST['password'] == $correct_password) {
            $_SESSION['loggedin'] = true;
            header('Location: /');
            exit;
        }
    }
    // reached only when the login did not succeed, so no else is needed
    $error = true;
}
 
Your code is a simple authentication system using PHP. However, there are some security issues and improvements that can be made:

  1. Storing Passwords: Storing passwords in plaintext is highly insecure. You should hash passwords before storing them in the database and compare the hashed values during authentication.
  2. Session Management: While you're using sessions, you're not checking the session variable upon subsequent requests. This means that someone can bypass the login page by directly accessing the admin page without logging in.
  3. Redirect after Login: When redirecting after successful login, it's generally safer to use an absolute URL instead of a relative one to prevent potential open redirect vulnerabilities.
  4. Preventing Timing Attacks: To mitigate timing attacks, it's good practice to use a constant-time string comparison function like hash_equals() instead of ==.
  5. Error Handling: It's a good practice to provide specific error messages for failed login attempts to help users understand what went wrong.
Here's a revised version of your code addressing some of these issues:


PHP:
<?php
session_start();


$correct_username = 'admin';
$correct_password_hash = '$2y$10$YfkhP1Q6pl4mh72T2KVz5uhW6eGyOZDl5mHWb9f7E2zXx2hbjCUzK'; // Hashed password
$error = '';


if (isset($_POST['username'], $_POST['password'])) {
    $input_username = $_POST['username'];
    $input_password = $_POST['password'];


    // password_verify() compares the submitted password against the stored hash in constant time
    if ($input_username === $correct_username && password_verify($input_password, $correct_password_hash)) {
        $_SESSION['loggedin'] = true;
        header('Location: /dashboard.php');
        exit;
    } else {
        $error = 'Incorrect username or password.';
    }
}
?>

HTML:
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h2>Login</h2>
    <?php if ($error): ?>
        <p><?php echo $error; ?></p>
    <?php endif; ?>
    <form method="post" action="">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required><br><br>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required><br><br>
        <button type="submit">Login</button>
    </form>
</body>
</html>
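As an added example (not code from the thread), here are the two replies' points combined into one include, assumed to be called auth.php: a REQUEST_METHOD check with an array-wide trim, hash_equals() for the username, password_verify() against the hash from the reply above, and a require_login() guard for the pages behind the login. It also regenerates the session id on login, which the thread does not mention, and returns a single generic failure message for both wrong-username and wrong-password cases.

```php
<?php
// auth.php (assumed name): login handling plus the logged-in check every admin page must run.

const ADMIN_USERNAME = 'admin';
// Hash taken from the reply above; replace it with your own output of
// password_hash($secret, PASSWORD_DEFAULT). Never store the plaintext.
const ADMIN_PASSWORD_HASH = '$2y$10$YfkhP1Q6pl4mh72T2KVz5uhW6eGyOZDl5mHWb9f7E2zXx2hbjCUzK';

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Both comparisons always run, so response time does not reveal whether the username alone was right.
function verify_credentials(string $username, string $password): bool
{
    $userOk = hash_equals(ADMIN_USERNAME, $username);       // constant-time string compare
    $passOk = password_verify($password, ADMIN_PASSWORD_HASH); // constant-time hash compare
    return $userOk && $passOk;
}

// Call this at the top of every admin page; without it the login page protects nothing.
function require_login(string $loginUrl = '/login.php'): void
{
    if (empty($_SESSION['loggedin'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Returns an error message to display, or null when there is nothing to report.
function handle_login_post(): ?string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;
    }
    // Trim the whole POST array once; leave non-string values (e.g. name="x[]") alone.
    $post = array_map(static fn($v) => is_string($v) ? trim($v) : $v, $_POST);
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return 'Username and password are required.';
    }
    if (!verify_credentials($user, $pass)) {
        return 'Incorrect username or password.'; // same message for both failure cases
    }
    session_regenerate_id(true); // fresh session id on privilege change (blocks session fixation)
    $_SESSION['loggedin'] = true;
    header('Location: /dashboard.php');
    exit;
}
```

The login page calls handle_login_post() and shows its return value in place of $error; dashboard.php and every other admin page start with require_login().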