PHP Password Login

[dinoroger]

So I am attempting to create a very simple password only login page to navigate to secure PHP file (admin.php). When I mean simple it does not require a username and does not use a database in any way. It is of course as secure as the password you create. Currently my main protection is PHP itself as it does not render to the browser and unless the server breaks and treats a PHP file as an ASCII file I am under the impression that PHP is fairly safe because of this. Please correct me if I am wrong as I am new to the security proofing side of PHP. Below is an example and flow chart of the process I am thinking about. The password is stored in a PHP variable and is never transferred to the client side. Also the admin.php file has a variable set check so it could not be browsed to directly. Please poke as many holes as you want as I am learning and anything you can teach would be appreciated.



LOGIN.PHP FILE

Code: Select all

<!DOCTYPE html>
<?php
/*This file conatins the password.
The reason it is in a different files is because
this file will hold all settings (PHP variables)
for storing saved settings. No client side code. */
include('settings.php');
?>
<HTML>
	<HEAD>
		<script type='text/javascript'>
			function openWindowWithPost(url, params, newWin){
				//Changes page URL with POST parameters
				var form = document.createElement('form');
				form.setAttribute('method', "post");
				form.setAttribute('action', url);
				form.setAttribute('target', '_self');
				for (var i in params){
					if (params.hasOwnProperty(i)){
						var input = document.createElement('input');
						input.type = 'hidden';
						input.name = i;
						input.value = params[i];
						form.appendChild(input);
						if (newWin != undefined){
							form.target = '_blank';
						}
					}
				}
				document.body.appendChild(form);
				form.submit();
			}
			
			function login(){
				//Reloads the page with the POST parameter "letmein" set as password
				var params = {};
				params['letmein'] = document.getElementById('pswd').value;
				openWindowWithPost('Login.php', params);
			}
		</script>
	</HEAD>
	<BODY>
		<?php
		if (@$_POST['letmein'] != $securityWord){
			//No password or invalid password
			if (@$_POST['letmein'] != ''){
				//If password was invalid
				echo "<script type='text/javascript'>alert('Incorrect password');</script>".PHP_EOL;
			}
			?>
			<!-- Login HTML -->
			Password:
			<input type='password' id='pswd' />
			<button onclick='login();'>LOGIN</button>
		<?php
		} else {
			//Password was correct. Include page that is secure.
			include ('admin.php');
		}
		?>
	</BODY>
</HTML>

SETTINGS.PHP FILE

Code: Select all

<?php
$securityWord = 'password';

/*This page would contain more settings but 
for this example I am keeping it as basic as
possible. */
?>

ADMIN.PHP

Code: Select all

<?php
if (!isset($securityWord)){die('This is a secure site. Please use the login file (Login.php).');}
?>
You made it to the secure page!!!

[AdoptiveSolution]

This looks cleaner :

Code: Select all

<?php
include('settings.php');

$login = NULL;

if ( isset( $_POST['letmein'] ) ) {
	if( $_POST['letmein'] == $securityWord ) {
		$login = TRUE;
	} else {
		$login = FALSE;
	}
}
?>
<!DOCTYPE html>
<html>
	<head>
		<title><?php echo ( $login === TRUE ? 'Admin' : 'Login' ); ?></title>
	</head>
	<body>
		<?php
		if ( $login === TRUE ){
			//Password was correct. Include page that is secure.
			include ('admin.php');
		} else {
			//No password or invalid password
			if ( $login === FALSE ) {
				echo "<script>alert('Incorrect password');</script>".PHP_EOL;
			}
			?>
			<!-- Login HTML -->
			<form method="POST">
			Password:
			<input type='password' id='pswd' name='letmein' autofocus />
			<input type="submit" name="submit" value="LOGIN" />
			</form>
		<?php
		}
		?>
	</body>
</html>

[dinoroger]

Thanks yeah I got lazy and was used to using my function openWindowWithPost for a quick form for mainly POSTing to a new window browser. In this example yeah the function is not needed.

Getting back to the question on hand. Is the security method sound? I know the strength relies on a good password. What other things should I do to protect it. Some ideas I was thinking include:

• Limit the # of attempts somehow

• Put a captcha system in to prevent bot login attempts

• Create a username field also even though there is no user management system

Any suggestions like this or areas of the code you could see are completly unsecure?

[Strider64]

Code: Select all

include('settings.php');

$login = NULL;

if ( isset( $_POST['letmein'] ) ) {
	if( $_POST['letmein'] == $securityWord ) {
		$login = TRUE;
	} else {
		$login = FALSE;
	}
}
?>

even cleaner

Code: Select all

include('settings.php');

$login = NULL;

if ( isset( $_POST['letmein'] )  && $_POST['letmein'] === $securityWord) {
   $login = TRUE;
} else {
    $login = FALSE;
}
?>

and instead of a variable why not use a constant? Like this:

Code: Select all

  define('PASSWORD', 'your_db_password');

and by obfuscating variables is basically meaningless and in my opinion having variables (or constants) stand for something meaningful. Just my .02 cents.

[dinoroger]

The constant makes allot of sense. Yes I will try to use cleaner code but I just quickly put together this example with no real though other that the functionality. I guess I am glad that no one has spoken of a huge design flaw as of yet. Other than the method of coding any thoughts about the overall concept. Is it secure enough or should I take it to the next step and add a username constant, captcha, or other things?