-2

Is it safe to use this code publicly?

<?php
session_start();
// hard-coded credentials compared against the raw POST fields
if($_POST['name'] == "user" && $_POST['password'] == "password")
{
    $_SESSION['auth'] = 412;
    // the plaintext password is copied into the session
    $_SESSION["password"] = $_POST['password'];
    header('Location: login.php');
    exit();
}
?>

In login.php

<?php
session_start();
// access check: the marker value and the stored password must both be present
if(!isset($_SESSION['auth']) || $_SESSION['auth'] != 412 || !isset($_SESSION["password"]) || empty($_SESSION["password"]))
{
    header('Location: index.php');
    exit();
}
?>

I just need some verification to enter login.php...

f1Ow
    Nope. Not safe at all. Credentials should never be stored in session variables. You're not managing user input. – Jay Blanchard Sep 10 '20 at 17:05
  • not if the username and password is user and password :/ – Lawrence Cherone Sep 10 '20 at 17:05
  • Why would you store a password in the session? Why would you have authentication and then redirect to a login page? I think the short answer to this is no. How hard do you think it would be for someone to guess these session names and values? – imposterSyndrome Sep 10 '20 at 17:08

1 Answer

-1

CSRF and stuff aside, no. This code is a very poor approach.

Why?

  1. Passwords should never be stored in plaintext; use a secure hash algorithm to ensure that they can't be easily read from the source code.
  2. The password doesn't belong in the session in any way.

Just take a look at password_hash.

maio290
    Not my DV, but you probably got downvoted because there are duplicates and the question shows little effort to determine the answers. Keep in mind that downvotes are not personal, only an indication of the usefulness of an answer. It doesn't matter 'who' did it. The discussion of requirements to comment on downvotes has gone on ad nauseam for years on Meta. – Jay Blanchard Sep 10 '20 at 17:12
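A sketch of what the answer is pointing at, added here as an example and not code from the asker or the answerer: the credential is checked with password_verify() against a password_hash() value, the session records only who logged in (never the password), and the session id is rotated on login. The $users array, $dummyHash, the cookie flags and the 401 response are assumptions for the demo; the file names index.php and login.php follow the question.

```php
<?php
// Hypothetical credential store. In a real application the hash is produced
// by password_hash() at registration and kept in a database; it is computed
// here only so the example runs stand-alone.
$users = [
    'user' => password_hash('example-secret', PASSWORD_DEFAULT),
];
// Verified against for unknown usernames, so a bad username and a bad
// password take about the same time to reject (no user enumeration by timing).
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

// Cookie flags: not readable by scripts, HTTPS only, not sent cross-site.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function attemptLogin(array $users, string $dummyHash, string $name, string $password): bool
{
    $stored = $users[$name] ?? $dummyHash;
    $valid  = password_verify($password, $stored) && isset($users[$name]);
    if (!$valid) {
        return false;
    }
    // Fresh id on login: a session id fixed before authentication must not
    // carry the logged-in state.
    session_regenerate_id(true);
    // Store the identity only; the session itself is the proof of login.
    $_SESSION['user'] = $name;
    return true;
}

// Guard for protected pages (the question's login.php).
function requireLogin(string $redirectTo = 'index.php'): void
{
    if (empty($_SESSION['user'])) {
        header('Location: ' . $redirectTo);
        exit();
    }
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $name     = (string)($_POST['name'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (attemptLogin($users, $dummyHash, $name, $password)) {
        header('Location: login.php');
        exit();
    }
    http_response_code(401); // same response for wrong user and wrong password
}
```

login.php would call requireLogin() after session_start() instead of comparing marker values and a stored password.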