
Is this login system secure?

I am just wondering for the sake of knowledge if this login system is secure, because I had planned on using it as a learning tool. I don't want to use anything that will teach me the wrong way. Can anyone help?

https://github.com/ivannovak/jpmaster77-s-Login-System-


Skimming the code quickly, I don't think you should use this code, because it could be compromised.

P.S.: I also don't think you should be learning that stuff (if you want to learn OpenID specifications/libraries), but leave it to the security experts. You should use OpenID/Facebook Connect/etc. I use rpxnow.com with much pleasure.

Old codebase

First of all, the code base is old. The last commit is from August 11, 2009. I would look at a login system which is more maintained (newer). For example, it does not use the newer/safer PDO to access your database. I also find the codebase a little bit messy. No MVC?

SSL

Not sure if this codebase enforces SSL. If not, then your passwords will be transmitted in plain text.

MySQL injection

This code might be unsafe because of MySQL injection =>
https://github.com/ivannovak/jpmaster77-s-Login-System-/blob/master/mail.php#L118

$q = "SELECT * FROM mail WHERE UserTo = '$user' ORDER BY SentDate DESC";

If session->username has been compromised (I have not looked at all references), then your system is unsafe. A decent (modern) system uses PDO.

No salt

I don't believe the system uses a salt, so with a rainbow table all passwords can be discovered when your database is compromised. =>
https://github.com/ivannovak/jpmaster77-s-Login-System-/blob/master/include/session.php#L157

$result = $database->confirmUserPass($subuser, md5($subpass));

Other things you should consider

  • CSRF
  • XSS attacks

localhost?

Also, this line is strange (not unsafe) =>
https://github.com/ivannovak/jpmaster77-s-Login-System-/blob/master/include/mailer.php#L34
You can't reach localhost from the internet.


Some points you may want to consider:

1) Does it use MD5 encryption or SHA1 (SHA1 is better)?

2) Does it use salting or not?

3) Does it ensure that only https access is allowed? (Ideally the http:// login/password page should redirect to the https:// version.)

4) How does forgot-password work? The password reset link should ideally be sent to the registered email ID instead of being accessible directly online. If there are some inbuilt security questions, are they tough enough? Are the security question answers themselves properly encrypted?

regards,

JP
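Points 3 and 4 of the answer above, worked through as an added example that is not code from the jpmaster77 repository: a login page that redirects plain-HTTP requests to the https:// version, and a forgot-password flow whose reset token is only ever delivered to the registered address. The `users` and `password_resets` tables, their column names and the one-hour lifetime are assumptions; SQLite in memory is used so the script runs stand-alone.

```php
<?php
// Added example (not the repository's code). Assumed schema: users(id, email),
// password_resets(id, user_id, token_hash, expires_at). Runs stand-alone on SQLite.
declare(strict_types=1);

// Point 3: if the request did not arrive over TLS, return the https:// URL the caller
// should redirect to; null means the page can be served as-is.
function httpsRedirectTarget(array $server): ?string
{
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && $https !== 'off') {
        return null;                                // already TLS
    }
    // Behind a TLS-terminating proxy, check the header that proxy sets instead of
    // $_SERVER['HTTPS']; and prefer a configured hostname over HTTP_HOST if the
    // Host header is not trusted.
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Point 4: the reset link is built from a random token that exists only in the
// e-mail. The database holds a hash of it (a dump yields no usable links), it expires,
// and it is deleted on first use.
function createResetToken(PDO $db, string $email, int $now): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;          // caller shows the same "check your inbox" text either way
    }
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at)
                          VALUES (:uid, :hash, :exp)');
    $stmt->execute([
        ':uid'  => $userId,
        ':hash' => hash('sha256', $token),
        ':exp'  => $now + 3600,                    // assumed lifetime: one hour
    ]);
    return $token;
}

// Returns the user id the token belongs to, or null if it is unknown, expired or used.
function consumeResetToken(PDO $db, string $token, int $now): ?int
{
    $stmt = $db->prepare('SELECT id, user_id FROM password_resets
                          WHERE token_hash = :hash AND expires_at > :now');
    $stmt->execute([':hash' => hash('sha256', $token), ':now' => $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM password_resets WHERE id = :id')->execute([':id' => $row['id']]);
    return (int) $row['user_id'];
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$db->exec('CREATE TABLE password_resets (id INTEGER PRIMARY KEY, user_id INTEGER,
           token_hash TEXT, expires_at INTEGER)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com')");

$t0    = time();
$token = createResetToken($db, 'alice@example.com', $t0);
// In the real page the token leaves only via mail(), e.g.
// mail('alice@example.com', 'Password reset', "https://example.com/reset.php?token=$token");
var_dump(createResetToken($db, 'nobody@example.com', $t0));   // unknown address
var_dump(consumeResetToken($db, $token, $t0 + 60));           // first use
var_dump(consumeResetToken($db, $token, $t0 + 120));          // same token again
var_dump(httpsRedirectTarget(['HTTPS' => '', 'HTTP_HOST' => 'example.com',
                              'REQUEST_URI' => '/login.php']));
```

At the top of the login page the helper is used as `if ($to = httpsRedirectTarget($_SERVER)) { header('Location: ' . $to, true, 301); exit; }`. In the demo the unknown address yields null, the first consumption returns the user id, the second returns null because the row was deleted, and the plain-HTTP request is redirected to `https://example.com/login.php`. Returning null for an unknown address while the page shows the same message in both cases keeps the form from confirming which e-mail addresses are registered.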


Looking at your code, it seems you are storing the username and userid in 3 locations: the session (quite OK, but prone to session hijacking depending on your server) and 2 cookies (looks very wrong, as the username is already half of the work done for compromising a system).

  • passwords are not salted, which makes passwords easier to guess.
  • usernames are checked against the database before scrubbing (remember Bobby Tables, xkcd)
  • don't ever trust addslashes or any magic quote function; use placeholders to transmit variables to queries (always!!!!)
  • Having any modification to the user table outside admin purposes is bad (security-wise because you cannot separate DB users for the different purposes; performance-wise because I know that writing to a table requires table or row locking, if you are lucky)
  • perform your read and update queries, preferably with different users.
  • try not to use code where the comments tell you where the cool part is; any sane coder would not put this kind of stuff in their comments.
  • the database layer has one function to check username+userid, but the session include makes a direct query to check the username in the login function?

My advice would be to use something else.


I'll assume that you really want to learn and not just use the code.

I fear that if you ask this question here, and someone answers yes or no, you will learn nothing. Just look at the code and ask yourself what the code is doing at every step. Search for common security issues in login systems online, then check if the code has some.

There is no such thing as "teach me the wrong way". If you find out, by your own means, that the code is bad, you learn something. If you find out that the code is good, you also learn something.

If you assume that the code is good or bad without looking at it in depth, you learn nothing.
