01-26-2006, 09:14 PM
|
#1 (permalink)
|
Junior Techie Join Date: Aug 2004 Location: NC, USA Posts: 57
| Password Protecting a Web Directory - Multiple Users (Windows)
Hey guys,
I've been messing around with this one for a while now and finally decided to return to the tried and true CTF for some answers.
I just started a web site for an organization and part of it is devoted to a database which contains dozens of records that the board members would like to be able to access online. Naturally, some of these records contain confidential information and I would like to be able to set up a simple system that lets these members log in and out with their own accounts and uses cookies so that they do not have to log in for every page in the database, but cannot get to any of them without first being logged in. Are there some scripts somewhere I could get to implement this? My host is GoDaddy. I was surprised to find that they did not have a tool that would allow me to do this. |
| |
01-26-2006, 09:18 PM
|
#2 (permalink)
|
Ultra Techie Join Date: Jul 2005 Posts: 530
| Easiest way would be to write a few simple PHP scripts.
Do you have any programming experience?
__________________ Desktop machine: 2 x Opteron 246, Asus K8N-DL, 2GB PC3200 ECC Reg., XFX GeForce 6600GT, 74gb WD Raptor, 2 x 19" LCDs, Windows XP x64
Server machine: Intel P4 3.0GHz 2MB EM64T, ECS i865pe, 1GB PC3200, 36gb WD Raptor, Windows Server 2003
Laptop: Dell Inspiron 9100 (Intel P4 3.2GHz 1MB Prescott, i865pe, 512MB PC3200, Mobility Radeon 9700, DVD+R/DL Burner), Windows XP
Linux: P3 450Mhz, 386MB ram, Slackware 10.1 (Running mySQL/Apache) |
| |
01-26-2006, 09:24 PM
|
#3 (permalink)
|
Junior Techie Join Date: Aug 2004 Location: NC, USA Posts: 57
|  Of course not. If I did, I wouldn't be looking to you guys for help. I only know the very most basic VB, just enough to write a few pieces of my ASP pages for the database. Most of it I got out of tutorials. If you think it would be simple with PHP, though, and it's not too different from all the other programming languages, I could hunt for a few tutorials, though they usually never directly address exactly what I need... |
| |
01-26-2006, 11:35 PM
|
#4 (permalink)
|
Ultra Techie Join Date: Jul 2005 Posts: 530
| Well, even people with lots of programming experience have to ask questions.
Anyway, if you're knowledgeable about databases and are willing to learn, I can help you with some simple PHP that would allow for a login script.
| |
01-26-2006, 11:59 PM
|
#5 (permalink)
|
Junior Techie Join Date: Aug 2004 Location: NC, USA Posts: 57
| Always willing to learn!  I wouldn't call myself knowledgeable about databases in any sense, but I catch on pretty quick. I'll give it a go! |
| |
01-27-2006, 12:29 AM
|
#6 (permalink)
|
Ultra Techie Join Date: Jul 2005 Posts: 530
| Well, you'll need to read up on some databases... there's not really much I can do for you if you're not really familiar with database use.
Maybe you can find some ready-made PHP scripts on the web somewhere that do this?
The gist of it is, you'll need a table in a SQL server of some kind that would hold user id, user name, and an encrypted user password.
Then, you would need a PHP page that was basically just an HTML form that posted back login info, and then you take the password, send it to the built-in PHP function md5() to get the MD5 hash.
Then you insert a row into the database containing user id, username, and the hashed password.
Then you have another page for login to the secure area. This page is basically the same, except it takes username and password and hashes the password (again using MD5) and queries the database for any row where the stored username equals the provided username. Then, you compare the MD5 hash you computed from the provided password with the stored MD5 hash on the SQL server.
If they are equal, then you allow the user to log in. Essentially, you can redirect them using an HTTP meta-refresh to your secure page. You would append "?uid=joeuser&md5=1fa44acd3498fdb43934" (where joeuser and the string of chars represent your hashed info).
Now, in every secured page, you again query the database with those credentials as you did in the login page. If they match, you display the page normally. If they do not match, you bump the user back to the login page.
This is an oversimplified description of what's involved. There are actually much better ways to handle this, and this is by NO means perfectly secure, but it is basic and it provides a reasonable level of security. By re-checking the hash in every page, you waste a little performance but you gain a little security. The MD5 is not a reversible encryption (it's actually a hash which is different but very secure).
A better way to handle this would be to use cookies (more complicated if you're unfamiliar) instead of posting the variables using the GET method, or to create a sessions table in the database, and use the sessions feature of PHP to keep the user logged in and pass the credentials via session variables.
Look up any of the topics I listed above on Google for some more assistance.
| |
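An added example, not part of the thread or any poster's code: the session-based variant mentioned at the end of post #6, with a salted `password_hash()` in place of a bare `md5()` and nothing credential-like placed in the URL. The `users` table, its columns and the function names are assumptions made for illustration, and an in-memory SQLite database stands in for the SQL server so the script runs on its own.

```php
<?php
// Added example; table, column and function names are hypothetical.
// Uses an in-memory SQLite database (pdo_sqlite) so it runs stand-alone.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    return $db;
}

// Registration: store a salted, slow hash (bcrypt by default), not a bare md5().
function register_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch the row with a bound parameter, then verify the password.
// On success only the user id is kept in the server-side session; the browser
// holds just the session cookie, so no hash ever travels in a query string.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id after authentication
    }
    $_SESSION['uid'] = (int) $row['id'];
    return true;
}

// Guard for the top of every protected page: null means "not logged in".
function current_user_id(): ?int {
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

// Constructed demo data. On a real page, call session_start() before any
// output and redirect to the login form when current_user_id() is null.
$_SESSION = [];
$db = open_db();
register_user($db, 'joeuser', 'correct horse battery staple');
var_dump(login($db, 'joeuser', 'wrong-guess'));
var_dump(current_user_id());
var_dump(login($db, 'joeuser', 'correct horse battery staple'));
var_dump(current_user_id());
```

Logging out is the reverse of the last step: clear `$_SESSION` and call `session_destroy()`.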
05-19-2006, 07:01 PM
|
#7 (permalink)
|
Junior Techie Join Date: Aug 2004 Location: NC, USA Posts: 57
| ó_ò Hey, guys...
I came in here to inquire about this and, in searching to make sure my questions hadn't been answered elsewhere, came upon my first inquiry, which I'd forgotten about. Go figure.
Anyway, believe it or not, I've still not come up with a solution. I've downloaded script after script and none of them come even close to working. What I really need is something in ASP. My server doesn't support SQL or PHP. All of my database pages are done in ASP anyway (VBScript). Basically just what TheHeadFL there was describing earlier. Something really simple. A user can log in and, using queries... cookies... whatever... each page they visit will make sure they are A-Okay and they can move freely around the database until they log out. I tried a system based on IP address, but not everyone is static, so that didn't work. What am I missing here? There are thousands of sites that use simple login systems like this. Surely it can't be that difficult to set up...? |