The best way for login system
#1

[eluser]frrose[/eluser]
Hello everybody,

I need to know the best way to do a login.
I need the best security.

I did something, but I think it is not that good.
My code is here:

Code:
<?php

class Login extends Controller {

    function Login()
    {
        parent::Controller();
        $this->load->helper(array('form', 'url'));
        $this->load->library('session');
        $this->load->database();
    }

    function index()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('email', 'Email', 'required');
        $this->form_validation->set_rules('password', 'Password', 'required');

        // run() is a method; without the parentheses this read a property that does not exist
        if ($this->form_validation->run() == FALSE)
        {
            $this->load->view('login_form');

        } else {

            $data['email']    = $this->input->post('email');
            $data['password'] = $this->input->post('password');
            // bound parameters (?) keep the query safe from injection; the password is compared as stored
            $sql = "SELECT * FROM admin WHERE email=? AND password=?";
            $query = $this->db->query($sql, array($data['email'], $data['password']));

            if ($query->num_rows() > 0) {

                foreach ($query->result() as $row) {
                    $sessions = array('id' => $row->id, 'email' => $row->email, 'name' => $row->name);
                    $this->session->set_userdata($sessions);
                    redirect('home');
                }

            } else {
                $this->load->view('wrong');
            }
        }
    }

}

And this is to check if the user is logged in:

Code:
if (!$this->session->userdata('id'))
{
    redirect('form');
} else {
    // the login stored the display name under 'name', so read the same key back
    $data['myname'] = $this->session->userdata('name');
}
#2

[eluser]Phil Sturgeon[/eluser]
You need to encrypt your passwords. Right now they are stored in plain text, which is no good.

Take a look at the Encryption Class and store your passwords with md5 or sha1. Then just encrypt the post variable the same and compare the two.
#3

[eluser]frrose[/eluser]
Yes, I know that.
I will do it before putting it in the database.

But I mean, is it a good way for session and login, or can it be hacked?
#4

[eluser]oddman[/eluser]
[quote author="frrose" date="1240424425"]Yes, I know that.
I will do it before putting it in the database.

But I mean, is it a good way for session and login, or can it be hacked?[/quote]

There isn't much to it, but what I would do is probably encrypt the id as well. This would ensure that anyone who hijacks the session and is trying to alter the ID is going to have an incredibly hard time doing so. Also, a session variable that is encrypted is far less likely to have its purpose guessed than one that isn't. My 2c.
#5

[eluser]Dam1an[/eluser]
[quote author="Phil Sturgeon" date="1240424267"]You need to encrypt your passwords. Right now they are stored in plain text, which is no good.[/quote]

As well as just encrypting them, I would salt them as well, so you encrypt once using md5/sha1, then concat that with a random string, and then encrypt that again.
It gives another level of security above standard encryption.
#6

[eluser]frrose[/eluser]
Thanks all.

But please, can you help me with the code?
#7

[eluser]Dam1an[/eluser]
Which part of the code do you need help with? It's pretty much already there.
#8

[eluser]frrose[/eluser]
I need help with the encryption.
#9

[eluser]guidorossi[/eluser]
For the encryption part:

First you need to store the password in the database encrypted the same way, so that it matches.

Taking this from your code, it is really simple:

Code:
$data['email']     = $this->input->post('email');
$data['password'] = sha1($this->input->post('password')); // hash the password with sha1 before comparing
$sql = "SELECT * from admin WHERE email=? AND password=?";
$query = $this->db->query($sql, array($data['email'],$data['password']));

I think that's OK, but if you want something more secure you can "salt" the hash like this:

Code:
$salt = "some secret string";

$data['email']     = $this->input->post('email');
$data['password'] = sha1($this->input->post('password').$salt);
$sql = "SELECT * from admin WHERE email=? AND password=?";
$query = $this->db->query($sql, array($data['email'],$data['password']));

The salt can be static like in this example, or it can be generated randomly. If you generate a random salt, you need to save it in the database.

You can find an article about this at http://phpsec.org/articles/2005/password-hashing.html
#10

[eluser]louis w[/eluser]
For the authentication of my CMS I store the username and encrypted password in the session after a successful login. Then, on every request (in my base controller), I authenticate the request. That way I am sure that the CMS action is from a valid user. This also allows me to deactivate a user and have them immediately denied access, instead of when their session expires.
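Added example, not code from the thread or from CodeIgniter: a plain-PHP sketch of the two ideas in posts #9 and #10 together, a random salt per user saved next to the hash (so the lookup has to be by email, with the salted hash recomputed and compared afterwards) and a per-request re-check of the session against the user row so a deactivated account is rejected at once. An in-memory array stands in for the `admin` table; `$users`, `register_user`, `authenticate`, `is_request_authenticated` and `check` are hypothetical names, and PHP 7.0+ is assumed for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example (not from the thread): plain PHP, no framework. An in-memory
// array stands in for the "admin" table; all names below are hypothetical.
// Assumes PHP 7.0+ for random_bytes() and hash_equals().

// Constructed stand-in for the admin table, keyed by email.
$users = array();

// Registration: a random salt per user (post #9: "if you generate a random salt
// you need to save it in the database"), stored beside the salted hash.
function register_user(array &$users, $id, $email, $name, $password)
{
    $salt = bin2hex(random_bytes(16));            // 32 hex chars, unique per user
    $users[$email] = array(
        'id'     => $id,
        'email'  => $email,
        'name'   => $name,
        'salt'   => $salt,
        'hash'   => hash('sha256', $salt . $password),
        'active' => true,                         // cleared to deactivate the account
    );
}

// Login: with a per-user salt the thread's "WHERE email=? AND password=?" query
// no longer applies, so look the row up by email, recompute the salted hash and
// compare it in constant time. Returns the row on success, null otherwise.
function authenticate(array $users, $email, $password)
{
    if (!isset($users[$email]) || !$users[$email]['active']) {
        return null;
    }
    $row       = $users[$email];
    $candidate = hash('sha256', $row['salt'] . $password);
    return hash_equals($row['hash'], $candidate) ? $row : null;
}

// Per-request check (post #10): the session keeps the email and the stored hash;
// every request re-reads the row, so a deactivated user is rejected immediately
// instead of when the session expires.
function is_request_authenticated(array $users, array $session)
{
    if (empty($session['email']) || empty($session['hash'])) {
        return false;
    }
    if (!isset($users[$session['email']])) {
        return false;
    }
    $row = $users[$session['email']];
    return $row['active'] && hash_equals($row['hash'], $session['hash']);
}

// Tiny assertion helper so the walk-through fails loudly instead of relying on assert().
function check($cond, $label)
{
    if (!$cond) {
        throw new RuntimeException("check failed: $label");
    }
}

// Walk-through with constructed data.
register_user($users, 1, 'admin@example.com', 'Admin', 'correct horse battery');

$row = authenticate($users, 'admin@example.com', 'correct horse battery');
check($row !== null, 'valid login succeeds');
check(authenticate($users, 'admin@example.com', 'wrong') === null, 'wrong password fails');
check(authenticate($users, 'nobody@example.com', 'x') === null, 'unknown email fails');

// What the login controller would put in the session after success.
$session = array('email' => $row['email'], 'hash' => $row['hash']);
check(is_request_authenticated($users, $session), 'session accepted on next request');

$tampered = $session;
$tampered['hash'] = 'abc';
check(!is_request_authenticated($users, $tampered), 'altered session hash rejected');

$users['admin@example.com']['active'] = false;   // deactivate the account
check(!is_request_authenticated($users, $session), 'deactivated user rejected immediately');

echo "all checks passed\n";
```

Two notes on the design. The salt and hash are compared with `hash_equals()` rather than `==` so that the comparison does not leak how many leading characters matched. For any PHP 5.5 or newer install, `password_hash()` and `password_verify()` do the salting and use a deliberately slow hash (bcrypt), and are what a new login system should reach for instead of a home-made sha1/sha256 construction; the hand-rolled version above is kept only to mirror the steps the thread discusses.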