I am just wondering, for the sake of knowledge, if this login system is secure, because I had planned on using it as a learning tool. I don't want to use anything that will teach me the wrong way. Can anyone help?
https://github.com/ivannovak/jpmaster77-s-Login-System-
When skimming the code quickly, I don't think you should use this code, because it could be compromised.
P.S.: I also don't think you should be learning that stuff (if you want to learn OpenID specifications/libraries), but leave it to the security experts. You should use OpenID/Facebook Connect/etc. I use rpxnow.com with much pleasure.
First of all, the code base is old. The last commit is August 11, 2009. I would look at a login system which is more maintained (newer). For example, it does not use the newer/safer PDO to access your database. I also find the codebase a little bit messy. No MVC?
Not sure if this codebase enforces SSL. If not, then your passwords will be transmitted in plain text.
This code might be unsafe because of MySQL injection =>
https://github.com/ivannovak/jpmaster77-s-Login-System-/blob/master/mail.php#L118
$q = "SELECT * FROM mail WHERE UserTo = '$user' ORDER BY SentDate DESC";
If $session->username has been compromised (I have not looked at all references), then your system is unsafe. A decent (modern) system uses PDO.
I don't believe the system uses a salt, so with a rainbow table all passwords can be discovered when your database is compromised. =>
https://github.com/ivannovak/jpmaster77-s-Login-System-/blob/master/include/session.php#L157
$result = $database->confirmUserPass($subuser, md5($subpass));
Also, this line is strange (not unsafe) =>
https://github.com/ivannovak/jpmaster77-s-Login-System-/blob/master/include/mailer.php#L34
You can't reach localhost from the internet.
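The two problems the answer points at (the interpolated query in mail.php#L118 and the unsalted md5() in session.php#L157) can be shown side by side with their PDO-based fixes. The following is an added example written for this discussion, not code from the jpmaster77 repository: it uses an in-memory SQLite database through PDO so it runs stand-alone, and the table layout, user names, passwords and function names (weakHash, registerUser, checkLogin, mailForUserInterpolated, mailForUserPrepared) are all constructed for the demonstration.

```php
<?php
// Added example (not from the repository in the question): the flagged
// patterns beside their PDO-based replacements. The database, table layout
// and sample users below are constructed for the demo.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE mail (id INTEGER PRIMARY KEY, UserTo TEXT, Subject TEXT, SentDate TEXT)');

// --- 1. Password storage: unsalted md5 (the session.php pattern) vs password_hash ---

// Weak: unsalted md5 gives every user with the same password the same digest,
// and a leaked digest can be looked up in a precomputed table.
function weakHash(string $password): string
{
    return md5($password);
}

// Preferred: password_hash() generates a random per-user salt and uses a slow
// algorithm (bcrypt for PASSWORD_DEFAULT); the salt is stored inside the hash.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Constructed replacement for a confirmUserPass-style check: password_verify()
// reads the salt and cost out of the stored hash and compares in constant time.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pass_hash']);
}

// --- 2. Mailbox query: string interpolation (the mail.php pattern) vs a prepared statement ---

// Vulnerable: $user is pasted into the SQL text, so a value containing a quote
// becomes part of the query instead of part of the data.
function mailForUserInterpolated(PDO $db, string $user): array
{
    $q = "SELECT * FROM mail WHERE UserTo = '$user' ORDER BY SentDate DESC";
    return $db->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter and is never parsed as SQL.
function mailForUserPrepared(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT * FROM mail WHERE UserTo = :u ORDER BY SentDate DESC');
    $stmt->execute([':u' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with constructed data ---
registerUser($db, 'alice', 'correct horse');
registerUser($db, 'bob', 'correct horse');
$db->exec("INSERT INTO mail (UserTo, Subject, SentDate) VALUES ('alice', 'hi alice', '2009-08-11')");
$db->exec("INSERT INTO mail (UserTo, Subject, SentDate) VALUES ('bob', 'hi bob', '2009-08-10')");

// Two users, one password: md5 digests collide, bcrypt hashes differ.
echo 'md5 digests identical: ', var_export(weakHash('correct horse') === weakHash('correct horse'), true), "\n";
$hashes = $db->query('SELECT pass_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
echo 'bcrypt hashes differ:  ', var_export($hashes[0] !== $hashes[1], true), "\n";
echo 'alice / right pw:      ', var_export(checkLogin($db, 'alice', 'correct horse'), true), "\n";
echo 'alice / wrong pw:      ', var_export(checkLogin($db, 'alice', 'wrong'), true), "\n";

// A "username" that is really a SQL fragment: interpolated, it rewrites the
// WHERE clause and returns every mailbox; prepared, it matches no row.
$odd = "x' OR '1'='1";
echo 'interpolated rows: ', count(mailForUserInterpolated($db, $odd)), "\n";
echo 'prepared rows:     ', count(mailForUserPrepared($db, $odd)), "\n";
```

Run it with any PHP build that has pdo_sqlite enabled; the row counts at the end are the whole point of the answer's "mysql injection" remark, and the differing bcrypt hashes for the same password show what the missing salt costs when the database leaks.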