Authentication for administration only pages


Postby arcanine » Fri Jan 13, 2012 6:24 pm

This PHP script checks the accounts table and the character tables to check that the account exists in the database and that the characters associated with the account are sRank 1 (a GM character). Whatever functions you put inside index.php is up to you, but you should be safe in the knowledge that no one without your GM account details should be able to access the page, so you can safely put administration functions on pages that are protected.

login.php:
Code:
<html>
<head></head>
<body>

<form method="post" action="checklogin.php">
<input name="username" type="text" id="username">
<input name="password" type="password" id="password">
<input type="submit" name="submit" value="login">
</form>

</body>
</html>

checklogin.php:
Code:
<?php
session_start();                        // must run before anything is stored in $_SESSION
include("conf.php");                    // conf.php is expected to set up $conn (the mssql_connect() link)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$username = stripslashes($username);
$password = stripslashes($password);

// Whitelist: letters, digits, _ @ . - and space only. Quotes, semicolons and
// comment markers never reach the query. The exit is essential: header() on its
// own does not stop the script, so without it the query below still runs.
if(!preg_match('/^[\w@\.\- ]+$/', $username . $password))
{
   header("location:login.php");
   exit;
}

$sql = "select * from [chars] c
inner join ngscuser n on n.strUserId = c.strAccount
inner join gameuser g on g.strUserId in (c.strChar01, c.strChar02, c.strChar03)
where n.strUserId='$username' and n.strPasswd='$password' and g.sRank = '1'";
$result = mssql_query($sql, $conn);
$count = mssql_num_rows($result);

if($count > 0){
   session_regenerate_id(true);         // new session id on login, so a pre-set (fixated) id is useless
   $_SESSION['username'] = $username;   // session_register() was removed in PHP 5.4; only the
   header("location:index.php");        // username is needed later, the password is not kept
   exit;
}
else{
   header("location:login.php");
   exit;
}
?>

index.php:
Code:
<?php
session_start();
if(!isset($_SESSION['username'])){     // session_is_registered() was removed in PHP 5.4
header("location:login.php");
exit;                                  // stop here, otherwise the page body below is still sent
}
?>

<html>
<body>
Login Successful
</body>
</html>

All protected pages must have:
Code:
<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:login.php");
exit;
}
?>

as seen in index.php at the top.
Put these scripts inside your XAMPP htdocs directory, because they require the conf.php file to access your database.
If you've seen any problems with the script or think it could be done in a better way, please post so that this can be improved.
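A hardened version of the same check, added here as an example rather than arcanine's script: the account/character join runs as a PDO prepared statement (assuming the sqlsrv PDO driver and that conf.php provides a `$pdo` connection in exception mode, both assumptions), and the page guard gets an idle timeout and session-id regeneration. The function names `is_gm_account`, `admin_login` and `require_admin` are mine.

```php
<?php
// admin_auth.php: added example, not the script from the post above. It runs the
// same account/character join as a prepared statement (PDO with the sqlsrv driver,
// an assumption; the post uses the mssql_* functions) and hardens the session.
// conf.php is assumed to provide $pdo, a PDO connection in exception mode.
require_once 'conf.php';

const SESSION_IDLE_LIMIT = 600;   // seconds of inactivity before a fresh login (assumed)

// Same rule as the post: the account exists and one of its characters has sRank 1.
// With placeholders a quote or semicolon in the input is data, never SQL, whatever
// the input filter lets through.
function is_gm_account(PDO $db, string $username, string $password): bool {
    $sql = "select count(*) from [chars] c
            inner join ngscuser n on n.strUserId = c.strAccount
            inner join gameuser g on g.strUserId in (c.strChar01, c.strChar02, c.strChar03)
            where n.strUserId = ? and n.strPasswd = ? and g.sRank = '1'";
    $stmt = $db->prepare($sql);
    $stmt->execute([$username, $password]);
    return (int) $stmt->fetchColumn() > 0;
}

// Successful login: new session id (defeats session fixation) and only the username
// is stored; no protected page needs the password again.
function admin_login(PDO $db, string $username, string $password): bool {
    if (!is_gm_account($db, $username, $password)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of every protected page. exit matters: header() alone does not
// stop PHP from sending the rest of the page.
function require_admin(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (empty($_SESSION['username']) || $idle > SESSION_IDLE_LIMIT) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
}
```

checklogin.php then reduces to calling `admin_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')` and redirecting to index.php or login.php on its result, and every protected page starts with `require_admin();` instead of the inline check.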

Re: Authentication for administration only pages

Postby savate » Sat Jan 14, 2012 6:20 am

I have a feeling why you have posted this! Lol, and I'm going for a shot in the dark: you have your remote server functions working? Like restart server through website? And stuff :P

Maybe you could add a security code on the login script, so even if they know the login on the server they can only get access if they know the security code as well, which can be held in any of the useless fields in the Ngsuser table or in one of the serverside PvP scripts as a variable so it is not only stored in the database. I know it's too much protection, but the last thing you want is someone guessing your account details then running havoc with the server at 3am lol

Example:

Username - Savate
Password - 12345
Security code - test1234

Not much of an idea, but something that could be an option I suppose lol. It's 5 am, don't judge my ideas, I'm knackered and can't sleep lol

Re: Authentication for administration only pages

Postby arcanine » Sat Jan 14, 2012 3:57 pm

You'd be right, currently working on the second stage authentication for a Web Sockets implementation. I need to do the authentication inside the C# application, as the client side is JavaScript web sockets which can easily be taken out of the PHP security scope, using the PHP session to input the logins into the JavaScript, which automatically sends them across to the server to be authenticated, so users only see one authentication going on.

Re: Authentication for administration only pages

Postby iSylver » Fri Jan 27, 2012 8:06 am

Alternatively you could have a specific IP access for further security linked to the username.

With our MoS site for the admin side of things we have an admin lookup table. This way, in the event that someone gets our details, they won't be able to access admin functionality.

Re: Authentication for administration only pages

Postby arcanine » Fri Jan 27, 2012 5:49 pm

Oh that's cool. I'm not sure I would implement something similar because the use case is a little different: expecting administrators using their mobiles that may be on different IPs, I can imagine a lot of frustrated mobile users being shut out because they've been allocated a new IP, though an IP record of some kind may be an idea based off your own idea.

Re: Authentication for administration only pages

Postby savate » Fri Jan 27, 2012 6:34 pm

Have a rule set similar to a firewall,

Allow 163.131.3.78
Allow 231.34.122.63
Deny all

This will, unless an IP matches, deny all connections (the IPs are just randomly made up). Problem is mobile IPs will be dynamic, so maybe a security code which leases you access for 10 mins? Harder to implement but safe I suppose, and obviously an access log will be essential.
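The allow/deny rule set above, kept per username as iSylver's admin lookup table does, together with the 10-minute security-code lease and an access log, as an added example in PHP (not code from anyone in the thread). It assumes the rules and the code live in a PHP config file rather than the database, that session_start() has already run, that the web server exposes the client address in REMOTE_ADDR, and the sample addresses and the `ADMIN_SECURITY_CODE` value are placeholders; the function names are mine.

```php
<?php
// Added example (not from the thread): firewall-style allow/deny rules per username,
// evaluated in PHP with default deny, plus a 10-minute "security code" lease for admins
// on dynamic mobile IPs and an access log. Assumes session_start() has already run and
// the client address is in $_SERVER['REMOTE_ADDR']. Addresses and code are placeholders.
const ADMIN_RULES = [
    'arcanine' => ['Allow 203.0.113.0/24', 'Allow 198.51.100.7', 'Deny all'],
];
const ADMIN_SECURITY_CODE = 'replace-me';   // placeholder; kept in code, not in the DB
const LEASE_SECONDS = 600;

// True if $ip falls inside $cidr ("a.b.c.d" or "a.b.c.d/n", IPv4 only, 64-bit PHP).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) return false;
    $mask = (int) $bits === 0 ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// First matching rule wins; no match at all is a deny, exactly like a firewall.
function ip_allowed(string $user, string $ip): bool {
    foreach (ADMIN_RULES[$user] ?? [] as $rule) {
        [$verb, $target] = array_pad(preg_split('/\s+/', trim($rule), 2), 2, '');
        if ($target === 'all' || ip_in_cidr($ip, $target)) {
            return strcasecmp($verb, 'Allow') === 0;
        }
    }
    return false;
}

// Security code typed on the login page grants a timed lease; hash_equals keeps the
// comparison constant-time, so response timing does not reveal matching prefixes.
function grant_lease(string $typedCode): bool {
    if (!hash_equals(ADMIN_SECURITY_CODE, $typedCode)) return false;
    $_SESSION['lease_until'] = time() + LEASE_SECONDS;
    return true;
}

// Gate for protected pages: logged-in user AND (IP rule OR live lease). Every
// decision is appended to the access log, so an attempt at 3am leaves a trace.
function require_admin_access(string $logFile): void {
    $user  = $_SESSION['username'] ?? '';
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $lease = time() < ($_SESSION['lease_until'] ?? 0);
    $ok    = $user !== '' && (ip_allowed($user, $ip) || $lease);
    $line  = sprintf("%s %s %s %s\n", date('c'), $user, $ip, $ok ? 'ALLOW' : 'DENY');
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    if (!$ok) { header('Location: login.php'); exit; }
}
```

A protected page calls `require_admin_access('/path/to/admin-access.log')` right after the session check; the log path is whatever location the web server user can append to.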

Re: Authentication for administration only pages

Postby arcanine » Fri Jan 27, 2012 6:42 pm

Could set that up directly on a firewall. The reason why I probably won't go beyond username and password checking is because, if you were a 'hacker' and you have the GM's username and password, you don't need this script to cause problems: you could just log into the game and start abusing the admin functions and shut it down.

What I meant by security was things like session hijacking and XSS. The PHP wouldn't be the only security in my own implementation, but if someone wanted to run this to protect their own functions I want to know that those server owners are protected from intrusion. I've got SQL injection protection there, but there might be something else that I'm not aware of or protecting adequately against.
