Question

When using login functionality in a webpage, what is the best practice for validating the input data?

I'm not talking about a big scale of users but just a single admin role. The webpage is not using any databases and therefore I don't want to include the functionality for just one account.

At the moment I just use an if-statement with the input data and a hardcoded password, and this somehow feels unsafe, but at the same time the users can't see the PHP code as long as they don't get to the server, or am I wrong?

if($password == 'myPassword123')

By the way, is there any way of downloading the actual .php file from the server (from a user perspective).


Solution 2

Hash the password! Never store it in plaintext.

And to stop a misconfiguration from revealing your password, store the password outside of the web root, so that if PHP were to reveal your code, the client/attacker could not access the actual hash/file. Here is a simple example using the crypt() function inside a simple user function to check the password.

<?php
function check_pass($password){
    // The hash lives outside the web root so a misconfigured server cannot serve it.
    $chkpass = file_get_contents(dirname(__FILE__).'/../path_outside/webroot/adminpass.txt');
    if($chkpass === false){
        return false; // a missing hash file fails closed, never open
    }
    $chkpass = trim($chkpass); // drop the trailing newline, or crypt() will never match
    // crypt() reuses the salt embedded in the stored hash; hash_equals() avoids
    // a timing side channel and the loose == comparison.
    return hash_equals($chkpass, crypt($password, $chkpass));
}

/* The file adminpass.txt contains the hash
   $1$MH0.l.1.$aNx9btlqPfGpkAxK4Bdym.
   which is mypassword in plaintext */
if (isset($_POST['password']) && check_pass($_POST['password'])) {
   echo "ok!";
}else{
    echo "fail!";
}
?>
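An added example, not part of the answer above, doing the same thing with PHP's password_hash()/password_verify() API (the approach the php.net password FAQ linked in the other answer recommends over calling crypt() directly). The file name check.php, the directory private/ one level above the document root, and PHP 7.0 or newer are assumptions.

```php
<?php
// Added example (not from the original answers): verify a single admin
// password against a hash stored outside the web root with password_verify().
// Assumptions: PHP >= 7.0, this file is check.php inside the document root,
// and the directory one level above the document root is writable at setup.

// dirname(__DIR__) is the parent of this script's directory, i.e. above the
// web root, so a server that mistakenly serves .php source still cannot serve it.
define('ADMIN_HASH_FILE', dirname(__DIR__) . '/private/adminpass.hash');

// One-time setup, run from the CLI (never from a browser):
//   php -r 'require "check.php"; create_admin_hash("choose-a-long-passphrase");'
function create_admin_hash(string $password): void {
    $dir = dirname(ADMIN_HASH_FILE);
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    // PASSWORD_DEFAULT is bcrypt today and embeds a per-hash random salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    file_put_contents(ADMIN_HASH_FILE, $hash . "\n", LOCK_EX);
    chmod(ADMIN_HASH_FILE, 0600);  // readable only by the web server user
}

function check_pass(string $password): bool {
    $hash = @file_get_contents(ADMIN_HASH_FILE);
    if ($hash === false) {
        return false;  // missing file fails closed, never open
    }
    // trim() removes the newline written above; password_verify() compares in constant time.
    return password_verify($password, trim($hash));
}

// Upgrade the stored hash if PHP's default algorithm or cost has changed since setup.
function maybe_rehash(string $password): void {
    $hash = trim((string)file_get_contents(ADMIN_HASH_FILE));
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        create_admin_hash($password);
    }
}

// Only a POST counts as a login attempt; the submitted value is never echoed back.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $submitted = isset($_POST['password']) ? (string)$_POST['password'] : '';
    if (check_pass($submitted)) {
        maybe_rehash($submitted);
        echo "ok!";
    } else {
        http_response_code(401);
        echo "fail!";
    }
}
```

The hash file contains nothing a browser can use directly, and the 0600 mode plus the location above the document root mean that the two ways the other answers list for source to leak (a server misconfiguration or a full compromise) do not hand out even the hash by accident.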

OTHER TIPS

In normal practice there is no way to just download a copy of the php file without there being some error or misconfiguration on your server.

That being said, you should probably just store the hash of the password rather than the plain text version: http://php.net/manual/en/faq.passwords.php

The only way a user will gain access to your PHP code is if:

  1. They hack into your server, at which point, them finding your admin password is the least of your worries.
  2. A server misconfiguration dumps the PHP code out in plain text (this happened to Facebook a few years ago).

I would create a dynamically generated string and AND it with my password and probably do something like capturing number of attempts. Lock user until session expires. :D

<?php //login.php
session_start();

// One token per session; the login form has to send it back with the password.
if (!isset($_SESSION['xrf'])) {
    $_SESSION['xrf'] = hash('sha512', random_bytes(32));
}
if (!isset($_SESSION['attempt'])) {
    $_SESSION['attempt'] = 0;
}
$myPassword = 'password';

// Handle the POST before any HTML is sent, otherwise header() cannot redirect.
if (isset($_POST['password']) && $_SESSION['attempt'] < 3):
  $password = $_POST['password'];
  $xrf = isset($_POST['_xrf_']) ? $_POST['_xrf_'] : '';
  if($password === $myPassword && hash_equals($_SESSION['xrf'], $xrf)):
    $_SESSION['attempt'] = 0;
    echo 'Hell Yeah';
    exit;
  else:
    $_SESSION['attempt'] += 1; // locked out after 3 failures until the session expires
    header("Cache-Control: private, must-revalidate, max-age=0");
    header("Pragma: no-cache");
    header("Expires: Sat, 27 Jan 1997 05:00:00 GMT");
    header("Location: login.php");
    exit;
  endif;
endif;
?>

<form method="post" action="login.php">
<input type="hidden" name="_xrf_" value="<?php echo htmlspecialchars($_SESSION['xrf']); ?>" />
<input type="password" name="password" />
<input type="submit" value="Login" />
</form>
Licensed under: CC-BY-SA with attribution