Securing your Login Session installation

Posted by: Scott

The Data File

Login Session is a basic PHP-based login and registration system designed to protect existing pages from direct access. It uses a flat-file database to store its data, which is generally considered an inherent security weakness: a data file that can be requested directly from the web server exposes every stored record. Here are a few tips you can use to secure your Login Session installation.

The first few lines of code are user-defined variables. By changing these variables, you can achieve a higher level of security than if you simply use the default values. The first variable is the data file, shown as:

$data = "users.txt";

Most users will leave this value as-is. Since it is the default value and the script is open source, the file name is well known. The first step in securing your installation is to change it. I recommend a random string of alphanumeric characters with a .php extension, so that code can be placed at the top of the file to stop it from being served directly.

We now have a data file that has been renamed in the script. Make sure that you also rename the file on disk to match the value you used in the variable:

$data = "Nj16s0J3gEm9.php";

This step alone offers a tremendous improvement in terms of security, as potential attackers no longer know the name of your data file. To take it a step further, open the file in a text editor and add the following line at the top. Make sure to leave an empty line below it, as data entries will be added there. Note that this guard only helps if the server hands .php files in that directory to PHP; if it serves them as plain text, the contents are exposed, which is why the data directory step below still matters.

<?php exit(); ?>

The $keyCode Variable

The next variable you should change is $keyCode. This variable changes the hash used to encode user names and email addresses; since the default value is in the public source, replace it with a long random string of your own.

$keyCode = "vsnut34fhfvavh8vaj4japamc8793bdfa9kemhj0uqxmw90tuy7mirewh0984a";

The .htaccess File

If you are running the script on a Linux host with the Apache web server, you can take another step to secure your data file with .htaccess. A .htaccess file is provided by default and contains the following:

Options -Indexes

<FilesMatch "^(.*)\.txt$">
Order deny,allow
Deny from all
</FilesMatch>

Change the default .htaccess data to reflect the changes to your data file:

Options -Indexes

# Deny direct web requests for the renamed data file
<Files "Nj16s0J3gEm9.php">
Order deny,allow
Deny from all
</Files>

The Data Directory

The final step is to place the data file in a directory that is not directly accessible from the web and change the path variable to reflect that change.

Change from:

$path = "/home/username/public_html/loginsession/";

To:

$path = "/home/username/loginsession/";
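
As an added example (not part of the Login Session script), the following command-line PHP check verifies the steps above against an installation: the data file name and extension, the exit() guard on its first line, its location relative to the document root, and that $keyCode is no longer a placeholder. The $path, $data, $keyCode and $docRoot values are constructed placeholders to replace with your own; the 32-character floor for $keyCode is an arbitrary choice made here.

```php
<?php
// Added check for the hardening steps described on this page (example code,
// not part of the Login Session script). The four values below are
// constructed placeholders: substitute the ones from your own installation.
$path    = "/home/username/loginsession/";   // data directory ($path)
$data    = "Nj16s0J3gEm9.php";               // data file ($data)
$keyCode = "CHANGE_ME";                      // placeholder for your own $keyCode
$docRoot = "/home/username/public_html";     // web root; $_SERVER['DOCUMENT_ROOT'] on a live host

function checkLoginSessionInstall(string $path, string $data, string $keyCode, string $docRoot): array
{
    $problems = [];
    $file = rtrim($path, '/') . '/' . $data;

    // Data File: the default name is in the public source, so it must change.
    if ($data === 'users.txt') {
        $problems[] = 'data file still uses the default name users.txt';
    }
    // Data File: without a .php extension the exit() guard is never executed.
    if (pathinfo($data, PATHINFO_EXTENSION) !== 'php') {
        $problems[] = 'data file lacks a .php extension, so the exit() guard cannot run';
    }

    $real = realpath($file);
    if ($real === false || !is_readable($real)) {
        $problems[] = "data file $file not found or not readable";
    } else {
        // Data File: the first line must stop PHP before any record is output.
        $lines = file($real, FILE_IGNORE_NEW_LINES);
        if (($lines[0] ?? '') !== '<?php exit(); ?>') {
            $problems[] = 'first line of the data file is not the exit() guard';
        }
        // Data Directory: a file under the document root is still reachable by URL.
        $rootReal = realpath($docRoot);
        if ($rootReal !== false && strpos($real, rtrim($rootReal, '/') . '/') === 0) {
            $problems[] = 'data file is inside the document root';
        }
    }
    // $keyCode: must be your own value, not a placeholder or a short string
    // (the 32-character floor is an arbitrary choice for this check).
    if ($keyCode === 'CHANGE_ME' || strlen($keyCode) < 32) {
        $problems[] = '$keyCode is a placeholder or shorter than 32 characters';
    }
    return $problems;
}

$problems = checkLoginSessionInstall($path, $data, $keyCode, $docRoot);
foreach ($problems as $p) {
    echo "WARNING: $p\n";
}
echo $problems ? "Installation needs attention.\n" : "All checks passed.\n";
```

Run it from the shell on the host (php check.php) rather than through the web server, since it reads the data file directly from disk.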

That's it! Your Login Session installation has been secured.

Thanks for using my script. If you have questions or comments, feel free to post on the discussion boards.

Scott
