Login not working - Information not kept across pages?

[sikuneh]

On my login page when a user tries to login it takes them to the next page but nothing shows up and on the source code it shows I have some errors that shouldn't be there. It seems it loses the information when it goes to validate the information.

login page

HTML Code:

<form action="includes/users/validateLogin.php" method="POST">
	<table border="0">
    	<tr>
        	<td id="user">Username:</td>
            <td><input type="text" name="username" size="10" /></td>
        </tr>
        <tr>
        	<td id="pass">Password:</td>
            <td><input type="password" name="password" size="10" /></td>
        </tr>
        <tr>
        	<td colspan="2"><input type="submit" value="Login" /></td>
        </tr>
	</table>
</form>

Validation

PHP Code:

$vars = array(
'name'=>$_POST['username'],
'pass'=>$_POST['password']);

$errors = array();

foreach($vars as $values){
    if(empty($values)) {
        $errors[]="Invalid Value";
    }
}

$checkForm = $dbh->prepare("SELECT username,password FROM users WHERE username = :name && password = :pass");
    $checkForm->bindValue(":name",
        $_POST['username']);
    $checkForm->bindValue(":pass",
        md5($_POST['password']));
$checkForm->execute();

if($checkForm->rowcount()===0) {$errors[]="Invalid Username or Password";}

if($errors) {userError($errors);} 


If you need a live link Here.

test login
Username: test
Password: test

[bunny.invasion76]

I'm testing...

You don't use session_start() ...
If you want an example you can ask me ... :P

---------- Post added at 12:26 PM ---------- Previous post was at 12:20 PM ----------

Try this maybe...

PHP Code:

<?php
session_start();


$vars = array( 
'name'=>$_POST['username'], 
'pass'=>$_POST['password']); 

$errors = array(); 

foreach($vars as $values){ 
    if(empty($values)) { 
        $errors[]="Invalid Value"; 
    } 
} 

$checkForm = $dbh->prepare("SELECT username,password FROM users WHERE username = " . $vars['name'] ." AND password =  " . $vars['pass'] .""); 
    $checkForm->bindValue("" . $vars['name'] ."", 
        $_POST['username']); 
    $checkForm->bindValue("" . $vars['pass'] ."", 
        md5($_POST['password'])); 
$checkForm->execute(); 

if($checkForm->rowcount()===0) {$errors[]="Invalid Username or Password";} 

if($errors) {userError($errors);}  

?>

PS: I just edited one thing but I can give you also a full edited ... I use another way to log in ...

[misson]

On my login page when a user tries to login it takes them to the next page but nothing shows up and on the source code it shows I have some errors that shouldn't be there. It seems it loses the information when it goes to validate the information.

The test authentication page generates no content on successful login, which is why you see none. The error messages show up in the source view because the page is re-retrieved with a GET. Use your browser's DOM inspector to view the live page structure rather than view source.

In short, the code you posted does what it's supposed to: authenticate a user. However, it has other problems. Don't use MD5 to hash, as it's considered broken by security professionals. Use a newer cryptographic hash function, such as Whirlpool or something in the SHA2 family (SHA1 is also considered broken, though attacks are still more complex than for MD5). You need to salt the hashes, else they're vulnerable to rainbow tables.

login page

HTML Code:

<form action="includes/users/validateLogin.php" method="POST">
	<table border="0">
        ...

Don't use tables for layout, use styling ([2]).

Good problem write-up, by the way.

Try this maybe...

PHP Code:

<?php
...
$checkForm = $dbh->prepare("SELECT username,password FROM users WHERE username = " . $vars['name'] ." AND password =  " . $vars['pass'] .""); 
    $checkForm->bindValue("" . $vars['name'] ."", 
        $_POST['username']); 
    $checkForm->bindValue("" . $vars['pass'] ."", 
        md5($_POST['password']));

This would be a big step backwards. The whole point of prepared statements is you don't have to interpolate values directly into a statement. As it is, your rewrite is vulnerable to SQL injection and the calls to PDOStatement::bindValue are superfluous. Also, concatenating an empty string with another string will have no affect. You need to read up on PDO. If you need a tutorial, try "Writing MySQL Scripts with PHP and PDO"

[mandy0]

Use session global variable. Set up the session when user is authorised. for example
$_SESSION['logged']=1 If successfully logged in.
and then for LOG IN required pages just do

Code:

if($_SESSION['logged']!=1)
{
header("location: login.php"); //  IF USER IS NOT LOGGED REDIRECT HIM TO LOG IN PAGE
}

and don't forget to use

Code:

<?php
session_start();
?>

It should be first statement before anything else i.e. even <html> should start after above tag. all the best ;)

and whenever you take input from user firstly if you are going to use it in a query do this first.

Code:

$_POST['textboxetcname']=mysql_real_escape_string($_POST['textboxetcname']);

and another thing if log in is validated then use redirection to take him to index page or whatever using
header("location:filename.php");

Hope it would help you

[sikuneh]

That was my bad, I thought I copied everything. I included the session_start() and the header(). However, it still doesn't work, I looked in the DOM inspector and there's nothing there either.

[misson]

However, it still doesn't work, I looked in the DOM inspector and there's nothing there either.

That's because

The test authentication page generates no content on successful login, which is why you see none.

Add a login-successful notice to see that it's working. Here's a minor rewrite with support for salt (you'll also need to alter the database), though many of the tasks (authorization, db↔user mapping, password security requirements) should be refactored into separate classes (password security requirements should be advice rather than a class or class method, but PHP doesn't support aspect oriented programming at the language level).

PHP Code:

<?php
/***** this section should be broken up into other scripts. *****/
// file to log errors
$logfile='...';
define('ERRLOG_SYS', 0);
define('ERRLOG_EMAIL', 1);
define('ERRLOG_FILE', 3);
define('ERRLOG_SAPI', 4);

define('ASCII_UPPERCASE', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ');
define('ASCII_LOWERCASE', 'abcdefghijklmnopqrstuvwxyz');
define('ASCII_DECIMAL', '0123456789');
define('ASCII_HEXADECIMAL', '0123456789ABCDEFabcdef');
define('ASCII_ALPHABETIC', ASCII_UPPERCASE . ASCII_LOWERCASE);
define('ASCII_ALPHANUMERIC', ASCII_DECIMAL . ASCII_UPPERCASE . ASCII_LOWERCASE);
define('ASCII_PUNCTUATION', ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}');
define('ASCII_PRINTABLE', ASCII_ALPHANUMERIC . ASCII_PUNCTUATION);

function nonce($len=32, $chars=ASCII_PRINTABLE) 
{
    $nonce = '';
    $chlen = strlen($chars);
    while (strlen($nonce) < $len) {
        $r = mt_rand();
        while ($r) {
            $nonce .= $chars[$r % $chlen];
            $r = (int)($r / $chlen);
        }
    }
    return $nonce;
}

/* You can use ensure_password_requirements to update passwords
  when security requirements change. If it's not possible to fulfill 
  the requirements automatically (such as if you have complexity 
  requirements that have changed for passwords), you can have 
  this function output a form or redirect the user to a page to enter 
  a new password.
 */
function ensure_password_requirements($dbh, &$authInfo, $pw) {
    static $brokenHashes = array('md5'=>1, 'sha1'=>1);
    if (! $authInfo['salt']) {
        $authInfo['salt'] = nonce();
        $rehash = true;
    }
    if (array_key_exists($authInfo['hasher'], $brokenHashes)) {
        $authInfo['hasher'] = 'sha256';
        $rehash = true;
    }
    if ($rehash) {
        $authInfo['password'] = hash($authInfo['hash'], $authInfo['salt'] . $pw);
        $setAuthInfo = $dbh->prepare(
            "UPDATE users 
             SET password=:password, salt=:salt, hasher=:hasher 
             WHERE id = :id"
        );
        $setAuthInfo->execute($authInfo);  
    }
}

/***** We now return you to your regularly scheduled script, already in progress. *****/
session_start();

$dbh = LocalDB::connect(); // or however you do it.

$fields = array('username' => 'Username', 'password' => 'Password');
$errors = array(); 

foreach($fields as $name => $label){ 
    if(empty($_POST[$name])) { 
        $errors[$name]="$label field is empty."; 
    } 
}

if (! $errors) {
  try {
    $getAuthInfo = $dbh->prepare("SELECT id, password, salt, hasher FROM users WHERE username = ?");  
    $getAuthInfo->execute(array($_POST['username'])); 
    if (($authInfo = $getAuthInfo->fetch(PDO::FETCH_ASSOC))
        && $authInfo['password'] == hash($authInfo['hasher'], $authInfo['salt'] . $_POST['password'])) 
    {
        // prevent session fixation
        session_regenerate_id();
        $_SESSION['uid'] = $authInfo['id'];
        ensure_password_requirements($dbh, $authInfo, $_POST['password']);
        ?>
        <p>Login successful.</p>
        <?php
    } else {
        $errors[]="Invalid Username or Password";
    }
  } catch (PDOException $exc) {
      // log error so admin can look into it later. 
      $entryID=uniqid();
      error_log("Entry $entryID: $exc", ERRLOG_FILE, $logfile);
      $errors[] = "There was an internal error when trying to log you in. Please try again
later. Should you wish to <a href='/contact'>contact us</a> about this, the error was
logged as entry $entryID; please include this ID in any communication.";
  }
}

if($errors) {userError($errors);}

To update the user table:

Code:

ALTER TABLE users ADD salt VARCHAR(32) NOT NULL DEFAULT '';
ALTER TABLE users ADD hasher VARCHAR(16) NOT NULL DEFAULT 'md5';

If the password column is less than 64 characters, you also need to update it:

Code:

ALTER TABLE users MODIFY password CHAR(64) NOT NULL;

[callumacrae]

Use session global variable. Set up the session when user is authorised. for example
$_SESSION['logged']=1 If successfully logged in.
and then for LOG IN required pages just do

Code:

if($_SESSION['logged']!=1)
{
header("location: login.php"); //  IF USER IS NOT LOGGED REDIRECT HIM TO LOG IN PAGE
}

Would that be vulnerable to session hacking? They can just change $_SESSION['logged'] to 1 and then they'll be able to access your hidden content. Don't quote me on that though, I don't really know anything about session hacking.

and whenever you take input from user firstly if you are going to use it in a query do this first.

Code:

$_POST['textboxetcname']=mysql_real_escape_string($_POST['textboxetcname']);

nononononononono

Don't use mysql_*. Ever.

Using prepared statements will mean that you don't have to use mysql_real_escape_string, either follow Misson's link about PDO or read my article here.

~Callum

[atlanis]

Would that be vulnerable to session hacking? They can just change $_SESSION['logged'] to 1 and then they'll be able to access your hidden content. Don't quote me on that though, I don't really know anything about session hacking.

Yes it would. The way I usually do my session variables is something likes this.

On login:

Code:

$validation_string = hash('sha512', $username . $salt . $password_hash);
$validation_string = $validation_string . 'x32' . tostring(strlen($validation_string . $salt) * intval($user_id));
$_SESSION['validation'] = base64_encode($validation_string);

I, of course, use different formulas on different sites. 'x32' is just a short random string to allow my script to separate the two parts of the validation. The 'x' character does not occur in a hexadecimal hash, so to someone with knowledge that will become apparent rather quickly.

Yes, I know strlen($validation_string . $salt) will always be the same number. However, if you ALWAYS keep $user_id hidden from the user, that is: it is never ever sent from server to client, then the potential hacker has a lot of guessing to do to come up with the right one. And that's AFTER they figure out that after x32 is the length times the user_id. I change the formula for each site and on certain sites change the session formula once every month or two.

To check login:

Code:

$logged_in = false;
$validation_original = base64_decode($_SESSION['validation']);
$v_array = explode('x32', $validation_original);
$user_id = mysql_real_escape_string($v_array[1] / strlen($v_array[0] . $salt)); //Use mysql_real_escape_string just in case someone session hacks in an attempt to SQL inject.
$q = "SELECT username, password FROM users WHERE id = '${user_id}' LIMIT 0,1;";
$result = mysql_query($q);
while($row = mysql_fetch_assoc($result))
{
    if($v_array[0] == hash('sha512', $row['username'] . $salt . $row['password'])
        $logged_in = true;
}

The $logged_in variable represents whatever you use in your script on a single page to determine what information should be shown. I normally use a user access level instead of a boolean, because if the access level doesn't match one of my specified ones, the user gets the boot. I gave 15 minute IP bans a try once, as well. It worked fairly well, but had enough issues that I didn't leave it in any production code.

Just a quick note, this code is not guaranteed to work. It's modified versions of my own code (my own code DOES work), but I haven't actually tested it. It's just here to give you some ideas on how to add extra security to your session-based login checks. Also, you should use prepared strings as per Alex Mac. This is an example and I'm too lazy to write it all here. Alex covered it well enough in his article, theres no reason for me to rehash it.


EDIT: Added note about prepared strings.

[sikuneh]

Thanks for the interesting trick to auto-update security, however my problem still stands.

Here are the errors in the source:
Username field is empty
Password field is empty

Here is the [updated] validation script:

PHP Code:

<?php
/***** this section should be broken up into other scripts. *****/
// file to log errors
$logfile='...';
define('ERRLOG_SYS', 0);
define('ERRLOG_EMAIL', 1);
define('ERRLOG_FILE', 3);
define('ERRLOG_SAPI', 4);

define('ASCII_UPPERCASE', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ');
define('ASCII_LOWERCASE', 'abcdefghijklmnopqrstuvwxyz');
define('ASCII_DECIMAL', '0123456789');
define('ASCII_HEXADECIMAL', '0123456789ABCDEFabcdef');
define('ASCII_ALPHABETIC', ASCII_UPPERCASE . ASCII_LOWERCASE);
define('ASCII_ALPHANUMERIC', ASCII_DECIMAL . ASCII_UPPERCASE . ASCII_LOWERCASE);
define('ASCII_PUNCTUATION', ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}');
define('ASCII_PRINTABLE', ASCII_ALPHANUMERIC . ASCII_PUNCTUATION);

function nonce($len=32, $chars=ASCII_PRINTABLE) 
{
    $nonce = '';
    $chlen = strlen($chars);
    while (strlen($nonce) < $len) {
        $r = mt_rand();
        while ($r) {
            $nonce .= $chars[$r % $chlen];
            $r = (int)($r / $chlen);
        }
    }
    return $nonce;
}

/* You can use ensure_password_requirements to update passwords
  when security requirements change. If it's not possible to fulfill 
  the requirements automatically (such as if you have complexity 
  requirements that have changed for passwords), you can have 
  this function output a form or redirect the user to a page to enter 
  a new password.
 */
function ensure_password_requirements($dbh, &$authInfo, $pw) {
    static $brokenHashes = array('md5'=>1, 'sha1'=>1);
    if (! $authInfo['salt']) {
        $authInfo['salt'] = nonce();
        $rehash = true;
    }
    if (array_key_exists($authInfo['hasher'], $brokenHashes)) {
        $authInfo['hasher'] = 'sha256';
        $rehash = true;
    }
    if ($rehash) {
        $authInfo['password'] = hash($authInfo['hash'], $authInfo['salt'] . $pw);
        $setAuthInfo = $dbh->prepare(
            "UPDATE users 
             SET password=:password, salt=:salt, hasher=:hasher 
             WHERE id = :id"
        );
        $setAuthInfo->execute($authInfo);  
    }
}

/***** We now return you to your regularly scheduled script, already in progress. *****/
session_start();

include("../../scripts/modules.php");

$fields = array('username' => 'username', 'password' => 'password');
$errors = array(); 

foreach($fields as $name => $label){ 
    if(empty($_POST[$name])) { 
        $errors[$name]="$label field is empty."; 
    } 
}

if (! $errors) {
  try {
    $getAuthInfo = $dbh->prepare("SELECT id, password, salt, hasher FROM users WHERE username = ?");  
    $getAuthInfo->execute(array($_POST['username'])); 
    if (($authInfo = $getAuthInfo->fetch(PDO::FETCH_ASSOC))
        && $authInfo['password'] == hash($authInfo['hasher'], $authInfo['salt'] . $_POST['password'])) 
    {
        // prevent session fixation
        session_regenerate_id();
        $_SESSION['loggedin'] = $authInfo['id'];
        ensure_password_requirements($dbh, $authInfo, $_POST['password']);
        $getPerms = $dbh->prepare("SELECT perms FROM users WHERE username = ?");
        $getPerms->execute(array($_POST['username']));
        $perms = $getPerms->fetch();
        $_SESSION['permissions'] = $perms;
        ?>
        <p>Login successful.</p>
        <?php
    } else {
        $errors[]="Invalid Username or Password";
    }
  } catch (PDOException $exc) {$entryID = uniqid(); reportError($exc,"There was an internal error when trying to log you in. Please try again
later. Should you wish to <a href='/contact'>contact us</a> about this, the error was
logged as entry $entryID; please include this ID in any communication.",'../../logs/errors.log','Adduser.php',$entryID);
  }
}

else {userError($errors);}

Here is the modules page (in case you need it):

PHP Code:

function reportError($error,$message,$logfile,$page,$entryID) {
    $log = "Error: $entryID | Error on page - $page. Error: $error. @ ".date("d/m/y h:i:s")."\n";
    $fp = fopen($logfile,"w");
    fwrite($fp,$log);
    fclose($fp);
    echo $message;
    return false;
}

function userError($errorArray) {
    echo "There were errors:\n";
    echo "<ul>\n<li>";
    echo implode("</li>\n<li>",$errorArray);
    echo "</li>\n</ul>";
} 


The link is still valid.

[misson]

There is an error in my original ensure_password_requirements. The line:

PHP Code:

$authInfo['password'] = hash($authInfo['hash'], $authInfo['salt'] . $pw); 


should be:

PHP Code:

$authInfo['password'] = hash($authInfo['hasher'], $authInfo['salt'] . $pw); 


Note the key 'hash' should be 'hasher'.

Other than that, the sample code doesn't produce the error I'm seeing on your sample page:

Parse error: syntax error, unexpected $end in /home/sikuneh/public_html/includes/users/validateLogin.php on line 42

That error could be caused by a missing close curly bracket, or by improper use of short tags (mostly, using them when short tags are disabled, which they aren't on the free servers). Please post the block of code (up to the outermost "{}") that contains line 42 and mark that line with a comment. Better still, use an editor that supports auto-indenting and paren highlighting (e.g. emacs, Notepad++, Eclipse) to figure out where the missing token might be.

Would that be vulnerable to session hacking? They can just change $_SESSION['logged'] to 1 and then they'll be able to access your hidden content.

Yes it would.

As far as I've seen, only the session ID is vulnerable, since it's the one thing that is supplied by (and available to) clients. A hacker can try to steal a user's session ID or pick one at random and send that as their own ID, or try to force a user to use a particular ID. All other session data is only accessible to server processes, which means other local users could potentially read it, but not web users under normal circumstances. Local users shouldn't have read access on a properly secured server, but if they do, session data can be stored in a DB. Web users could only access session data if some script has appropriate vulnerabilities (file read or write, script injection), at which point the only way to prevent attacks is to close those vulnerabilities. Do you know of a way web users can read or write session data, or are you coding defensively against unknown vulnerabilities in the server or web scripts?

I, of course, use different formulas on different sites. 'x32' is just a short random string to allow my script to separate the two parts of the validation. The 'x' character does not occur in a hexadecimal hash, so to someone with knowledge that will become apparent rather quickly.

Since hash functions have fixed length output, you could do away with the separator.

PHP Code:

//shared
$hashLen = array(
    'sha256' => 64, 'sha224' => 64,
    'sha512' => 128, 'sha384' => 128,
    'whirlpool' => 256,
    'tiger192,4', => 64,
    //...
);

// exception codes
define('EXC_DB_ERROR', 1);

// so that the default hasher can be defined in exactly one place:
define('HASHER_DFLT', 'sha512');


function auth_hash($user, $salt, $pw, $hasher=HASHER_DFLT) {
    return hash($hasher, $user . $salt . $pw);
}

/* creation & parsing of authentication data refactored as functions
 rather than spread across multiple scripts to increase cohesion.
 */
function pack_authorization($username, $user_id, $password_hash, $salt, $hasher=HASHER_DFLT) {
    $auth_hash = auth_hash($username, $salt, $password_hash, $hasher);
    $auth_product = strlen($auth_hash . $salt) * intval($user_id);
    return base64_encode($auth_hash . tostring($auth_product));
}

function unpack_authorization($data, $salt, $hasher=HASHER_DFLT) {
    global $hashLen;
    $validation_original = base64_decode($data);
    /* 
    str_split below will split $validation_original into two pieces as long as:
       digits(user_id)+digits(strlen(auth_hash . salt)) <= hashLen(hasher)
    where digits(x) = floor(log10(x))+1 is the number of digits in x. Even with 
    64 bit integers, log(x, 10) < 21. Moreover, if there's overflow, PHP should
    switch to floating point, in which case the length of the product as a string
    will be limited by the precision, and the str_split should still work fine. Of 
    course, if there's overflow, then the $user_id calculation will be incorrect.
    */
    list($auth_info['auth_hash'], $auth_product)= str_split($validation_original, $hashLen[$hasher]);
    $auth_info['uid'] = $auth_product / strlen($auth_info['auth_hash'] . $salt);
    return $auth_info;
}

function check_authorization($data, $salt, $hasher=HASHER_DFLT) {
    $logged_in = false;
    $auth_info = unpack_authorization($data, $salt, $hasher);
    try {
        $q = $db->prepare("SELECT username, password FROM users WHERE id = ? LIMIT 0,1;");
        $q->execute(array($auth_info['uid']));
        $row = $q->fetch(PDO::FETCH_ASSOC);
        if ($auth_info['auth_hash'] == auth_hash($row['username'], $salt, $row['password'], $hasher)) {
            $logged_in = true;
        }
    } catch (PDOException $exc) {
        throw new RuntimeException("Internal database error.", EXC_DB_ERROR, $exc);
    }
    return $logged_in;
} 


PHP Code:

// on successful login:
$_SESSION['validation'] = pack_authorization($username, $user_id, $password_hash, $salt)); 


PHP Code:

// to check login:
try {
    $logged_in = check_authorization($_SESSION['validation'], $salt);
} catch (Exception $exc) {
    switch ($exc->getCode()) {
    case EXC_DB_ERROR:
        // inform user & log error 
        ...
        break;
    default:
        // unknown/generic error
        ...
        break;
    }
} 


The salt used in creating the authentication data better not be the same as that used for hashing passwords, as that would imply every password was hashed with the same salt (unless you also use the username as salt for the password hashes).

Still, this relies an awful lot on security through obscurity, which historically hasn't been very secure. If someone has access to session data, they probably have access to your script source.

Moreover, the above doesn't seem terribly useful. If an attacker has read-write access to session data, they can simply copy someone's authorization validation data (it doesn't even need to be the same). If they don't have write access, they won't be able to forge the data, so there's no point in checking that it's valid. Only if an attacker has write but not read access will it stymy them for a bit, in which case obscuring the user ID doesn't accomplish anything. It could be useful in reducing the possibility of an attacker successfully picking a valid random ID. Is that what you use it for?