Showing results for tags 'authentication'.

Found 14 results

  1. Hi, I have a question about generating a unique access token. I have read a lot on the internet about just using the PHP 'random_bytes' function. However, I have found a scenario (although highly unlikely) where a session could potentially be hijacked. User 1 logs in and gets an access token of 'abcdef' (simplifying things). User 1 uses the system for a period of time, but the token expires and doesn't get refreshed yet (as User 1 is idle), so the client still has the access token stored. In the meantime User 1 decides to use a different device to log in to their account, which generates a new access token 'zxcvbn'. But then User 2 logs in and they get an access token of 'abcdef', as it is unique (like I say, highly unlikely but still possible). Then User 1 goes back to their original device and tries to resume the session (the client still has 'abcdef' as an access token, so it sends that to the server, which then finds it, but it is actually now against a different user), and then hijacks User 2's session unknowingly. What is the best way around this? What about always adding the internal user ID number to the token to make sure it will always be against the same user (and always truly unique for that user)? So we would end up with 'abcdef1' for User 1, and User 2's access token would be 'abcdef2' if the above scenario was to occur, so we would never get a potential hijack of sessions? I know this sounds convoluted, but I just wanted people's thoughts.
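     An added example (not code from the thread) of the server-side check the post is reaching for: each issued token is stored together with its user id and expiry, expired tokens are purged on first use, and a token is only honoured for the user it was issued to. The TokenStore class, ids and timestamps are constructed for illustration.

```php
<?php
// Added example: server-side token store that binds each access token to a
// user id and an expiry, and validates both when a client resumes a session.
// The array stands in for a database table; all values are constructed.

final class TokenStore
{
    /** @var array<string, array{user_id:int, expires:int}> keyed by sha256(token) */
    private array $rows = [];

    // Issue a fresh token for a user. 32 random bytes = 256 bits of entropy,
    // so two users receiving the same string is not a realistic event. Only a
    // hash of the token is stored, so a leaked table does not leak live tokens.
    public function issue(int $userId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[hash('sha256', $token)] = [
            'user_id' => $userId,
            'expires' => $now + $ttlSeconds,
        ];
        return $token;
    }

    // Resolve a presented token. The caller passes the user id the client
    // believes it is acting as; a mismatch is rejected even if the token exists,
    // which is the check the post proposes to emulate by appending the id.
    public function resolve(string $token, int $claimedUserId, int $now): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->rows[$key])) {
            return null;                      // unknown token
        }
        $row = $this->rows[$key];
        if ($row['expires'] <= $now) {
            unset($this->rows[$key]);         // expired: purge so it can never be reused
            return null;
        }
        if ($row['user_id'] !== $claimedUserId) {
            return null;                      // token was issued to somebody else
        }
        return $row['user_id'];
    }
}

// Walk through the scenario from the post with constructed ids and times.
$store = new TokenStore();
$t0 = 1_700_000_000;

$user1Token = $store->issue(1, 3600, $t0);                  // User 1 logs in on device A
assert($store->resolve($user1Token, 1, $t0 + 10) === 1);

// User 1 sits idle past the expiry; the token is now dead server-side,
// whatever the client still has cached.
assert($store->resolve($user1Token, 1, $t0 + 3601) === null);

// A token later issued to User 2 cannot be redeemed by a client acting as User 1.
$user2Token = $store->issue(2, 3600, $t0 + 3700);
assert($store->resolve($user2Token, 1, $t0 + 3710) === null);
assert($store->resolve($user2Token, 2, $t0 + 3710) === 2);
```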
  2. Hello there, I have this as a login function for an application.

         function login($username, $password)
         {
             $db =& $this->db;

             Kit::ClassLoader('userdata');

             if (Config::Version('DBVersion') < 62) {
                 // We can't do CSPRNG because the field doesn't exist, so we need to do standard user login
                 // This can ONLY happen during an upgrade.
                 $dbh = PDOConnect::init();
                 $sth = $dbh->prepare('SELECT UserID, UserName, UserPassword, UserTypeID FROM `user` WHERE UserName = :userName');
                 $sth->execute(array('userName' => $username));

                 $rows = $sth->fetchAll();

                 if (count($rows) != 1) {
                     setMessage(__('Username or Password incorrect'));
                     return false;
                 }

                 $userInfo = $rows[0];

                 // Check the password using a MD5
                 if ($userInfo['UserPassword'] != md5($password)) {
                     setMessage(__('Username or Password incorrect'));
                     return false;
                 }
             } else {
                 // Get the SALT for this username
                 if (!$userInfo = $db->GetSingleRow(sprintf("SELECT UserID, UserName, UserPassword, UserTypeID, CSPRNG FROM `user` WHERE UserName = '%s'", $db->escape_string($username)))) {
                     setMessage(__('Username or Password incorrect'));
                     return false;
                 }

                 // User Data Object to check the password
                 $userData = new Userdata($db);

                 // Is SALT empty
                 if ($userInfo['CSPRNG'] == 0) {
                     // Check the password using a MD5
                     if ($userInfo['UserPassword'] != md5($password)) {
                         setMessage(__('Username or Password incorrect'));
                         return false;
                     }

                     // Now that we are validated, generate a new SALT and set the user's password.
                     $userData->ChangePassword(Kit::ValidateParam($userInfo['UserID'], _INT), null, $password, $password, true /* Force Change */);
                 } else {
                     // Check the user's password using the random SALTED password
                     if ($userData->validate_password($password, $userInfo['UserPassword']) === false) {
                         setMessage(__('Username or Password incorrect'));
                         return false;
                     }
                 }
             }

             // there is a result so we store the userID in the session variable
             $_SESSION['userid'] = Kit::ValidateParam($userInfo['UserID'], _INT);
             $_SESSION['username'] = Kit::ValidateParam($userInfo['UserName'], _USERNAME);
             $_SESSION['usertype'] = Kit::ValidateParam($userInfo['UserTypeID'], _INT);

             // Set the User Object
             $this->usertypeid = $_SESSION['usertype'];
             $this->userid = $_SESSION['userid'];

             // update the db
             // write out to the db that the logged in user has accessed the page
             $SQL = sprintf("UPDATE user SET lastaccessed = '" . date("Y-m-d H:i:s") . "', loggedin = 1 WHERE userid = %d", $_SESSION['userid']);
             $db->query($SQL) or trigger_error(__('Can not write last accessed info.'), E_USER_ERROR);

             // Switch Session ID's
             global $session;
             $session->setIsExpired(0);
             $session->RegenerateSessionID(session_id());

             return true;
         }

     I am trying to squeeze in an alternative authentication for users on LDAP, as such, if local authentication fails:

         // alternatively validate against Tivoli Directory server
         $ldap_host = "www.zflexldap.com:389";
         $password = "password";

         // Tivoli Directory DN
         $ldap_dn = "ou=users,ou=guests,dc=zflexsoftware,dc=com";

         // connect to active directory
         $ldap = ldap_connect($ldap_host) or die("Couldn't connect to LDAP Server");

         // username specified on post form is from TDS server
         // $dn = "uid=".$username.",";
         $dn = "uid=guest1,ou=users,ou=guests,dc=zflexsoftware,dc=com";

         // note: $ds is never assigned above; the connection handle returned by ldap_connect() is $ldap
         ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

         // verify user and password
         if ($bind = @ldap_bind($ldap, $dn, $password))

     All attempts, though, have been breaking the application. Thanks.
  3. members.php:

         <?php
         /*** begin the session ***/
         session_start();

         if (!isset($_SESSION['user_id'])) {
             $message = 'You must be logged in to access this page';
         } else {
             try {
                 /*** connect to database ***/
                 /*** mysql hostname ***/
                 $mysql_hostname = 'localhost';
                 /*** mysql username ***/
                 $mysql_username = 'root';
                 /*** mysql password ***/
                 $mysql_password = 'root';
                 /*** database name ***/
                 $mysql_dbname = 'login';

                 /*** select the user's name from the database ***/
                 $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
                 /*** $message = a message saying we have connected ***/

                 /*** set the error mode to exceptions ***/
                 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

                 /*** prepare the select statement ***/
                 $stmt = $dbh->prepare("SELECT phpro_username FROM phpro_users WHERE phpro_user_id = :phpro_user_id");

                 /*** bind the parameters ***/
                 $stmt->bindParam(':phpro_user_id', $_SESSION['user_id'], PDO::PARAM_INT);

                 /*** execute the prepared statement ***/
                 $stmt->execute();

                 /*** check for a result ***/
                 $phpro_username = $stmt->fetchColumn();

                 /*** if we have no result, something is wrong ***/
                 if ($phpro_username == false) {
                     $message = 'Access Error';
                 } else {
                     $message = 'Welcome ' . $phpro_username;
                 }
             } catch (Exception $e) {
                 /*** Error!! ***/
                 $message = 'We are unable to process your request. Please try again later';
             }
         }
         ?>
         <html>
         <head>
             <title>My Account</title>
             <link rel="stylesheet" type="text/css" href="css/main.css" />
         </head>
         <body>
             <h3><?php echo $message; ?></h3>
         </body>
         </html>

     login.php:

         <html>
         <head>
             <title>Log in</title>
         </head>
         <body>
             <h2>Login Here</h2>
             <form action="login_submit.php" method="post">
                 <fieldset>
                     <p>
                         <label for="phpro_username">Username</label>
                         <input type="text" id="phpro_username" name="phpro_username" value="" maxlength="20" />
                     </p>
                     <p>
                         <label for="phpro_password">Password</label>
                         <input type="text" id="phpro_password" name="phpro_password" value="" maxlength="20" />
                     </p>
                     <p>
                         <input type="submit" value="Login" />
                     </p>
                 </fieldset>
             </form>
         </body>
         </html>

     login_submit.php:

         <?php
         /*** begin our session ***/
         session_start();

         /*** check if the user is already logged in ***/
         if (isset($_SESSION['user_id'])) {
             $message = 'User is already logged in';
         }

         /*** check that both the username and password have been submitted ***/
         if (!isset($_POST['phpro_username'], $_POST['phpro_password'])) {
             $message = 'Please enter a valid username and password';
         }
         /*** check the username is the correct length ***/
         elseif (strlen($_POST['phpro_username']) > 20 || strlen($_POST['phpro_username']) < 4) {
             $message = 'Incorrect Length for Username';
         }
         /*** check the password is the correct length ***/
         elseif (strlen($_POST['phpro_password']) > 20 || strlen($_POST['phpro_password']) < 4) {
             $message = 'Incorrect Length for Password';
         }
         /*** check the username has only alphanumeric characters ***/
         elseif (ctype_alnum($_POST['phpro_username']) != true) {
             /*** if there is no match ***/
             $message = "Username must be alpha numeric";
         }
         /*** check the password has only alphanumeric characters ***/
         elseif (ctype_alnum($_POST['phpro_password']) != true) {
             /*** if there is no match ***/
             $message = "Password must be alpha numeric";
         } else {
             /*** if we are here the data is valid and we can insert it into database ***/
             $phpro_username = filter_var($_POST['phpro_username'], FILTER_SANITIZE_STRING);
             $phpro_password = filter_var($_POST['phpro_password'], FILTER_SANITIZE_STRING);

             /*** now we can encrypt the password ***/
             $phpro_password = sha1($phpro_password);

             /*** connect to database ***/
             /*** mysql hostname ***/
             $mysql_hostname = 'localhost';
             /*** mysql username ***/
             $mysql_username = 'root';
             /*** mysql password ***/
             $mysql_password = 'root';
             /*** database name ***/
             $mysql_dbname = 'login';

             try {
                 $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
                 /*** $message = a message saying we have connected ***/

                 /*** set the error mode to exceptions ***/
                 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

                 /*** prepare the select statement ***/
                 $stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password");

                 /*** bind the parameters ***/
                 $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
                 $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

                 /*** execute the prepared statement ***/
                 $stmt->execute();

                 /*** check for a result ***/
                 $user_id = $stmt->fetchColumn();

                 /*** if we have no result then fail boat ***/
                 if ($user_id == false) {
                     $message = 'Login Failed';
                 }
                 /*** if we do have a result, all is well ***/
                 else {
                     /*** set the session user_id variable ***/
                     $_SESSION['user_id'] = $user_id;

                     /*** tell the user we are logged in ***/
                     $message = 'You are now logged in';
                 }
             } catch (Exception $e) {
                 /*** if we are here, something has gone wrong with the database ***/
                 $message = 'We are unable to process your request. Please try again later';
             }
         }
         ?>
         <html>
         <head>
         </head>
         <body>
             <p><?php echo $message; ?></p>
         </body>
         </html>

     I am unable to see the $message = 'Welcome '.$phpro_username; that the successful login should be generating.
  4. Hi, I am trying to set up a PIN-protected area of my website. What I mean by that would be a simple pop-up window similar to the usual PHP authentication pop-up window used by most browsers, however where only a password is necessary to access the website - no username required. Would any of you know if this will be possible to do in PHP or any other language? Thank you. John
  5. Dear pals, I really love your REST-based library, from URL: https://github.com/deepeshmalviya/simple-rest - simple and understandable. But I need an authentication mechanism in it. I plan to use the API for user-based access. To retrieve data we must use the GET method. Passing username/password as GET (or even as POST) is not safe. Can you suggest a good solution for this library? I am waiting for your fast reply. Thanks, Anes
  6. I need to create a main portal/front page that allows users to log in to the main page. Then from there they can log in to other systems automatically. All the other systems are in PHP but might be using different frameworks. I'm not sure whether I conveyed what I need, but an example is like Google: I set Google Search as my main page, and when I sign in to the page, from there I can go into GMail, GPlus, YouTube, Maps etc. without signing in again. So basically I need a system/portal where I can 1) manage user logins 2) single login/authentication to other system modules (something like Google) 3) have basic functions like a notice board and form submissions 4) and of course in PHP. I'm currently looking at Joomla (first time exploring it), but I'm not sure whether this or another CMS can handle this. Or maybe not a CMS but another kind of system for this kind of need.
  8. I was just wondering what people think, and what your reasons are why redirecting to a login page, or showing the login page instead of authenticated content, is the right way. To be clear, let's say that a site visitor requests a page that requires authentication, and that site visitor is not logged in. 1) Should they be redirected to a login page? 2) Should the login page magically appear without redirect, replacing the content that would have been shown if they were logged in? Does it really matter which way login is handled? I have not been using redirects, and have not experienced any problems with showing the login page instead of the authenticated content. It's actually very convenient to do login this way (at least for me). Are there any issues to be concerned with?
  9. I have coded a couple of applications and for logging in users, I do the following:

     • ask the user for a username
     • create a password
     • salt and encrypt the password
     • store the username and encrypted password in a database
     • e-mail the user his password
     • on a login page, ask the user for his username/password pair
     • salt and encrypt the password provided by the user
     • compare the encrypted password value to the one stored in my database
     • if the encrypted value matches I do a session_start() and store the user_id in a session variable
     • on every page I do session_start() and check the session variable for the user_id
     • if the user_id is not found redirect to the login page
     • if it is, give them access to whatever they should have access to

     Now, I have inherited a program that I did not write and it handles authentication using the PEAR:Auth module. I had a user complain that he was being repeatedly redirected to the login page. I could not replicate his problem and closing and re-opening his browser solved the problem on his end, but I'm assuming he's not insane, so I am tempted to rip out the existing PEAR:Auth methodology of tracking users and replace it with what I am used to. However, PEAR:Auth must do more than PHP sessions or nobody would use it, so I worry that if I replace it I will either be making things less secure or losing some functionality. Try as I might, I can't see what I'd lose by replacing PEAR with something simpler. What am I missing? What does PEAR:Auth give me that PHP sessions don't? Thanks, David
  10. Hello all, first post here. I'm fairly new to PHP and am still trying to really get a hold of what I'm doing. Right now I'm just trying to build a simple login function for my site and am completely stuck. Here is what I have so far. In function authuser I'm trying to create a query, return the result, compare it with those that were posted on index.php, and if it matches the database I would like the login function to start the session. I hope that makes sense, and if there is a better way to do this or something I'm missing please let me know.

     index.php:

         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             $username = $_POST['username'];
             $password = md5($_POST['password']);

             if (empty($username) || empty($password)) {
                 $data['status'] = 'Please fill out both inputs';
             } else {
                 // login
                 authuser($username, $password);
             }
         }

     functions.php:

         function login($username, $password)
         {
             session_start();
         }

         function authuser($username, $password)
         {
             $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
             $results = mysql_query($sql);
             $rows = mysql_num_rows($results);

             if ($rows == 1) {
                 session_register("admin");
             } else {
                 echo "Wrong Username or Password";
             }
         }
  11. I'm building my first ever page tab app for a Facebook fan page. It's mostly static HTML with a gallery of user-submitted images. The users will be able to vote for the images and the picture with the most votes wins. Simple enough, but I'm struggling here. I'm currently facing 2 problems - the first one is related to authentication inside the app and the other to app flow.

     1. authentication

     In order to know who uploaded the picture, I need to get some unique user info + name. I found out that this is impossible without user authentication, so I'm trying to get the user to authenticate and let me use their ID/name. I created a login link using the getLoginUrl method of the PHP SDK. This login link works fine when used outside the context of Facebook, but doesn't do anything when clicked inside the page tab. How else do I get the desired user data?

     2. app flow

     I'm trying to split the app into 3 main modules for now - main page, pre-like and upload form. Which one is displayed would be determined by a post variable. My index page looks like this:

         <?php
         include('head.php');

         if ($is_liked) {
             switch ($_GET['c']) {
                 case 'upload':
                     include('pages/upload-form.php');
                     break;
                 default:
                     include('pages/main.php');
                     break;
             }
         } else {
             include('pages/pre-like.php');
         }

         include('foot.php');
         ?>

     The head file initializes the FB object and creates a variable to say if the user likes the page or not.

         $signed_requrest = $fb->getSignedRequest();
         $is_liked = $signed_requrest['page']['liked'];

     This works fine, but when I'm on some other page (with a URL parameter), then the FB object will not be created correctly, therefore I'm not able to get the 'liked' state of the current user. Does anyone have any idea what's wrong with this? I hope someone will be able to help me, as the documentation is not too clear about these things...
  12. Hey. I'm having some trouble with a PHP script I got a while ago for form-to-email on a website I'm currently working on. The client has recently switched to a different hosting server and they require SMTP authentication for the new cloud sites. I have about 5 different pretty detailed forms that I need to have the SMTP authentication placed into, but I have no idea what I'm doing. Below is my current coding. I'm just not sure how to place the SMTP into the coding correctly. I've seen that I need to download Swift or PEAR and I have no clue where to start. Any help or direction would be greatly appreciated... thanks. The current PHP script for my form to email:

         <?php
         $my_email = "studio@roharikproductions.com";

         /*
         Enter the continue link to offer the user after the form is sent.
         If you do not change this, your visitor will be given a continue link to your homepage.
         If you do change it, remove the "/" symbol below and replace with the name of the page to link to,
         eg: "mypage.htm" or "http://www.elsewhere.com/page.htm"
         */
         $continue = "index.html";

         /*
         Step 3:
         Save this file (FormToEmail.php) and upload it together with your webpage containing the form to your webspace.
         IMPORTANT - The file name is case sensitive! You must save it exactly as it is named above!
         Do not put this script in your cgi-bin directory (folder) it may not work from there.
         THAT'S IT, FINISHED!
         You do not need to make any changes below this line.
         */

         $errors = array();

         // Remove $_COOKIE elements from $_REQUEST.
         if (count($_COOKIE)) {
             foreach (array_keys($_COOKIE) as $value) {
                 unset($_REQUEST[$value]);
             }
         }

         // Check all fields for an email header.
         function recursive_array_check_header($element_value)
         {
             global $set;

             if (!is_array($element_value)) {
                 if (preg_match("/(%0A|%0D|\n+|\r+)(content-type:|to:|cc:|bcc:)/i", $element_value)) {
                     $set = 1;
                 }
             } else {
                 foreach ($element_value as $value) {
                     if ($set) {
                         break;
                     }
                     recursive_array_check_header($value);
                 }
             }
         }

         recursive_array_check_header($_REQUEST);

         if ($set) {
             $errors[] = "You cannot send an email header";
         }

         unset($set);

         // Validate email field.
         if (isset($_REQUEST['email']) && !empty($_REQUEST['email'])) {
             if (empty($_POST['email2']) || $_POST['email2'] != $_POST['email']) {
                 $errors[] = "Email addresses do not match.";
             }

             if (preg_match("/(%0A|%0D|\n+|\r+|:)/i", $_REQUEST['email'])) {
                 $errors[] = "Email address may not contain a new line or a colon";
             }

             $_REQUEST['email'] = trim($_REQUEST['email']);

             if (substr_count($_REQUEST['email'], "@") != 1 || stristr($_REQUEST['email'], " ")) {
                 $errors[] = "Email address is invalid";
             } else {
                 $exploded_email = explode("@", $_REQUEST['email']);
                 if (empty($exploded_email[0]) || strlen($exploded_email[0]) > 64 || empty($exploded_email[1])) {
                     $errors[] = "Email address is invalid";
                 } else {
                     if (substr_count($exploded_email[1], ".") == 0) {
                         $errors[] = "Email address is invalid";
                     } else {
                         $exploded_domain = explode(".", $exploded_email[1]);
                         if (in_array("", $exploded_domain)) {
                             $errors[] = "Email address is invalid";
                         } else {
                             foreach ($exploded_domain as $value) {
                                 if (strlen($value) > 63 || !preg_match('/^[a-z0-9-]+$/i', $value)) {
                                     $errors[] = "Email address is invalid";
                                     break;
                                 }
                             }
                         }
                     }
                 }
             }
         }

         // Check referrer is from same site.
         if (!(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))) {
             $errors[] = "You must enable referrer logging to use the form";
         }

         // Check for a blank form.
         function recursive_array_check_blank($element_value)
         {
             global $set;

             if (!is_array($element_value)) {
                 if (!empty($element_value)) {
                     $set = 1;
                 }
             } else {
                 foreach ($element_value as $value) {
                     if ($set) {
                         break;
                     }
                     recursive_array_check_blank($value);
                 }
             }
         }

         recursive_array_check_blank($_REQUEST);

         if (!$set) {
             $errors[] = "You cannot send a blank form";
         }

         unset($set);

         // Display any errors and exit if errors exist.
         if (count($errors)) {
             foreach ($errors as $value) {
                 print "$value<br>";
             }
             exit;
         }

         if (!defined("PHP_EOL")) {
             define("PHP_EOL", strtoupper(substr(PHP_OS, 0, 3) == "WIN") ? "\r\n" : "\n");
         }

         // Build message.
         function build_message($request_input)
         {
             if (!isset($message_output)) {
                 $message_output = "";
             }

             if (!is_array($request_input)) {
                 $message_output = $request_input;
             } else {
                 foreach ($request_input as $key => $value) {
                     if (!empty($value)) {
                         if (!is_numeric($key)) {
                             $message_output .= str_replace("_", " ", ucfirst($key)) . ": " . build_message($value) . PHP_EOL . PHP_EOL;
                         } else {
                             $message_output .= build_message($value) . ", ";
                         }
                     }
                 }
             }

             return rtrim($message_output, ", ");
         }

         $message = build_message($_REQUEST);

         $message = $message . PHP_EOL . PHP_EOL . "-- " . PHP_EOL . "";

         $message = stripslashes($message);

         $subject = "Business Headshot Booking Form";

         $headers = "From: " . $_REQUEST['email'];

         mail($my_email, $subject, $message, $headers);
         ?>
         <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
         <html>
         <head>
         <title></title>
         <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
         <style type="text/css">
         body,td,th {
             color: #7F7F7F;
             font-family: inherit;
         }
         a:link {
             color: #7F7F7F;
             text-decoration: none;
         }
         a:visited {
             text-decoration: none;
             color: #7F7F7F;
         }
         a:hover {
             text-decoration: underline;
             color: #7F7F7F;
         }
         a:active {
             text-decoration: none;
             color: #7F7F7F;
         }
         body p {
             font-size: 16px;
         }
         body p {
             font-size: 24px;
         }
         body p {
             text-align: center;
         }
         </style>
         </head>
         <body bgcolor="#e2e2e2" text="#7F7F7F" link="#7F7F7F" vlink="#7F7F7F" alink="#7F7F7F">
         <div>
         <center>
         <b>Thank you <?php print stripslashes($_REQUEST['name']); ?></b>
         <br>Your message has been sent
         <p><a href="http://columbusbusinessheadshots.com/">Click here to continue</a></p>
         </center>
         </div>
         </body>
         </html>

     I tried to add this into the code in hopes of a quick fix, but that made the form not work at all:

         $host = "host@host.com";
         $username = "email@host.com";
         $password = "emailpassword";

         $smtp = Mail::factory('smtp', array(
             'host'     => $host,
             'auth'     => true,
             'username' => $username,
             'password' => $password
         ));

     I'm not sure if I add that just anywhere into the PHP script or if it needs to be in a certain area? Also not sure what exactly I'll need to install or download onto the server as well. Thanks.
  13. Hi, I use "Ubuntu 12.04.1" on my VPS. I have a directory that is password protected. But I need another script to access the directory for my work. But it won't access it as it is password protected. Now what I want to do is add some code to the script so that it would log in automatically. Guys, need help with the code. Can't decide how to do it. Thx in advance
  14. My user authentication code --

         <?php
         $useremail = $_POST['emailfield'];
         $userpassword = $_POST['pwfield'];

         require('sqlauth2.php');

         mysql_select_db($database, $con);

         $sql = "SELECT * FROM userregistry WHERE email='" . $useremail . "' AND password='" . $userpassword . "'";
         $run = mysql_query($sql);
         $row = mysql_fetch_array($run);

         if (mysql_num_rows($run) == 1) {
             echo "SUCCESS <br>";
         } else {
             echo "No login for you ";
         }
         ?>

     Looks perfect, but I keep getting this error:

         Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in D:\xampp\htdocs\bullet2\logincheck.php on line 10
         Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in D:\xampp\htdocs\bullet2\logincheck.php on line 12
         No login for you

     Any idea? Searched everywhere, couldn't find anything proper. I know there is something wrong somewhere, can't seem to find it. Help me out people, thanks!!!
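     An added example (not code from post 10 or post 14) of the same username/password check written so that the two failure modes those posts hit cannot occur: user input is bound as a parameter instead of being spliced into the SQL, the password is verified with password_verify() rather than compared as md5 or plaintext in the query, and a failed query raises an exception instead of returning the false that produced the "boolean given" warnings. The table users(id, username, password_hash), the DSN and the credentials are assumptions.

```php
<?php
// Added example: hardened replacement for the login checks in posts 10 and 14.
// Table/column names and connection details are assumptions, not from the posts.

function connectDb(): PDO
{
    // ERRMODE_EXCEPTION: a failed query throws instead of returning false, so
    // mysql_fetch_array()/mysql_num_rows() are never handed a boolean.
    return new PDO('mysql:host=localhost;dbname=login;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Registration side: store a salted, slow hash, never md5() or plaintext.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: look the user up by username only, then verify the password in PHP.
// Returns the user id on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);   // bound parameter: quotes in the input stay data
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so an
    // unknown username costs about the same time as a wrong password.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }

    // Transparently upgrade stored hashes when the default algorithm/cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Request handling, i.e. what index.php / logincheck.php would do.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    try {
        $userId = authenticate(connectDb(), $username, $password);
    } catch (PDOException $e) {
        error_log('login db error: ' . $e->getMessage());  // details go to the log, not the browser
        $userId = null;
    }

    if ($userId === null) {
        echo 'Wrong username or password';   // one generic message for both failure cases
    } else {
        session_start();
        session_regenerate_id(true);         // fresh session id at privilege change
        $_SESSION['user_id'] = $userId;
        echo 'SUCCESS';
    }
}
```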