Jump to content

Search the Community

Showing results for tags 'authentication'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Welcome to PHP Freaks
    • Announcements
    • Introductions
  • PHP Coding
    • PHP Coding Help
    • Regex Help
    • Third Party Scripts
    • FAQ/Code Snippet Repository
  • SQL / Database
    • MySQL Help
    • PostgreSQL
    • Microsoft SQL - MSSQL
    • Other RDBMS and SQL dialects
  • Client Side
    • HTML Help
    • CSS Help
    • Javascript Help
    • Other
  • Applications and Frameworks
    • Applications
    • Frameworks
    • Other Libraries
  • Web Server Administration
    • PHP Installation and Configuration
    • Linux
    • Apache HTTP Server
    • Microsoft IIS
    • Other Web Server Software
  • Other
    • Application Design
    • Other Programming Languages
    • Editor Help (Dreamweaver, Zend, etc)
    • Website Critique
    • Beta Test Your Stuff!
  • Freelance, Contracts, Employment, etc.
    • Services Offered
    • Job Offerings
  • General Discussion
    • PHPFreaks.com Website Feedback
    • Miscellaneous

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Age


Donation Link

Found 3 results

  1. Hello there, I have this as login in function for an application. function login($username, $password) { $db =& $this->db; Kit::ClassLoader('userdata'); if (Config::Version('DBVersion') < 62) { // We can't do CSPRNG because the field doesn't exist, so we need to do standard user login // This can ONLY happen during an upgrade. $dbh = PDOConnect::init(); $sth = $dbh->prepare('SELECT UserID, UserName, UserPassword, UserTypeID FROM `user` WHERE UserName = :userName'); $sth->execute(array('userName' => $username)); $rows = $sth->fetchAll(); if (count($rows) != 1) { setMessage(__('Username or Password incorrect')); return false; } $userInfo = $rows[0]; // Check the password using a MD5 if ($userInfo['UserPassword'] != md5($password)) { setMessage(__('Username or Password incorrect')); return false; } } else { // Get the SALT for this username if (!$userInfo = $db->GetSingleRow(sprintf("SELECT UserID, UserName, UserPassword, UserTypeID, CSPRNG FROM `user` WHERE UserName = '%s'", $db->escape_string($username)))) { setMessage(__('Username or Password incorrect')); return false; } // User Data Object to check the password $userData = new Userdata($db); // Is SALT empty if ($userInfo['CSPRNG'] == 0) { // Check the password using a MD5 if ($userInfo['UserPassword'] != md5($password)) { setMessage(__('Username or Password incorrect')); return false; } // Now that we are validated, generate a new SALT and set the users password. $userData->ChangePassword(Kit::ValidateParam($userInfo['UserID'], _INT), null, $password, $password, true /* Force Change */); } else { // Check the users password using the random SALTED password if ($userData->validate_password($password, $userInfo['UserPassword']) === false) { setMessage(__('Username or Password incorrect')); return false; } } } // there is a result so we store the userID in the session variable $_SESSION['userid'] = Kit::ValidateParam($userInfo['UserID'], _INT); $_SESSION['username'] = Kit::ValidateParam($userInfo['UserName'], _USERNAME); $_SESSION['usertype'] = Kit::ValidateParam($userInfo['UserTypeID'], _INT); // Set the User Object $this->usertypeid = $_SESSION['usertype']; $this->userid = $_SESSION['userid']; // update the db // write out to the db that the logged in user has accessed the page $SQL = sprintf("UPDATE user SET lastaccessed = '" . date("Y-m-d H:i:s") . "', loggedin = 1 WHERE userid = %d", $_SESSION['userid']); $db->query($SQL) or trigger_error(__('Can not write last accessed info.'), E_USER_ERROR); // Switch Session ID's global $session; $session->setIsExpired(0); $session->RegenerateSessionID(session_id()); return true; } i am trying to squeeze in an alternative authentication for users on ldap as such if local authentication fails // alternativelly validate against Tivoli Directory server $ldap_host = "www.zflexldap.com:389"; $password = "password"; // Tivoli Directory DN $ldap_dn = "ou=users,ou=guests,dc=zflexsoftware,dc=com"; // connect to active directory $ldap = ldap_connect($ldap_host) or die("Couldn't connect to LDAP Server"); //username specified on post form is from TDS server // $dn = "uid=".$username.","; $dn = "uid=guest1,ou=users,ou=guests,dc=zflexsoftware,dc=com"; ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // verify user and password if($bind = @ldap_bind($ldap, $dn, $password)) all attempts thou has been breaking the application. thanks
  2. mds1256

    Access Tokens

    Hi I have a question about generating a unique access token. I have read a lot on the internet about just using the php 'random_bytes' function. However I have found a scenario (although highly unlikely) where a session could potentially be hijacked. User 1 logs in and gets an access token of 'abcdef' (simplifying things). User 1 uses the system for a period of time but the token expires but doesn't get refreshed yet (as user 1 is idle) (so client still has access token stored on client). In the mean time User 1 decides to use a different device to login to their account which generates a new access token 'zxcvbn'. But then User 2 logs in and they get an access token of 'abcdef' as it is unique (like I say highly unlikely but still possible). Then User 1 goes back to their original device and tries to resume session (client still has 'abcdef' as an access token so it sends that to the server which then it finds it but is actually now against a different user), and then hijacks User 2's session unknowingly. What is the best way around this, what about always adding the internal user ID number to the token to make sure it will always be against the same user (and always truly unique for that user)? So we would end up with 'abcdef1' for user 1 and User 2s access token would be 'abcdef2' if the above scenario was to occur so we would never get a potential hijack of sessions? I know this sounds convoluted but just wanted peoples thoughts?
  3. Andrew12313413

    need help with a login in php

    <?php /*** begin the session ***/ session_start(); if(!isset($_SESSION['user_id'])) { $message = 'You must be logged in to access this page'; } else { try { /*** connect to database ***/ /*** mysql hostname ***/ $mysql_hostname = 'localhost'; /*** mysql username ***/ $mysql_username = 'root'; /*** mysql password ***/ $mysql_password = 'root'; /*** database name ***/ $mysql_dbname = 'login'; /*** select the users name from the database ***/ $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password); /*** $message = a message saying we have connected ***/ /*** set the error mode to excptions ***/ $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); /*** prepare the insert ***/ $stmt = $dbh->prepare("SELECT phpro_username FROM phpro_users WHERE phpro_user_id = :phpro_user_id"); /*** bind the parameters ***/ $stmt->bindParam(':phpro_user_id', $_SESSION['user_id'], PDO::PARAM_INT); /*** execute the prepared statement ***/ $stmt->execute(); /*** check for a result ***/ $phpro_username = $stmt->fetchColumn(); /*** if we have no something is wrong ***/ if($phpro_username == false) { $message = 'Access Error'; } else { $message = 'Welcome '.$phpro_username; } } catch (Exception $e) { /*** Error!! ***/ $message = 'We are unable to process your request. Please try again later"'; } } ?> <html> <head> <title>My Account</title> <link rel="stylesheet" type="text/css" href="css/main.css" /> </head> <body> <h3><?php echo $message; ?></h3> </body> </html> members.php <html> <head> <title>Log in</title> </head> <body> <h2>Login Here</h2> <form action="login_submit.php" method="post"> <fieldset> <p> <label for="phpro_username">Username</label> <input type="text" id="phpro_username" name="phpro_username" value="" maxlength="20" /> </p> <p> <label for="phpro_password">Password</label> <input type="text" id="phpro_password" name="phpro_password" value="" maxlength="20" /> </p> <p> <input type="submit" value="Login" /> </p> </fieldset> </form> </body> </html> login.php <?php /*** begin our session ***/ session_start(); /*** check if the users is already logged in ***/ if(isset( $_SESSION['user_id'] )) { $message = 'Users is already logged in'; } /*** check that both the username, password have been submitted ***/ if(!isset( $_POST['phpro_username'], $_POST['phpro_password'])) { $message = 'Please enter a valid username and password'; } /*** check the username is the correct length ***/ elseif (strlen( $_POST['phpro_username']) > 20 || strlen($_POST['phpro_username']) < 4) { $message = 'Incorrect Length for Username'; } /*** check the password is the correct length ***/ elseif (strlen( $_POST['phpro_password']) > 20 || strlen($_POST['phpro_password']) < 4) { $message = 'Incorrect Length for Password'; } /*** check the username has only alpha numeric characters ***/ elseif (ctype_alnum($_POST['phpro_username']) != true) { /*** if there is no match ***/ $message = "Username must be alpha numeric"; } /*** check the password has only alpha numeric characters ***/ elseif (ctype_alnum($_POST['phpro_password']) != true) { /*** if there is no match ***/ $message = "Password must be alpha numeric"; } else { /*** if we are here the data is valid and we can insert it into database ***/ $phpro_username = filter_var($_POST['phpro_username'], FILTER_SANITIZE_STRING); $phpro_password = filter_var($_POST['phpro_password'], FILTER_SANITIZE_STRING); /*** now we can encrypt the password ***/ $phpro_password = sha1( $phpro_password ); /*** connect to database ***/ /*** mysql hostname ***/ $mysql_hostname = 'localhost'; /*** mysql username ***/ $mysql_username = 'root'; /*** mysql password ***/ $mysql_password = 'root'; /*** database name ***/ $mysql_dbname = 'login'; try { $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password); /*** $message = a message saying we have connected ***/ /*** set the error mode to excptions ***/ $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); /*** prepare the select statement ***/ $stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password"); /*** bind the parameters ***/ $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR); $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40); /*** execute the prepared statement ***/ $stmt->execute(); /*** check for a result ***/ $user_id = $stmt->fetchColumn(); /*** if we have no result then fail boat ***/ if($user_id == false) { $message = 'Login Failed'; } /*** if we do have a result, all is well ***/ else { /*** set the session user_id variable ***/ $_SESSION['user_id'] = $user_id; /*** tell the user we are logged in ***/ $message = 'You are now logged in'; } } catch(Exception $e) { /*** if we are here, something has gone wrong with the database ***/ $message = 'We are unable to process your request. Please try again later"'; } } ?> <html> <head> </head> <body> <p><?php echo $message; ?> </body> </html> login_sumbit.php I am unable to see the $message = 'Welcome '.$phpro_username; that the successful login should be generating
×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.