mforan Posted September 17, 2010

User fills in the login form on another page, but is then presented with "Your username cannot be found or password doesnt match" until they press F5.... any ideas anyone?

```php
<?php
mysql_connect("localhost", "ambroid_mike", "347610");
@mysql_select_db("ambroid_findapart") or die("Unable to select database");

$user = $_POST['user'];
$pass = $_POST['pass'];

// Escape "_" so it is not treated as a LIKE wildcard
$mysqluser = ereg_replace("_", "\_", $user);

$query  = "SELECT password FROM users WHERE username LIKE BINARY '$mysqluser'";
$result = mysql_query($query) or die("Error: " . mysql_error());
$row    = mysql_fetch_array($result, MYSQL_NUM);
$foundpass = $row[0];

if ($foundpass == $pass) {
    setcookie("FAPusername", $user);
    setcookie("FAPpassword", sha1($foundpass));
    // Cookies set above are read back in the same request
    $user = $_COOKIE['FAPusername'];
    $pass = $_COOKIE['FAPpassword'];
}

$query  = "SELECT * FROM users WHERE username='$user'";
$result = mysql_query($query) or die("Error: " . mysql_error());
$info     = mysql_fetch_array($result, MYSQL_NUM);
$original = $info;

if (sha1($info[2]) != $pass) {
    mysql_close();
    die("<br><br><center><body bgcolor='#FFFFFF'><b><font face='Verdana' size='2pt'>Your username cannot be found or password doesnt match</font></b></center></body></html>");
}
?>
```

Source: https://forums.phpfreaks.com/topic/213682-login-form/
Pikachu2000 Posted September 17, 2010

Cookie data isn't available until the next page load, so this block of code that assigns the values to the variables based on the cookie values will assign empty or null values the first time around. When the page is refreshed with F5, the values are available, assigned and the script functions as expected.

```php
if ($foundpass == $pass) {
    setcookie("FAPusername", $user);
    setcookie("FAPpassword", sha1($foundpass));
    $user = $_COOKIE['FAPusername'];
    $pass = $_COOKIE['FAPpassword'];
}
```
mforan (Author) Posted September 17, 2010

I had an inkling that might have been the case; is there any way around that?
Pikachu2000 Posted September 17, 2010

Sure, just assign the variables their values the same way you're assigning the values to the cookies, since the end result is they'll have the same values anyhow. Actually, since $user already has a value, there's no need to reassign it a value . . .

Also note that storing password data in a cookie isn't necessarily the best thing you can do security-wise. You'd be better off to either store it in a SESSION var, or just query the db for it in the event it's needed again (probably the best option).

```php
if ($foundpass == $pass) {
    setcookie("FAPusername", $user);
    setcookie("FAPpassword", sha1($foundpass));
    $pass = sha1($foundpass);
}
```
Miss_Rebelx Posted September 17, 2010

I noticed that at the end, your comparison seems to be wrong:

```php
if (sha1($info[2]) != $pass) {
    mysql_close();
    die("<br><br><center><body bgcolor='#FFFFFF'><b><font face='Verdana' size='2pt'>Your username cannot be found or password doesnt match</font></b></center></body></html>");
}
```

You never transformed $pass with sha1(), so how is the comparison going to work? If you had originally encrypted the value before putting it in the database with sha1(), as far as I can tell and test, doing sha1() to it again, like you're doing, won't decrypt it. Best to compare it by encrypting $pass and then seeing if they equate.
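A corrected login flow covering the two points raised above (Pikachu2000's: a cookie set in this request cannot be read back in the same request, so the logged-in state should live in the session; Miss_Rebelx's: the submitted password has to be hashed before it is compared with the stored hash). This is an added example, not code from the thread. It assumes an in-memory SQLite database opened through PDO in place of the mysql_* calls, a users table with `id`, `username` and `password` columns, and it swaps the thread's sha1() comparison for PHP's password_hash()/password_verify() (PHP 5.5 or later), which salt each hash. Nothing derived from the password is sent to the browser; the session holds only the user id.

```php
<?php
// Added example (not the original poster's code): login that verifies the
// submitted password against the stored hash and keeps "logged in" state in
// the server-side session instead of a cookie.
// Assumptions: PDO + in-memory SQLite stand in for the thread's mysql_* calls;
// password_hash()/password_verify() replace the thread's sha1() comparison.

// A valid hash of a throwaway value, used so a missing user still costs one
// password_verify() call and both failure paths take about the same time.
define('DUMMY_HASH', password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT));

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    // Constructed sample user: only the hash is stored, never the plaintext.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute(['mike', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true and records the user id in $_SESSION on success, false otherwise.
// One failure result serves both "no such user" and "wrong password", so the
// response does not reveal which usernames exist.
function login(PDO $db, string $user, string $pass): bool {
    // Prepared statement: the username is bound as data, so no LIKE escaping
    // and no interpolation of user input into SQL is needed.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row === false) ? DUMMY_HASH : $row['password'];
    $ok = password_verify($pass, $hash) && $row !== false;
    if (!$ok) {
        return false;
    }
    // New session id on privilege change, then store only the user id.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function isLoggedIn(): bool {
    return isset($_SESSION['user_id']);
}

// Demonstration with constructed input. In a web request, call session_start()
// before anything else and take $user/$pass from $_POST.
if (PHP_SAPI !== 'cli') {
    session_start();
}
$db = openDb();
echo 'wrong password accepted? ', var_export(login($db, 'mike', 'wrong password'), true), PHP_EOL;
echo 'logged in?               ', var_export(isLoggedIn(), true), PHP_EOL;
echo 'right password accepted? ', var_export(login($db, 'mike', 'correct horse'), true), PHP_EOL;
echo 'logged in?               ', var_export(isLoggedIn(), true), PHP_EOL;
```

On later requests the page only needs `session_start()` followed by `isLoggedIn()`; the password is never looked up again, which is the "query the db only when needed" option from the reply above taken to its conclusion.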
PFMaBiSmAd Posted September 17, 2010

Storing fixed/static values in cookies for login purposes is not secure. Once someone gets a hold of those values, they can send those to your server and appear to be the actual person they belong to as long as they remain the same fixed/static values.

You should generate a unique id (see: uniqid) per visitor and save it in the cookie and in their row in your user table. The cookie will only identify the visitor. Its existence alone won't cause that visitor to be logged in. You would then only store a value on the server that determines if the matching visitor is logged in or not.
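The scheme described in this reply, written out as an added example (not code from the thread): the cookie carries only an identifier, the user's row stores that identifier together with a logged-in flag, and every request checks the flag on the server. It assumes an in-memory SQLite table via PDO (the thread uses mysql_*) with `username`, `visitor_id` and `logged_in` columns, and it uses random_bytes() (PHP 7 or later) rather than the uniqid() the reply names, because the identifier has to be unguessable; the password check that precedes `startLogin()` is the one from the earlier example and is not repeated here.

```php
<?php
// Added example (not from the thread): per-visitor identifier in the cookie,
// login state as a server-side flag. Assumptions: PDO + in-memory SQLite;
// random_bytes() in place of uniqid() so the id cannot be predicted.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE,
        visitor_id TEXT UNIQUE,
        logged_in INTEGER NOT NULL DEFAULT 0)');
    $db->exec("INSERT INTO users (username) VALUES ('mike')"); // constructed sample row
    return $db;
}

// Call only after the password check has succeeded: mint a fresh identifier,
// store it in the user's row with logged_in = 1, and return it so the caller
// can hand it to setcookie() (with the HttpOnly and Secure flags set).
function startLogin(PDO $db, string $username): string {
    $visitorId = bin2hex(random_bytes(16));
    $stmt = $db->prepare('UPDATE users SET visitor_id = ?, logged_in = 1 WHERE username = ?');
    $stmt->execute([$visitorId, $username]);
    return $visitorId;
}

// Server-side logout: the browser may keep the cookie, but the flag is cleared
// and the id dropped, so replaying the old cookie value identifies nobody.
function endLogin(PDO $db, string $visitorId): void {
    $stmt = $db->prepare('UPDATE users SET logged_in = 0, visitor_id = NULL WHERE visitor_id = ?');
    $stmt->execute([$visitorId]);
}

// Per-request check: the cookie value only selects a row; that row's
// logged_in flag decides. Returns the username, or null when not logged in.
function currentUser(PDO $db, ?string $cookieValue): ?string {
    if ($cookieValue === null || !preg_match('/^[0-9a-f]{32}$/', $cookieValue)) {
        return null; // missing or malformed cookie
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE visitor_id = ? AND logged_in = 1');
    $stmt->execute([$cookieValue]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Demonstration with a constructed cookie value (in a real request it comes
// from $_COOKIE['visitor']).
$db = openDb();
$cookie = startLogin($db, 'mike');
echo 'after login:  ', currentUser($db, $cookie) ?? 'anonymous', PHP_EOL;
endLogin($db, $cookie);
echo 'after logout: ', currentUser($db, $cookie) ?? 'anonymous', PHP_EOL;
echo 'made-up id:   ', currentUser($db, str_repeat('0', 32)) ?? 'anonymous', PHP_EOL;
```

Because the login state is a server-side flag, it can be revoked centrally (logout, password change, inactivity timeout) without needing the browser's cooperation, which is exactly what a cookie holding a static password hash cannot offer.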
mforan (Author) Posted September 17, 2010

> I noticed that at the end, your comparison seems to be wrong:
>
> ```php
> if (sha1($info[2]) != $pass) {
>     mysql_close();
>     die("<br><br><center><body bgcolor='#FFFFFF'><b><font face='Verdana' size='2pt'>Your username cannot be found or password doesnt match</font></b></center></body></html>");
> }
> ```
>
> You never transformed $pass with sha1(), so how is the comparison going to work? If you had originally encrypted the value before putting it in the database with sha1(), as far as I can tell and test, doing sha1() to it again, like you're doing, won't decrypt it. Best to compare it by encrypting $pass and then seeing if they equate.

not sure what you mean??
mforan (Author) Posted September 17, 2010

> Sure, just assign the variables their values the same way you're assigning the values to the cookies, since the end result is they'll have the same values anyhow. Actually, since $user already has a value, there's no need to reassign it a value . . .
>
> Also note that storing password data in a cookie isn't necessarily the best thing you can do security-wise. You'd be better off to either store it in a SESSION var, or just query the db for it in the event it's needed again (probably the best option).
>
> ```php
> if ($foundpass == $pass) {
>     setcookie("FAPusername", $user);
>     setcookie("FAPpassword", sha1($foundpass));
>     $pass = sha1($foundpass);
> }
> ```

do sessions work if the person simply presses "go" on their browser again (not F5), will it keep them logged in???