spacepoet Posted February 3, 2012

Hello: I am using this tutorial to make a secure login system (if there is a "better" way, please let me know): http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

I am having a problem with the login form - it keeps moving to the "a_Home.php" page (the one that is supposed to be password protected) without any login information being entered.

This is the mmLogin.php page:

<?php
include('../include/myConn.php');
include('include/myAdminCodeLib.php');
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

$username = mysql_real_escape_string($username);
$query = "SELECT password, salt FROM users WHERE username = '$username';";
$result = mysql_query($query);

if(mysql_num_rows($result) < 1)
{
    header('Location: mmLogin.php');
    die();
}

$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );

if($hash != $userData['password'])
{
    header('Location: mmLogin.php');
    die();
}
else
{
    validateUser();
    header('Location: a_Home.php');
}
?>
<html>
<head></head>
<body>
<form name="login" action="mmLogin.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" />
</form>
</body>
</html>

This is the a_Home.php page:

<?php
include('include/myAdminCodeLib.php');
include('include/myCheckLogin.php');
?>
<html>
<head></head>
<body>
<a href="mmLogin.php">Log Off</a>
</body>
</html>

This is the myCheckLogin.php page:

<?php
session_start();
if(!isLoggedIn())
{
    header('Location: mmLogin.php');
    die();
}
?>

This is the myAdminCodeLib.php page:

<?php
function validateUser()
{
    session_regenerate_id ();
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $userid;
}

function isLoggedIn()
{
    if(isset($_SESSION['valid']) && $_SESSION['valid'])
        return true;
    return false;
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}
?>

Can anyone tell me why this is not working? And, am I calling the functions properly? Thanks.
Proletarian Posted February 3, 2012

You need to validate your input to make sure the form has data in the fields before posting. If there are no data in the fields, don't post.
spacepoet Posted February 3, 2012 (Author)

Hi: Not sure I understand what you mean... The database has a "test" username and password. Is that what you mean?
PFMaBiSmAd Posted February 3, 2012

If you used the registration script from that tutorial, you likely have an entry in your database table that corresponds to an empty username and an empty password.

That tutorial should not have the words 'the Right Way' in its title because that code is crap. The form processing code is not even checking if a form has been submitted and it is not checking if the form fields have anything in them before using the form data.
spacepoet Posted February 3, 2012 (Author)

Hi: OK, thanks for pointing this out .. lol .. I was beginning to wonder how "good" the script is, since I'm having great difficulty getting it to work.

So, may I ask you: Are there any scripts you can show me or point me to that would be considered "solid" and "modern" in terms of secure login? I am not sure what to look for.

What I really need is a password protected page system - no need to register or any of that. Just a way to let 1 admin login securely and view password protected pages.

The way I currently do it when setting up a site is to create a "myAdmins" SQL table via phpMyAdmin that contains a pre-defined username and password (I use "test" and "test"), and I have a single-page login form. And of course, a small bit of code on top of each password-protected page to make sure the user has logged in properly. That's really all I need.

I didn't think finding a more modern, encrypted solution was going to be so frustrating. Can you help me with that?
scootstah Posted February 4, 2012

If you only need one username/password, it's a waste to use the database. Just keep it in a php file.
spacepoet Posted February 4, 2012 (Author)

Well, I do allow the user to be able to update their username / password, so I do need it in a database for that reason ... (I don't want to use a flat file - if it can be done that way).

Any ideas where to find a script like this? This is what I am currently using:

Login.php

<?php
include('../include/myConn.php');
include('include/myAdminNav.php');

session_start();
session_destroy();

$message="";
$Login=$_POST['Login'];
if($Login){
    $myUserName=$_POST['myUserName'];
    $myPassword=$_POST['myPassword'];
    $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'");
    if(mysql_num_rows($result)!='0'){
        session_register("myUserName");
        header("location:a_Home.php");
        exit;
    }else{
        $message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>";
    }
}
?>
...
<html>
<form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>">
<? echo $message; ?>
User Name:
Password:
<input name="myUserName" type="text" id="myUserName" size="40" />
<input name="myPassword" type="password" id="myPassword" size="40" />
<input name="Login" type="submit" id="Login" value="Login" />
</form>
</html>

a_Home.php

<?
session_start();
if(!session_is_registered(myUserName)){
    //setcookie("TestCookie", $value, time()+1200);
    header("location:Login.php");
}
?>
<html>
...
</html>

a_Admins.php (to update the username / password, if desired):

<?php
include('../include/myConn.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $myUserName = mysql_real_escape_string($_POST['myUserName']);
    $myPassword = mysql_real_escape_string($_POST['myPassword']);
    $sql = "
        UPDATE myAdmins
        SET myUserName = '$myUserName',
            myPassword = '$myPassword'
    ";
    mysql_query($sql) && mysql_affected_rows()
?>
<?php
}

$query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error());
while($result=mysql_fetch_array($query))
{
    $myUserName=$result['myUserName'];
    $myPassword=$result['myPassword'];
}
?>
<html>
...
<?php if ($_SERVER['REQUEST_METHOD'] == 'POST') echo "<span class=\"textError\">Section successfully updated!</span>" ?>
<form method="post" action="<?php echo $PHP_SELF;?>">
<input type="hidden" name="POSTBACK" value="EDIT">
User Name: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>">
Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>">
<input type="submit" value="Submit" />
</form>
...
</html>

Maybe my original question should have been - "how do I make this login method more secure / better ..." ???
Proletarian Posted February 4, 2012

Validate input and "sanitize" input. Don't just take some user input and assume it's safe to put straight into your database. Make sure it's the right type of data you are expecting to use and not some malicious database injection.
spacepoet Posted February 4, 2012 (Author)

Is there an example you can show me, based upon the code I just posted?

I add the table to the database via the phpMyAdmin panel:

CREATE TABLE `myAdmins` (
  `id` int(4) NOT NULL auto_increment,
  `myUserName` varchar(65) NOT NULL default '',
  `myPassword` varchar(65) NOT NULL default '',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

INSERT INTO myAdmins VALUES("1","abc","123");

And then that's it. Ideas on how to improve what I'm using? Thanks!
scootstah Posted February 4, 2012

In your Login.php you need to use mysql_real_escape_string() on the username and password. Currently you are putting $_POST variables directly in your query, which means you are susceptible to SQL injection.

You needn't worry about sanitizing though on the Login.php. That will just make it easier for hackers.
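The two defects raised in this thread (no check that the form was submitted with non-empty fields, and POST values interpolated straight into SQL) fixed in one handler. This is an added example, not code from the thread or from the tinsology tutorial; it assumes `../include/myConn.php` provides a PDO connection in `$pdo`, swaps the tutorial's sha256+salt scheme for password_hash()/password_verify(), and uses a prepared statement instead of mysql_real_escape_string().

```php
<?php
// Hardened replacement for the mmLogin.php handler from the first post.
// Assumptions (not from the thread): ../include/myConn.php defines $pdo (a PDO
// object), and the `users` table's `password` column stores a password_hash()
// value, e.g. created once with password_hash('test', PASSWORD_DEFAULT).
session_start();
include('../include/myConn.php');

$error = '';

// Only process the form when it was actually submitted via POST ...
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = isset($_POST['username']) ? trim($_POST['username']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // ... and only when both fields carry data. This is the missing check that
    // let a row with an empty username and empty password log the visitor in.
    if ($username === '' || $password === '') {
        $error = 'Username and password are required.';
    } else {
        // Prepared statement: the username never becomes part of the SQL text,
        // so no escaping is needed and SQL injection is not possible here.
        $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // password_verify() compares in constant time and replaces the
        // tutorial's hash('sha256', salt . hash('sha256', pw)) comparison.
        if ($row !== false && password_verify($password, $row['password'])) {
            session_regenerate_id(true);        // new session id after login (session fixation)
            $_SESSION['valid']  = 1;
            $_SESSION['userid'] = $row['id'];   // the original validateUser() left $userid undefined
            header('Location: a_Home.php');
            exit;
        }
        // Same message for unknown user and wrong password: do not reveal which.
        $error = 'Incorrect username or password.';
    }
}
?>
<html>
<body>
<?php if ($error !== '') echo '<p>' . htmlspecialchars($error) . '</p>'; ?>
<form action="mmLogin.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" />
</form>
</body>
</html>
```

The myCheckLogin.php include from the first post keeps working unchanged, since `$_SESSION['valid']` is set the same way.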
PFMaBiSmAd Posted February 4, 2012

@spacepoet The last code you posted (reply #6) is even worse crap and more out of date and inconsistent than the original code you were using at the start of this thread.

You appear to be using a programming method called throw-away coding. You try something, it does not work. Instead of learning what it means and what it is doing, what is wrong with it, and how to fix it, you throw it away and try something else. All this does is waste a huge amount of time. It will literally take you 100's of times longer to arrive at working code by proceeding this way. This is not programming. You must learn what each line of code means and how it contributes to the goal you are trying to accomplish in order to be able to write code yourself or even to adapt code that someone else wrote to something that you want to accomplish.
spacepoet Posted February 4, 2012 (Author)

Well, can you show me 1 tutorial you would recommend that you would consider to be a secure way of doing this? So I can go through it and learn from it ..

That's the problem I'm having - everyone's solution is the "best" one until another programmer sees it and says it's "crap." I don't know what direction I am supposed to focus on ..
scootstah Posted February 6, 2012

> Well, can you show me 1 tutorial you would recommend that you would consider to be a secure way of doing this? So I can go through it and learn from it .. That's the problem I'm having - everyone's solution is the "best" one until another programmer sees it and says it's "crap." I don't know what direction I am supposed to focus on ..

Instead of trying to take in the entire script at once, break it down line by line. Do you understand what all of the code in the script does? You should be able to decide on your own which tutorials are crap. Sounds like you are trying to walk before you crawl.