NomadicJosh Posted April 17, 2012 Share Posted April 17, 2012 I've just implemented PHPass into an application that I am working on, and I am seeing a strange inconsistency. The issue is, the application is installed on one site, and it works perfectly. But the same application works on another site, and the login nor registration works. Does anyone know what might be the issue that registration and login works on one site but not the other with PHPass? Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/ Share on other sites More sharing options...
QuickOldCar Posted April 17, 2012 Share Posted April 17, 2012 Make a phpinfo page each site and compare to see what is different. <?php phpinfo();?> Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1337985 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 Make a phpinfo page each site and compare to see what is different. <?php phpinfo();?> Thanks for responding, they are on the same server and use the same PHP.ini, so there shouldn't be that big of a difference between the two. I don't see anything that stands out under PHP Variables. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1337989 Share on other sites More sharing options...
PFMaBiSmAd Posted April 17, 2012 Share Posted April 17, 2012 You are going to need to troubleshoot exactly at what point the code and data are doing what you expect and at what point they are not in order to pin down what is causing the problem. In any case, we cannot help you without seeing the code needed to reproduce the problem (less any database credentials) and a description or picture of the error or symptom you are getting that makes you believe that the code does not work. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1337991 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 You are going to need to troubleshoot exactly at what point the code and data are doing what you expect and at what point they are not in order to pin down what is causing the problem. In any case, we cannot help you without seeing the code needed to reproduce the problem (less any database credentials) and a description or picture of the error or symptom you are getting that makes you believe that the code does not work. I just wanted to start off with a question to see if this was something that has come up before posting long lines of code. Below is the function that is called when the login form is submitted. The registration form is a little more involved, so I will spare posting it, but I am 100% sure that the registration process works. Thanks again for helping to troubleshoot with me. function pm_login($username, $password, $remember = NULL) { $hasher = new PasswordHash(8, FALSE); $user = strtolower(pmdb::connect()->escape($username)); $pass = pmdb::connect()->escape($password); $results = pmdb::connect()->get_row( "SELECT * FROM ". DB ."members WHERE username = '$user'" ); // Use to set cookie session for domain. $cookiedomain = $_SERVER['SERVER_NAME']; $cookiedomain = str_replace('www.', '', $cookiedomain); if(isset($_POST['login'])) { if($hasher->CheckPassword($pass, $results->password)) { do_action( 'pm_login_form_script' ); $_SESSION['logged'] = 1; // Sets the session. $_SESSION['username'] = $results->username; // Sets the username session. $_SESSION['userID'] = $results->user_id; $_SESSION['remember_me'] = $_POST['remember_me']; // Sets a remember me cookie if remember me is checked. if(isset($remember)){ setcookie("pm_cookname", $user, time()+60*60*24*120, "/", $cookiedomain); setcookie("pm_cookpass", md5($pass), time()+60*60*24*120, "/", $cookiedomain); } pm_redirect(PM_URI . "/index.php"); } else { setcookie("pm_cookname", $user, time()+3600*24); setcookie("pm_cookpass", md5($pass), time()+3600*24); } pm_redirect(PM_URI . "/index.php"); } return apply_filter( 'login', $username, $password, $remember ); } Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1337994 Share on other sites More sharing options...
Psycho Posted April 17, 2012 Share Posted April 17, 2012 When you state that the login works on one site but not another, can you provide some more information. Are the two sites sharing the same database? I'm not taking about the same database server, but the exact same tables? Or did you, by chance, copy the database from one site into the other? Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1337996 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 No, there was nothing copied over. One is a development instance where all fixes, changes, and updates occur. It is not a new install, but it is where updates will be pulled from when updates are pushed to the server and everything works well on the development instance. The second site is where I did a new installation by running the installer which created new tables in a new database and new admin account. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1337997 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 Ok, now I have a new issue that is probably related to my previous issue. On the site where the login is somewhat working, if I go to login as a different user, when I visit a different page, I then become a different user. Is there anything in my code above that needs to change to correct this issue? Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338222 Share on other sites More sharing options...
xyph Posted April 17, 2012 Share Posted April 17, 2012 pmdb::connect()->escape($username) Does pmdb::connect() return a new instance of a database class? Or is it a singleton, that returns the same instance? Why not follow the article they provide? http://www.openwall.com/articles/PHP-Users-Passwords It covers a LOT, including securing your script beyond simply using PHPass. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338227 Share on other sites More sharing options...
batwimp Posted April 17, 2012 Share Posted April 17, 2012 Stupid question, but are you sure both your installations are the same version? Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338228 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 pmdb::connect()->escape($username) Does pmdb::connect() return a new instance of a database class? Or is it a singleton, that returns the same instance? Why not follow the article they provide? http://www.openwall.com/articles/PHP-Users-Passwords It covers a LOT, including securing your script beyond simply using PHPass. It is a singleton. I've read through it over and over, but I don't see anything about inconsistency and becoming a different user after login. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338230 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 Stupid question, but are you sure both your installations are the same version? Yes, they are the same versions. The code was copied from development into another site including the installer. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338233 Share on other sites More sharing options...
PFMaBiSmAd Posted April 17, 2012 Share Posted April 17, 2012 I'm not exactly sure what you mean in reply #7, but if it seems like you have more than set of session values and navigating between different pages, perhaps some with and some without the www. on the URL or with different paths, switches back and forth between logged in users, check what a phpinfo statement shows for the session.cookie_path and session.cookie_domain settings on both systems. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338238 Share on other sites More sharing options...
xyph Posted April 17, 2012 Share Posted April 17, 2012 Well, you've set it up way differently than they suggest. We can't really help much though. Most of your scripts workload is through functions we have no access to. I can post you a working implementation of PHPass that I use. This is rough, and quite a bit of database structure is hard-coded into the login class. It's all attached. example.php - The file to run. It's a VERY ROUGH implementation of the classes exception.php - The exception class. It's simply an extension of PHP's default Exception handler, I just use my own to make changing it later less of a hassle login.php - The login class. Does the work specific to tracking a user login.phpass.php - The PHPass class sql.php - The SQL class. A raw extension of the MySQLi class. Used to make changing later easier. token.php - Abstract token class. I use this when building any class that needs state in some form. Requires mcrypt, and if running on Windows, requires PHP5.3 or later Your issues seem to stem from how you're handling/destroying sessions. PFMaBiSmAd's advice will help you find out if those are cookie issues. 18095_.zip Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338265 Share on other sites More sharing options...
NomadicJosh Posted April 17, 2012 Author Share Posted April 17, 2012 @xyph, thank you for this. I will check it out and see where I am failing. If I had to guess, I think my issue is with the way sessions is implemented. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338266 Share on other sites More sharing options...
NomadicJosh Posted April 18, 2012 Author Share Posted April 18, 2012 Thanks everyone for your help. I found out what the problem was. It wasn't my code, it was my database. Since I was going form md5 to something more secure, the password field was set at varchar(60), so the characters were being truncated. Quote Link to comment https://forums.phpfreaks.com/topic/261075-question-for-phpass-expert/#findComment-1338397 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.