andybriggs, Posted July 31, 2014

Hi Guys,

Here is the code. Once logged in using known credentials it should display the content "welcome..." but it doesn't; instead it is showing "you are not authorized..." as if the session['username']); isn't being taken?

    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    include_once 'includes/db_connect.php';
    include_once 'includes/functions.php';
    sec_session_start();
    ?>
    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) : ?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
            <p>
                This is an example protected page. To access this page, users
                must be logged in. At some stage, we'll also check the role of
                the user, so pages will be able to determine the type of user
                authorised to access the page.
            </p>
            <p>Return to <a href="index.php">login page</a></p>
        <?php else : ?>
            <p>
                <span class="error">You are not authorized to access this page.</span>
                Please <a href="index.php">login or register</a>.
            </p>
        <?php endif; ?>
    </body>
    </html>

I am using WAMP and have made sure the username and password are in the database correctly. How do I debug this? The error reporting has been switched on but it doesn't help me. Is the problem with:

    <?php if (login_check($mysqli) == true) : ?>

I am trying to follow this guide: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Please could I get some help on how to make the login "detect" the username from my MySQL database and display the username?

Thanks
requinix, Posted July 31, 2014

login_check() is returning false, however

    function login_check($mysqli) {
        // Check if all session variables are set
        if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
            $user_id      = $_SESSION['user_id'];
            $login_string = $_SESSION['login_string'];
            $username     = $_SESSION['username'];

            // Get the user-agent string of the user.
            $user_browser = $_SERVER['HTTP_USER_AGENT'];

            if ($stmt = $mysqli->prepare("SELECT password FROM members WHERE id = ? LIMIT 1")) {
                // Bind "$user_id" to parameter.
                $stmt->bind_param('i', $user_id);
                $stmt->execute();   // Execute the prepared query.
                $stmt->store_result();

                if ($stmt->num_rows == 1) {
                    // If the user exists get variables from result.
                    $stmt->bind_result($password);
                    $stmt->fetch();
                    $login_check = hash('sha512', $password . $user_browser);

                    if ($login_check == $login_string) {
                        // Logged In!!!!
                        return true;
                    } else {
                        // Not logged in
                        return false;
                    }
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in
            return false;
        }
    }

there are four different reasons it might do that. Insert some debugging code (like using error_log() or trigger_error()) in there to see what it is doing. Then you'll know why it's failing and thus what needs to be fixed.
andybriggs (Author), Posted July 31, 2014

Hey requinix,

Thanks, I just tried to report back errors as suggested but nothing came back in the browser, except the same "not authorized" message. For reference I am using the PHP documentation and have tried error_log() like this:

    <?php if (login_check($mysqli) == true) : { error_log() ?>

And trigger_error like this:

    <?php if (login_check($mysqli) == true) : { trigger_error("A custom error has been triggered"); }?>

This might be correct but nothing is reported back, so I don't understand why login_check() is returning false yet.

Thanks again
requinix, Posted August 1, 2014

You need to put that inside login_check(). Like in the places where it returns false: just before each, log why. For example,

    if ($login_check == $login_string) {
        // Logged In!!!!
        return true;
    } else {
        // Not logged in
        error_log("Not logged in: password hashes do not match");
        return false;
    }

Edited August 1, 2014 by requinix
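The advice above applied to the whole function, as an added example that is not requinix's code and not the wikiHow script: the same login_check() from the thread, restructured so that each of the four ways it can return false is a separate early return with its own error_log() line. It assumes the same `$mysqli` connection, the `members` table with `id` and `password` columns, and the three session keys the original uses; the log messages themselves are constructed here.

```php
<?php
// Added example: login_check() with a log line at every failure point.
// Assumes the thread's $mysqli connection, `members`(id, password) table and
// $_SESSION['user_id'], ['username'], ['login_string'] keys.
function login_check($mysqli)
{
    // Failure 1: session not populated (not logged in, or session lost).
    if (!isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
        error_log('login_check: session keys missing (user_id/username/login_string)');
        return false;
    }
    $user_id      = $_SESSION['user_id'];
    $login_string = $_SESSION['login_string'];
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    // Failure 2: the statement could not be prepared (wrong table/column, DB down).
    $stmt = $mysqli->prepare("SELECT password FROM members WHERE id = ? LIMIT 1");
    if (!$stmt) {
        error_log('login_check: prepare() failed: ' . $mysqli->error);
        return false;
    }
    $stmt->bind_param('i', $user_id);
    $stmt->execute();
    $stmt->store_result();

    // Failure 3: no row for that id (session refers to a user that is not in the table).
    if ($stmt->num_rows != 1) {
        error_log('login_check: no member row for id ' . (int) $user_id);
        $stmt->close();
        return false;
    }
    $stmt->bind_result($password);
    $stmt->fetch();
    $stmt->close();

    // Failure 4: the value stored at login does not match what we recompute now
    // (different user agent, different password column, session set elsewhere).
    // hash_equals() is the better comparison on PHP >= 5.6; === is used here so
    // the example also runs on the 5.5 build mentioned in the thread.
    $expected = hash('sha512', $password . $user_browser);
    if ($expected !== $login_string) {
        error_log('login_check: login_string mismatch for user ' . $_SESSION['username']);
        return false;
    }
    return true;
}
```

With this in functions.php, the "You are not authorized" page comes with exactly one line in the PHP error log naming the branch that fired, which is the information the rest of the thread is trying to get at; the file the log goes to is whatever `error_log` is set to in php.ini (or the web server's error log when it is unset).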
Jacques1, Posted August 1, 2014

On a side note: Andy, you should be aware that this so-called “secure login script” has several major security issues. In fact, it's little more than a fancy version of the usual bullshit. If you have any PHP skills whatsoever, you're better off doing some research about security and then writing your own code. It's generally not the best idea to blindly copy and paste stuff you found somewhere on the Internet. This “wikiHow” site may be great for sharing recipes, but it doesn't have any credibility whatsoever with regard to web security.
andybriggs (Author), Posted August 1, 2014

It seems whatever's "out there" for security, there will be exploit points, and most if not all attempts so far have ended in the same answer as yours or similar, Jacques1. This seems better than nothing at the moment. I have tried using bcrypt and mcrypt but I'm missing something, because it's not very straightforward to me and doesn't seem to work for me. Once I get this working I'll try to figure out a "better" way.

requinix, thanks, but nothing happens when I add error_log() into the code like this (by nothing happens I mean only a blank page is displayed in the browser). Doesn't trigger_error() do the same thing?
requinix, Posted August 1, 2014

> thanks, but nothing happens when i add error_log() into the code like this (by nothing happens i mean only a blank page is displayed in the browser)

Did you add those messages to all four locations? A blank page now when you weren't getting it earlier sounds like a parse error. Check your error log.

> doesn't trigger_error() do the same thing?

trigger_error
error_log
andybriggs (Author), Posted August 1, 2014

    <?php
    error_reporting(E_ALL);
    ini_set("display_errors", 1);
    include("file_with_errors.php");
    ?>

creates attached image "1"

my php.ini for error reporting has:

    ; display_errors
    ;   Default Value: On
    ;   Development Value: On
    ;   Production Value: on

    ; display_startup_errors
    ;   Default Value: Off
    ;   Development Value: On
    ;   Production Value: on

    ; error_reporting
    ;   Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
    ;   Development Value: E_ALL
    ;   Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT

    ; html_errors
    ;   Default Value: On
    ;   Development Value: On
    ;   Production value: On

    ; log_errors
    ;   Default Value: on
    ;   Development Value: On
    ;   Production Value: On
requinix, Posted August 2, 2014

> creates attached image "1"

Sure doesn't look like a blank page to me: it's giving you the access denied message.

I still haven't gotten a straight answer on whether you added the stuff I told you to. So, what does the code for login_check() look like now? And have. you. checked. the. error. log. lately?

Edited August 2, 2014 by requinix
andybriggs (Author), Posted August 2, 2014

The code for login check looks like this:

    <?php
    if ($login_check == $login_string) {
        // Logged In!!!!
        return true;
    } else {
        // Not logged in
        error_log("Not logged in: password hashes do not match");
        return false;
    }?>
    <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
    <p>
        This is an example protected page. To access this page, users
        must be logged in. At some stage, we'll also check the role of
        the user, so pages will be able to determine the type of user
        authorised to access the page.
    </p>

the browser looks like attached.
mac_gyver, Posted August 2, 2014

The login_check(){} function definition, the current focus of this thread, is defined in the functions.php file. You should not have any code referencing $login_check == $login_string in your login_success2.php code (as indicated by the last image of PHP error messages attached.)
andybriggs (Author), Posted August 3, 2014

mac_gyver, I am keeping login_success.php and have created login_success2.php to keep them separated as a test.

I noticed in the log:

    [02-Aug-2014 18:50:36 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_ldap.dll' - The specified module could not be found. in Unknown on line 0
    [02-Aug-2014 18:50:37 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_intl.dll' - The specified module could not be found. in Unknown on line 0
    [02-Aug-2014 18:50:37 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_ldap.dll' - The specified module could not be found. in Unknown on line 0
    [02-Aug-2014 20:51:09 Europe/Paris] PHP Warning: include(file_with_errors.php): failed to open stream: No such file or directory in C:\wamp\www\login_success.php on line 4
    [02-Aug-2014 20:51:09 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 20:51:09 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success.php:0
    [02-Aug-2014 20:51:09 Europe/Paris] PHP Warning: include(): Failed opening 'file_with_errors.php' for inclusion (include_path='.;C:\php\pear') in C:\wamp\www\login_success.php on line 4
    [02-Aug-2014 20:51:09 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 20:51:09 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success.php:0
    [02-Aug-2014 20:55:05 Europe/Paris] PHP Parse error: syntax error, unexpected 'else' (T_ELSE) in C:\wamp\www\login_success.php on line 42
    [02-Aug-2014 20:57:17 Europe/Paris] PHP Parse error: syntax error, unexpected 'endif' (T_ENDIF) in C:\wamp\www\login_success2.php on line 43
    [02-Aug-2014 20:57:26 Europe/Paris] PHP Notice: Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
    [02-Aug-2014 20:57:26 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 20:57:26 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
    [02-Aug-2014 20:57:26 Europe/Paris] PHP Notice: Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
    [02-Aug-2014 20:57:26 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 20:57:26 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
    [02-Aug-2014 20:59:46 Europe/Paris] PHP Notice: Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
    [02-Aug-2014 20:59:46 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 20:59:46 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
    [02-Aug-2014 20:59:46 Europe/Paris] PHP Notice: Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
    [02-Aug-2014 20:59:46 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 20:59:46 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
    [02-Aug-2014 21:03:42 Europe/Paris] PHP Notice: Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
    [02-Aug-2014 21:03:42 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 21:03:42 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
    [02-Aug-2014 21:03:42 Europe/Paris] PHP Notice: Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
    [02-Aug-2014 21:03:42 Europe/Paris] PHP Stack trace:
    [02-Aug-2014 21:03:42 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
andybriggs (Author), Posted August 6, 2014

Hello post-contributors,

Please could you suggest a starting point to get a secure (non-bullshit) login system with PHP?

- which areas to consider
- what to research on the matter
- possibly some links
- what do you guys personally use, OR what would you use if you needed a secure login system, please

Thanks
Jacques1, Posted August 7, 2014

Start with standard web security: prepared statements, HTML-escaping, proper session handling, secure random numbers etc. There's an excellent online book which explains the basics. You don't have to understand every detail, but you should know the most common risks and how to deal with them. This is simply part of being a web developer.

Then take care of the parts which are specific to user management. For example: How should passwords be stored? Any competent developer will be able to tell you that we use bcrypt and that PHP has a native bcrypt implementation as well as a compatibility library in case you're running some older PHP version.

If you get this right, your code will already be better than most of the stuff floating around on the Internet. But what's much more important is that you're actually becoming a programmer. You don't just copy code from other people. You write your own code and use your own abilities.

The last step (which really never ends) is that you deepen your knowledge and keep up-to-date. How do the security techniques actually work? Which other ideas do people come up with? What about more exotic attacks? This is a long journey of reading, thinking, playing around and discussing.

Either way, it's great that you want to take this route, and I'm sure everybody will gladly help you with your questions. People who actually want to learn something and get better are always welcome.
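The user-management pieces the post lists, written out as an added example that is not Jacques1's code and not the wikiHow script: bcrypt through PHP's native password_hash()/password_verify() (PHP 5.5 and later, which covers the 5.5.12 build named in the thread), prepared statements for every query that touches user input, and a session that is started with cookie-only, HttpOnly settings and gets a fresh id on login. It assumes a `members` table with columns `id`, `username` and `password_hash` (that column name is an assumption; the thread's table has a `password` column) and an existing `$mysqli` connection.

```php
<?php
// Added example, not the project's code. Assumes: $mysqli is a connected mysqli
// object and `members` has columns id (INT), username (VARCHAR), password_hash
// (VARCHAR(255), an assumed column name, wide enough for any password_hash() output).

// Session start with the cookie flags a login system needs: the id is only ever
// read from a cookie (not the URL) and the cookie is not readable from JavaScript.
function secure_session_start()
{
    ini_set('session.use_only_cookies', 1);
    $p = session_get_cookie_params();
    // Keep the configured lifetime/path/domain/secure values, force HttpOnly on.
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], $p['secure'], true);
    session_start();
}

// Store a new user. bcrypt generates and embeds its own salt; the cost factor is
// embedded too, so hashes can be upgraded later with password_needs_rehash().
function register_user(mysqli $mysqli, $username, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $mysqli->prepare("INSERT INTO members (username, password_hash) VALUES (?, ?)");
    if (!$stmt) {
        error_log('register_user: prepare() failed: ' . $mysqli->error);
        return false;
    }
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Verify credentials and populate the session. Returns true on success.
function login_user(mysqli $mysqli, $username, $password)
{
    // The username is bound as a parameter, never concatenated into the SQL text.
    $stmt = $mysqli->prepare("SELECT id, password_hash FROM members WHERE username = ? LIMIT 1");
    if (!$stmt) {
        error_log('login_user: prepare() failed: ' . $mysqli->error);
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows !== 1) {
        $stmt->close();
        return false;           // unknown user: same result as a wrong password
    }
    $stmt->bind_result($id, $hash);
    $stmt->fetch();
    $stmt->close();

    if (!password_verify($password, $hash)) {
        return false;
    }

    // Transparent upgrade if the stored hash was made with an older cost.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
        $new = password_hash($password, PASSWORD_BCRYPT);
        if ($upd = $mysqli->prepare("UPDATE members SET password_hash = ? WHERE id = ?")) {
            $upd->bind_param('si', $new, $id);
            $upd->execute();
            $upd->close();
        }
    }

    // New session id at the moment privileges change, so an id an attacker
    // planted before login (session fixation) is not the one that becomes logged in.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $id;
    $_SESSION['username'] = $username;
    return true;
}

// The check a protected page runs: nothing to recompute, the session itself is
// the proof of login because only login_user() ever sets these keys.
function is_logged_in()
{
    return isset($_SESSION['user_id'], $_SESSION['username']);
}
```

A protected page then becomes `secure_session_start(); if (is_logged_in()) { ... }`, with `htmlentities($_SESSION['username'])` on output exactly as the thread's page already does; the sha512-of-password-and-user-agent `login_string` the original script stores in the session is not needed, since the session id itself is the secret and the password hash never leaves the database after verification.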