Hi Guys,

Here is the code. Once logged in using known credentials it should display the content "welcome...", but it doesn't; instead it is showing "you are not authorized...", as if $_SESSION['username'] isn't being taken?

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) : ?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
            <p>
                This is an example protected page.  To access this page, users
                must be logged in.  At some stage, we'll also check the role of
                the user, so pages will be able to determine the type of user
                authorised to access the page.
            </p>
            <p>Return to <a href="index.php">login page</a></p>
        <?php else : ?>
            <p>
                <span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login or register</a>.
            </p>
        <?php endif; ?>
        
    </body>
</html>

I am using WAMP and have made sure the username and password are in the database correctly. How do I debug this?

The error reporting has been switched on but it doesn't help me.

 

Is the problem with:

 <?php if (login_check($mysqli) == true) : ?>

I am trying to follow this guide: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Please could I get some help on how to make the login "detect" the username from my MySQL database and display the username?

 

Thanks

 

https://forums.phpfreaks.com/topic/290210-need-help-with-session-variable-problem/

login_check() is returning false, however

function login_check($mysqli) {
    // Check if all session variables are set 
    if (isset($_SESSION['user_id'], 
                        $_SESSION['username'], 
                        $_SESSION['login_string'])) {
 
        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['username'];
 
        // Get the user-agent string of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
 
        if ($stmt = $mysqli->prepare("SELECT password 
                                      FROM members 
                                      WHERE id = ? LIMIT 1")) {
            // Bind "$user_id" to parameter. 
            $stmt->bind_param('i', $user_id);
            $stmt->execute();   // Execute the prepared query.
            $stmt->store_result();
 
            if ($stmt->num_rows == 1) {
                // If the user exists get variables from result.
                $stmt->bind_result($password);
                $stmt->fetch();
                $login_check = hash('sha512', $password . $user_browser);
 
                if ($login_check == $login_string) {
                    // Logged In!!!! 
                    return true;
                } else {
                    // Not logged in 
                    return false;
                }
            } else {
                // Not logged in 
                return false;
            }
        } else {
            // Not logged in 
            return false;
        }
    } else {
        // Not logged in 
        return false;
    }
}
there are four different reasons it might do that.

 

Insert some debugging code (like using error_log() or trigger_error()) in there to see what it is doing. Then you'll know why it's failing and thus what needs to be fixed.

Hey requinix,

Thanks, I just tried to report back errors as suggested but nothing came back in the browser, except the same "not authorized" message.

For reference I am using the PHP documentation and have tried error_log() like this:

<?php if (login_check($mysqli) == true) : 
		{
error_log() ?>

And trigger_error like this: 

<?php if (login_check($mysqli) == true) : 
		{
trigger_error("A custom error has been triggered");
}?>

This might be correct, but nothing is reported back, so I don't understand why login_check() is returning false yet.

Thanks again

You need to put that inside login_check(). Like in the places where it returns false: just before each, log why. For example,

                if ($login_check == $login_string) {
                    // Logged In!!!! 
                    return true;
                } else {
                    // Not logged in 
                    error_log("Not logged in: password hashes do not match");
                    return false;
                }
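To make the advice above concrete, here is the same login_check() with an error_log() call in front of each of its four "return false" paths. This is an added example, not the wikiHow script or any code from the thread. It assumes the wikiHow schema (a `members` table with `id` and `password` columns), a mysqli connection in `$mysqli`, a session already started by sec_session_start(), and PHP 7.0 or later.

```php
<?php
// Added example (not the wikiHow script or the poster's code): login_check()
// instrumented so the PHP error log, not the browser, says which of the four
// checks failed. Assumes the wikiHow `members(id, password)` table, a mysqli
// connection in $mysqli and an already-started session. PHP 7.0+.

function login_check(mysqli $mysqli): bool
{
    // Reason 1: one or more session variables are missing. Either the user
    // never logged in on this session, or the session cookie was not sent
    // back (different cookie path/domain or a different session name between
    // the login page and this page are common causes).
    if (!isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
        error_log('login_check: missing session vars; present: '
            . implode(',', array_keys($_SESSION)));
        return false;
    }

    $user_id      = (int) $_SESSION['user_id'];
    $login_string = (string) $_SESSION['login_string'];
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    // Reason 2: prepare() failed, typically a wrong table or column name or a
    // broken connection. $mysqli->error says which.
    $stmt = $mysqli->prepare('SELECT password FROM members WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        error_log('login_check: prepare failed: ' . $mysqli->error);
        return false;
    }
    $stmt->bind_param('i', $user_id);
    $stmt->execute();
    $stmt->store_result();

    // Reason 3: no member row with that id.
    if ($stmt->num_rows !== 1) {
        error_log("login_check: no member row for id=$user_id");
        $stmt->close();
        return false;
    }
    $stmt->bind_result($password);
    $stmt->fetch();
    $stmt->close();

    // Reason 4: the stored token does not match. login_string was built from
    // the password hash and the User-Agent at login time, so it breaks if
    // either changed since (the password row was edited, or the browser now
    // sends a different User-Agent). Log the id only, never the hash or token.
    $expected = hash('sha512', $password . $user_browser);
    if (!hash_equals($expected, $login_string)) {
        error_log("login_check: login_string mismatch for id=$user_id");
        return false;
    }
    return true;
}
```

error_log() writes to the file named by the `error_log` setting in php.ini, or to the web server's error log when that is unset; it never prints to the page, which is why nothing "came back in the browser". hash_equals() (PHP 5.6+) is used in place of `==` because it compares the two strings in constant time and as strings, without the loose numeric coercion `==` applies.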

On a side note:

 

Andy, you should be aware that this so-called “secure login script” has several major security issues. In fact, it's little more than a fancy version of the usual bullshit. 

 

If you have any PHP skills whatsoever, you're better off doing some research about security and then writing your own code. It's generally not the best idea to blindly copy and paste stuff you found somewhere on the Internet. This “wikiHow” site may be great for sharing recipes, but it doesn't have any credibility whatsoever with regard to web security.

It seems whatever's "out there" for security, there will be exploit points, and most if not all attempts so far have ended in the same answer or similar to yours, Jacques1.

This seems better than nothing at the moment.

I have tried using bcrypt, mcrypt, but I'm missing something because it's not very straightforward to me and doesn't seem to work for me. Once I get this working I'll try to figure out a "better" way.

requinix

Thanks, but nothing happens when I add error_log() into the code like this (by nothing happens I mean only a blank page is displayed in the browser).

Doesn't trigger_error() do the same thing?

Thanks, but nothing happens when I add error_log() into the code like this (by nothing happens I mean only a blank page is displayed in the browser).

Did you add those messages to all four locations?

A blank page now when you weren't getting it earlier sounds like a parse error. Check your error log.

 

Doesn't trigger_error() do the same thing?

trigger_error

error_log

<?php 
error_reporting(E_ALL); 
ini_set("display_errors", 1); 
include("file_with_errors.php"); 
?> 

creates attached image "1"

My php.ini for error reporting has:

 

; display_errors
;   Default Value: On
;   Development Value: On
;   Production Value: on
 
; display_startup_errors
;   Default Value: Off
;   Development Value: On
;   Production Value: on
 
; error_reporting
;   Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
;   Development Value: E_ALL
;   Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
 
; html_errors
;   Default Value: On
;   Development Value: On
;   Production value: On
 
; log_errors
;   Default Value: on
;   Development Value: On
;   Production Value: On


creates attached image "1"

Sure doesn't look like a blank page to me: it's giving you the access denied message.

 

I still haven't gotten a straight answer on whether you added the stuff I told you to. So, what does the code for login_check() look like now?

And have. you. checked. the. error. log. lately?


The code for login check looks like this: 

<?php if ($login_check == $login_string) {
                    // Logged In!!!! 
                    return true;
                } else {
                    // Not logged in 
                    error_log("Not logged in: password hashes do not match");
                    return false;
                }?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
            <p>
                This is an example protected page.  To access this page, users
                must be logged in.  At some stage, we'll also check the role of
                the user, so pages will be able to determine the type of user
                authorised to access the page.
            </p>

The browser looks like the attached image.

The login_check() function definition, the current focus of this thread, is defined in the functions.php file. You should not have any code referencing $login_check == $login_string in your login_success2.php code (as indicated by the last image of PHP error messages attached).

mac_gyver

I am keeping login_success.php and have created login_success2.php to keep them separated as a test. 

 

I noticed in the log:

[02-Aug-2014 18:50:36 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_ldap.dll' - The specified module could not be found. in Unknown on line 0
[02-Aug-2014 18:50:37 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_intl.dll' - The specified module could not be found. in Unknown on line 0
[02-Aug-2014 18:50:37 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'c:/wamp/bin/php/php5.5.12/ext/php_ldap.dll' - The specified module could not be found. in Unknown on line 0
[02-Aug-2014 20:51:09 Europe/Paris] PHP Warning:  include(file_with_errors.php): failed to open stream: No such file or directory in C:\wamp\www\login_success.php on line 4
[02-Aug-2014 20:51:09 Europe/Paris] PHP Stack trace:
[02-Aug-2014 20:51:09 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success.php:0
[02-Aug-2014 20:51:09 Europe/Paris] PHP Warning:  include(): Failed opening 'file_with_errors.php' for inclusion (include_path='.;C:\php\pear') in C:\wamp\www\login_success.php on line 4
[02-Aug-2014 20:51:09 Europe/Paris] PHP Stack trace:
[02-Aug-2014 20:51:09 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success.php:0
[02-Aug-2014 20:55:05 Europe/Paris] PHP Parse error:  syntax error, unexpected 'else' (T_ELSE) in C:\wamp\www\login_success.php on line 42
[02-Aug-2014 20:57:17 Europe/Paris] PHP Parse error:  syntax error, unexpected 'endif' (T_ENDIF) in C:\wamp\www\login_success2.php on line 43
[02-Aug-2014 20:57:26 Europe/Paris] PHP Notice:  Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
[02-Aug-2014 20:57:26 Europe/Paris] PHP Stack trace:
[02-Aug-2014 20:57:26 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
[02-Aug-2014 20:57:26 Europe/Paris] PHP Notice:  Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
[02-Aug-2014 20:57:26 Europe/Paris] PHP Stack trace:
[02-Aug-2014 20:57:26 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
[02-Aug-2014 20:59:46 Europe/Paris] PHP Notice:  Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
[02-Aug-2014 20:59:46 Europe/Paris] PHP Stack trace:
[02-Aug-2014 20:59:46 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
[02-Aug-2014 20:59:46 Europe/Paris] PHP Notice:  Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
[02-Aug-2014 20:59:46 Europe/Paris] PHP Stack trace:
[02-Aug-2014 20:59:46 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
[02-Aug-2014 21:03:42 Europe/Paris] PHP Notice:  Undefined variable: login_string in C:\wamp\www\login_success2.php on line 23
[02-Aug-2014 21:03:42 Europe/Paris] PHP Stack trace:
[02-Aug-2014 21:03:42 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0
[02-Aug-2014 21:03:42 Europe/Paris] PHP Notice:  Undefined variable: login_check in C:\wamp\www\login_success2.php on line 23
[02-Aug-2014 21:03:42 Europe/Paris] PHP Stack trace:
[02-Aug-2014 21:03:42 Europe/Paris] PHP   1. {main}() C:\wamp\www\login_success2.php:0

Hello post-contributors,

Please could you suggest a starting point to get a secure (non-bullshit) login system with PHP?

- which areas to consider

- what to research on the matter

- possibly some links

- what do you guys personally use, OR what would you use if you needed a secure login system?

Please

Thanks

Start with standard web security: prepared statements, HTML-escaping, proper session handling, secure random numbers etc. There's an excellent online book which explains the basics. You don't have to understand every detail, but you should know the most common risks and how to deal with them. This is simply part of being a web developer.

 

Then take care of the parts which are specific to user management. For example: How should passwords be stored? Any competent developer will be able to tell you that we use bcrypt and that PHP has a native bcrypt implementation as well as a compatibility library in case you're running some older PHP version.

 

If you get this right, your code will already be better than most of the stuff floating around on the Internet. But what's much more important is that you're actually becoming a programmer. You don't just copy code from other people. You write your own code and use your own abilities.

 

The last step (which really never ends) is that you deepen your knowledge and keep up-to-date. How do the security techniques actually work? Which other ideas do people come up with? What about more exotic attacks? This is a long journey of reading, thinking, playing around and discussing.

 

Either way, it's great that you want to take this route, and I'm sure everybody will gladly help you with your questions. People who actually want to learn something and get better are always welcome. :)
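The user-management parts Jacques1 lists above (bcrypt password storage, prepared statements, proper session handling), as an added example rather than code from the thread or from the wikiHow guide. It uses PHP's native password_hash()/password_verify() (PHP 5.5+; the password_compat library provides the same functions on 5.3.7+). The `members(id, username, password_hash)` table is a hypothetical schema chosen for the example, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not the wikiHow script or the thread's code: password
// storage with PHP's native bcrypt API plus basic session hardening.
// Assumed (hypothetical) schema:
//   members(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64) UNIQUE,
//           password_hash VARCHAR(255))
// PHP 7.3+ (array form of session_set_cookie_params).

function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // HTTPS only; set false on a plain-HTTP dev box such as WAMP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function register_user(mysqli $db, string $username, string $password): bool
{
    // bcrypt with a random per-user salt; algorithm, cost and salt are all
    // embedded in the returned string, so nothing else needs storing.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();   // false on a duplicate username
    $stmt->close();
    return $ok;
}

function login_user(mysqli $db, string $username, string $password): bool
{
    // A dummy hash is verified for unknown usernames so the response time
    // does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }

    // Upgrade the stored hash when the default algorithm or cost has moved on.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE members SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $new, $id);
        $upd->execute();
        $upd->close();
    }

    // New session id at the privilege change, so a session id planted before
    // login (session fixation) is not carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $id;
    $_SESSION['username'] = $username;
    return true;
}

function is_logged_in(): bool
{
    // The server-side session is the proof of login; no per-request password
    // hash lookup and no User-Agent-derived token are needed.
    return isset($_SESSION['user_id'], $_SESSION['username']);
}
```

Call secure_session_start() at the top of every page instead of sec_session_start(), login_user() from the login form handler, and is_logged_in() in place of login_check($mysqli) on protected pages. Keep display_errors off outside development so failed database calls do not print connection details to the browser; error_log() still records them.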
