/* process_login.php*/
2. 
3.<?php
4.include_once 'db_connect.php';
5.include_once 'functions.php';
6. 
7.sec_session_start(); // Our custom secure way of starting a PHP session.
8. 
9.if (isset($_POST['email'], $_POST['p'])) {
10.    $email = $_POST['email'];
11.    $password = $_POST['p']; // The hashed password.
12. 
13.    if (login($email, $password, $mysqli) == true) {
14.        // Login success 
15.        header('Location: ../protected_page.php');
16.    } else {
17.        // Login failed 
18.        header('Location: ../index.php?error=1');
19.    }
20.} else {
21.    // The correct POST variables were not sent to this page. 
22.    echo 'Invalid Request';
23.}

/* index.php */
2. 
3.<?php
4.error_reporting(E_ALL);
5.ini_set("display_errors",1);
6. 
7.include_once 'includes/db_connect.php';
8.include_once 'includes/functions.php';
9. 
10.sec_session_start();
11. 
12.if (login_check($mysqli) == true) {
13.    $logged = 'in';
14.} else {
15.    $logged = 'out';
16.}
17.?>
18.<!DOCTYPE html>
19.<html>
20.    <head>
21.        <title>Secure Login: Log In</title>
22.        <link rel="stylesheet" href="styles/main.css" />
23.        <script type="text/JavaScript" src="js/sha512.js"></script> 
24.        <script type="text/JavaScript" src="js/forms.js"></script> 
25.    </head>
26.    <body>
27.        <?php
28.        if (isset($_GET['error'])) {
29.            echo '<p class="error">Error Logging In!</p>';
30.        }
31.        ?> 
32.        <form action="includes/process_login.php" method="post" name="login_form">                      
33.            Email: <input type="text" name="email" />
34.            Password: <input type="password" 
35.                             name="password" 
36.                             id="password"/>
37.            <input type="button" 
38.                   value="Login" 
39.                   onclick="formhash(this.form, this.form.password);" /> 
40.        </form>
41. 
42.<?php
43.        if (login_check($mysqli) == true) {
44.                        echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION['username']) . '.</p>';
45. 
46.            echo '<p>Do you want to change user? <a href="includes/logout.php">Log out</a>.</p>';
47.        } else {
48.                        echo '<p>Currently logged ' . $logged . '.</p>';
49.                        echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>";
50.                }
51.?>      
52.    </body>
53.</html>

Hi, I have been building this secure login system, but for some reason the submit button on my index page just is not working. Once an email and password are entered and you click on submit, absolutely nothing happens: no form reset, no login, no errors, nothing. Can anyone see why at all, please?

Which script is not responding? Turn on php error checking. Do some debugging like add an echo at the top of your problem script to see if it is getting there. Add an echo to output the contents of the POST array as in:

 

echo "<pre>",print_r($_POST,true),"</pre>";

 

to see what you are receiving. Focus on one script to make sure everything is correct then move to the next so you don't get confused.

I have error reporting on the top of index.php, and the process_login.php is only an include file to index.php.

As for what data is being sent, and echoing this data or printing it on a page:

No data is being sent at all. When you click on the submit button nothing happens at all; that's the whole problem. That's why I can't fix this myself, I don't understand the nothing.

feel free to view this page on my domain: mnvb.co.uk/secure_login/

that will go to the index.php page as above

I don't see any submit button. I see a 'button', but it is not a submit. Now if you are doing some kind of submit in your JS code, that's a whole other situation.

 

1 - eliminate the blank line at line 2. Could be a problem later on.

2 - Do you get the input form displayed?

3 - Does your browser indicate any errors in your JS code?

4 - Since you have your own session process do you rely on any session vars in the included files prior to turning on your sessions?

the reason your form isn't working is because of your formhash js function

 

if you open console in your browser you will see it says

 

 

ReferenceError: hex_sha512 is not defined

 

which points to this line here:

p.value = hex_sha512(password.value);

once you sort out your JS error, the form should submit as intended by your JS function

Edited by Destramic

Whatever your problem, you are missing a closing bracket here in sha512.js:

//Same, except with 5 addends
function int64add5(dst, a, b, c, d, e)
{
   var w0 = (a.l & 0xffff) + (b.l & 0xffff) + (c.l & 0xffff) + (d.l & 0xffff) + (e.l & 0xffff);
   var w1 = (a.l >>> 16) + (b.l >>> 16) + (c.l >>> 16) + (d.l >>> 16) + (e.l >>> 16) + (w0 >>> 16);
   var w2 = (a.h & 0xffff) + (b.h & 0xffff) + (c.h & 0xffff) + (d.h & 0xffff) + (e.h & 0xffff) + (w1 >>> 16);
   var w3 = (a.h >>> 16) + (b.h >>> 16) + (c.h >>> 16) + (d.h >>> 16) + (e.h >>> 16) + (w2 >>> 16);
   dst.l = (w0 & 0xffff) | (w1 << 16);
   dst.h = (w2 & 0xffff) | (w3 << 16);
Edited by benanamen

although looking further into your script, I would leave the encryption of passwords to the server side (behind closed doors)

you want to be using

http://php.net/manual/en/function.password-verify.php and http://php.net/manual/en/function.password-hash.php on your passwords and possibly encrypt the password using AES also beforehand

The password does get hashed with password_hash(). The code above is copied and pasted from wikiHow.

 

Personally, I'd get rid of all the JavaScript magic and use a plain old form. I have no idea what the client-side hashing is supposed to do. Maybe it's some kind of poor man's HTTPS, in which case you should replace it with the actual HTTPS protocol. Maybe it's supposed to obfuscate the original password, in which case SHA-512 is far too weak. Either way, it only bloats the code and leads to problems (as you can see).

ok so there was my really bad idea

so now you have all given me enough to think about and research to go away and re-look at this and start over,

design all of it using my own codes and ideas to fit what I need,

maybe I will have more success this way

I am curious here: as far as I am aware there is no remote access to the MySQL system on my cPanel, so how safe is the information in my databases?

 

Why do you ask?

 

In reality, a database without professional management is not safe, even if it can only be accessed locally. There are simply too many ways to screw up: SQL injection vulnerabilities, configuration errors, inappropriate permissions, weak passwords etc.

 

Of course you have to make your database as safe as possible, but do prepare for the case that an attacker manages to bypass your security nonetheless. That means:

  • Don't store any sensitive data unless you absolutely need it.
  • Make sure all passwords are hashed with a strong algorithm like bcrypt. Also encourage your users to generate purely random passwords with a password manager.
  • Consider using encryption.
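
An added example (not code from this thread or from the wikiHow tutorial it mentions) of the server-side approach recommended in the replies above: the form posts the plain password over HTTPS and PHP alone handles it with password_hash() and password_verify(), using bcrypt. The `$users` array, the `verify_login()` helper and the sample account are hypothetical stand-ins for a real database lookup.

```php
<?php
// Added example: server-side password handling with PHP's password API.
// Assumption: $users stands in for a database table keyed by email; a real
// application would fetch the row with a prepared statement instead.

// Constructed sample account; the hash is created once, at registration.
$users = [
    'alice@example.com' => [
        'username' => 'alice',
        'hash'     => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
    ],
];

// Hash that is verified when the email is unknown, so both paths do the same
// amount of work and response time does not reveal which emails exist.
$dummyHash = password_hash('placeholder-never-a-real-password', PASSWORD_BCRYPT);

/**
 * Hypothetical helper: returns the username on success, null on failure.
 * $users is passed by reference so an outdated hash can be upgraded in place.
 */
function verify_login(array &$users, string $dummyHash, string $email, string $password): ?string
{
    $record = $users[$email] ?? null;
    $hash   = $record['hash'] ?? $dummyHash;

    // password_verify() reads the algorithm, cost and salt from the stored hash.
    $ok = password_verify($password, $hash);
    if ($record === null || !$ok) {
        return null; // same answer for "unknown email" and "wrong password"
    }

    // Upgrade the stored hash if it was created with older parameters.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
        $users[$email]['hash'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return $record['username'];
}

// The submitted field is the plain password; there is no client-side hashing.
var_dump(verify_login($users, $dummyHash, 'alice@example.com', 'correct horse battery staple'));
var_dump(verify_login($users, $dummyHash, 'alice@example.com', 'wrong password'));
var_dump(verify_login($users, $dummyHash, 'nobody@example.com', 'anything'));
```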

for this project that I am working on, the most sensitive data types I need to store are the user passwords and their personal profile data,

ok I am going to give you a quick run down of this,

I am involved in an online gaming community of volunteers,

they host tournaments on a gaming site in games like backgammon, cribbage, Euchre, spades and pachisi

this site I am making is a place where they can go for information sharing and later to store their files for their macro pushing tools also they post all tournament results and points to a forum I put on,

 

So I want them to go to my home page and log in

firstly of course I want all members to register and create a profile with rankings systems to allow me to set moderation abilities

I am putting this site together for them but as a learning experience for me so that I can later go on and improve upon this code and make something bigger and better
