
My company has used Justin Hagstrom's AutoIndexer for years, but it was mentioned that a "Remember Me" function would be handy. I of course took on the task thinking a simple tutorial would be a teaching element and I could help solve the problem. I think I bit off more than I can chew.

 

    $log_login = false;
    if (USE_LOGIN_SYSTEM && isset($_POST['username'], $_POST['password'])
        && $_POST['username'] != '' && $_POST['password'] != '')
    {
        // form login: hash the submitted password and keep it in the session
        $you = new UserLoggedIn($_POST['username'], sha1($_POST['password']));
        $log_login = true;
        $_SESSION['password'] = sha1($_POST['password']);
        unset($_POST['password']);
        $_SESSION['username'] = $_POST['username'];
    }
    else if (USE_LOGIN_SYSTEM && isset($_SESSION['username'], $_SESSION['password']))
    {
        // returning visitor with an existing session
        $you = new UserLoggedIn($_SESSION['username'], $_SESSION['password']);
    }
    else if (USE_LOGIN_SYSTEM && isset($_COOKIE['username'], $_COOKIE['password']))
    {
        // cookie login; note the cookies set below are named "user" and "pass",
        // so this branch never matches what the remember-me code writes
        $you = new UserLoggedIn($_COOKIE['username'], $_COOKIE['password']);
    }
    else
    {
        $you = new User();
        if (MUST_LOGIN_TO_DOWNLOAD && USE_LOGIN_SYSTEM)
        {
            $str = '<p>You must login to view and download files. </p>'
            . '<table border="0" cellpadding="8" cellspacing="0">'
            . '<tr class="paragraph"><td class="autoindex_td">'
            . $you -> login_box() . '</td></tr></table>';
            echo new Display($str);
            die();
        }
    }

    if (!empty($_POST["remember"]))
    {
        // ten-year cookies; $_POST["password"] was already unset in the login branch above,
        // so the "pass" cookie ends up empty when the form login path was taken
        setcookie("user", $_POST["username"], time() + (10 * 365 * 24 * 60 * 60));
        setcookie("pass", $_POST["password"], time() + (10 * 365 * 24 * 60 * 60));
    }
    else
    {
        if (isset($_COOKIE["user"]))
        {
            setcookie("user", "");
        }
        if (isset($_COOKIE["pass"]))
        {
            setcookie("pass", "");
        }
    } // this closing brace was missing in the original paste, which is what produced the parse error
    
 
 
I keep getting an error: Parse error: parse error in /Library/WebServer/Documents/mesc2015/mesc/gatedTEST/index.php on line 663
 
    }
    $log -> add_entry($search_log);
    $str = $dir_list -> __toString();
    echo new Display($str);
}
catch (ExceptionDisplay $e)
{
    echo $e;
}
catch (Exception $e)
{
    echo simple_display($e -> getMessage());
}
 

 

index.php

you should NOT store any static/fixed user information for login purposes in a cookie, since anyone stealing/capturing those cookie values can log in as the actual user until the values get changed, and I'm betting you don't want your users to keep changing their usernames and passwords in case someone has managed to get a copy of them.

 

you should also NOT store the username and hashed password in session variables. you should store the user's id (auto-increment database table column) in the session variable and use that id from the session variable to query for any other user information. this will allow the username to be edited by a moderator/admin to your site, without requiring the user to log out and back in again for the edit to take effect.

 

the way to implement a remember me system is to generate a unique random token when the user successfully logs in, store that in the user's row in the database table and store it in the cookie.

 

as part of the login check, if the current visitor is not logged in (no session variable with the user id), check if the cookie holding the token exists. if it does, query to find the row of data that matches the token value. if a row is found, fetch the user's id and store that in the session variable. all the rest of the code testing that session variable will remain the same.

 

next, using sha1() to hash passwords is not very secure, since it is easy with today's personal computers to quickly brute-force generate 'rainbow' tables of password values to hashes. you need to use php's password_hash() and password_verify() functions.

 

to convert current users, add a column to the users table to hold the new hash value. when a user tries to log in, if the user has a value in the new hash column, use that in the login code, using password_verify() to compare the submitted password value with the hash value. if they don't have a value in the new hash column, use the value from the existing hash column to perform the login check. if the old-hash login is successful, generate a new hash using password_hash(), store that in the new hash column, and clear the existing hash column.

Edited by mac_gyver
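The following is an added example, not code from the AutoIndex project or from either poster, that puts the reply above into working PHP: the random remember-me token stored in the user's row and in a cookie, the login check that falls back from the session user id to that cookie, and the sha1-to-password_hash() migration on first successful legacy login. Everything about the schema is assumed: a `users` table with `id`, `username`, `password_sha1` (legacy), `password_hash` (new) and `remember_token` columns, built here in an in-memory SQLite database with one constructed user so the script runs offline. One small addition to what the reply describes: the row stores a SHA-256 of the token rather than the raw value, so a leaked database copy does not hand out usable cookies.

```php
<?php
// Added example (not the AutoIndex project's code). Schema, column names and the
// sample user are assumptions constructed for this script.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password_sha1 TEXT,        -- legacy column, cleared once migrated
    password_hash TEXT,        -- password_hash() output
    remember_token TEXT        -- sha256 of the raw cookie token, or NULL
)');
// constructed sample user who still has only the legacy sha1 hash
$pdo->prepare('INSERT INTO users (username, password_sha1) VALUES (?, ?)')
    ->execute(['alice', sha1('correct horse')]);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL = 30 * 24 * 60 * 60; // 30 days; an assumed lifetime, not from the thread

// Verify a login against the new hash when present, otherwise against the legacy sha1;
// a successful legacy login is migrated to password_hash() and the sha1 column cleared.
function check_login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_sha1, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    if ($row['password_hash'] !== null) {
        return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
    }
    if ($row['password_sha1'] === null || !hash_equals($row['password_sha1'], sha1($password))) {
        return null;
    }
    $pdo->prepare('UPDATE users SET password_hash = ?, password_sha1 = NULL WHERE id = ?')
        ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    return (int) $row['id'];
}

// Issue a fresh random token: its hash goes in the user's row, the raw value in the cookie.
function issue_remember_token(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE users SET remember_token = ? WHERE id = ?')
        ->execute([hash('sha256', $token), $userId]);
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_TTL,
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Find the user id whose stored token matches the cookie value; null when no row matches.
function user_id_from_token(PDO $pdo, string $token): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE remember_token = ?');
    $stmt->execute([hash('sha256', $token)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Login check in the shape the reply describes: session user id first, cookie token second.
// Everything downstream keeps testing $_SESSION['user_id'] and nothing else.
function current_user_id(PDO $pdo): ?int
{
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        $id = user_id_from_token($pdo, (string) $_COOKIE[REMEMBER_COOKIE]);
        if ($id !== null) {
            $_SESSION['user_id'] = $id;
            return $id;
        }
    }
    return null;
}

// Walk-through on the constructed data (setcookie only sends a header inside a web request).
$id = check_login($pdo, 'alice', 'correct horse');    // legacy sha1 login, now migrated
$token = issue_remember_token($pdo, $id);
$_SESSION = [];                                        // simulate a brand-new browser session
$_COOKIE[REMEMBER_COOKIE] = $token;
echo current_user_id($pdo) === $id ? "remembered via token\n" : "not remembered\n";
$after = $pdo->query('SELECT password_sha1, password_hash FROM users WHERE id = 1')
             ->fetch(PDO::FETCH_ASSOC);
echo ($after['password_sha1'] === null && password_verify('correct horse', $after['password_hash']))
    ? "migrated to password_hash()\n" : "not migrated\n";
```

Run it with `php remember_me_example.php` (any filename; the `pdo_sqlite` extension is required). On a real site, clearing `remember_token` in the row on logout or password change invalidates every copy of the cookie at once, which is the property the reply is after: the cookie carries nothing the user would ever have to change by hand.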