
Adding a "Remember Me" to Justin Hagstrom AutoIndexer


pocahontas13jb


My company has used Justin Hagstrom AutoIndexer for years, but it was mentioned that a "Remember Me" function would be handy. I of course took on the task thinking a simple tutorial would be a teaching element and I could help solve the problem. I think I bit off more than I can chew.

 

    $log_login = false;
    if (USE_LOGIN_SYSTEM && isset($_POST['username'], $_POST['password'])
        && $_POST['username'] != '' && $_POST['password'] != '')
    {
        $you = new UserLoggedIn($_POST['username'], sha1($_POST['password']));
        $log_login = true;
        $_SESSION['password'] = sha1($_POST['password']);
        unset($_POST['password']);
        $_SESSION['username'] = $_POST['username'];
    }
    else if (USE_LOGIN_SYSTEM && isset($_SESSION['username'], $_SESSION['password']))
    {
        $you = new UserLoggedIn($_SESSION['username'], $_SESSION['password']);
    }
    else if (USE_LOGIN_SYSTEM && isset($_COOKIE['username'], $_COOKIE['password']))
    {
        // note: the cookies written below are named "user" and "pass", so this branch never sees them
        $you = new UserLoggedIn($_COOKIE['username'], $_COOKIE['password']);
    }
    else
    {
        $you = new User();
        if (MUST_LOGIN_TO_DOWNLOAD && USE_LOGIN_SYSTEM)
        {
            $str = '<p>You must login to view and download files. </p>'
            . '<table border="0" cellpadding="8" cellspacing="0">'
            . '<tr class="paragraph"><td class="autoindex_td">'
            . $you -> login_box() . '</td></tr></table>';
            echo new Display($str);
            die();
        }
    }

    // "Remember me" block
    if (!empty($_POST["remember"]))
    {
        // note: $_POST['password'] was unset() above, so the "pass" cookie is written empty here
        setcookie("user", $_POST["username"], time() + (10 * 365 * 24 * 60 * 60));
        setcookie("pass", $_POST["password"], time() + (10 * 365 * 24 * 60 * 60));
    }
    else
    {
        if (isset($_COOKIE["user"]))
        {
            setcookie("user", "");
        }
        if (isset($_COOKIE["pass"]))
        {
            setcookie("pass", "");
        }
    } // this closing brace was missing, which is what produces the parse error further down the file
I keep getting an error: Parse error: parse error in /Library/WebServer/Documents/mesc2015/mesc/gatedTEST/index.php on line 663
 
    }
    $log -> add_entry($search_log);
    $str = $dir_list -> __toString();
    echo new Display($str);
}
catch (ExceptionDisplay $e)
{
    echo $e;
}
catch (Exception $e)
{
    echo simple_display($e -> getMessage());
}
 

 


you should NOT store any static/fixed user information for login purposes in a cookie, since anyone stealing/capturing those cookie values can log in as the actual user until the values get changed, and I'm betting you don't want your users to keep changing their usernames and passwords in case someone has managed to get a copy of them.

 

you should also NOT store the username and hashed password in session variables. you should store the user's id (auto-increment database table column) in the session variable and use that id from the session variable to query for any other user information. this will allow the username to be edited by a moderator/admin to your site, without requiring the user to log out and back in again for the edit to take effect.

 

the way to implement a remember me system is to generate a unique random token when the user successfully logs in, store that in the user's row in the database table and store it in the cookie.

 

as part of the login check, if the current visitor is not logged in (no session variable with the user id), check if the cookie holding the token exists. if it does, query to find the row of data that matches the token value. if a row is found, fetch the user's id and store that in the session variable. all the rest of the code testing that session variable will remain the same.

 

next, using sha1() to hash passwords is not very secure since it is easy with today's personal computers to quickly brute force generate 'rainbow' tables of password values to hashes. you need to use php's password_hash() and password_verify() functions.

 

to convert current users, add a column to the users table to hold the new hash value. when a user tries to log in, if the user has a value in the new hash column, use that in the login code, using password_verify() to compare the submitted password value with the hash value. if they don't have a value in the new hash column, use the value from the existing hash column to perform the login check. if the old-hash login is successful, generate a new hash using password_hash(), store that in the new hash column, and clear the existing hash column.
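The token-based remember-me and the sha1 to password_hash() migration described in the reply above, put together as an added example. It is neither AutoIndex's code nor the reply author's. It assumes a users table with id, username, old_hash, new_hash and remember_token columns and a cookie named "remember" (all assumed names), and it uses an in-memory SQLite database through PDO with one constructed user so that it runs on its own from the command line (php remember.php).

```php
<?php
// Added example, not AutoIndex code and not the reply author's code: token-based
// "remember me" plus a sha1 -> password_hash() migration, following the reply above.
// Table and column names are assumed; the database is in-memory SQLite via PDO.

const REMEMBER_COOKIE = 'remember';          // cookie name, assumed
const REMEMBER_TTL    = 30 * 24 * 60 * 60;   // 30 days; the post used 10 years

// Open the database once and seed it with one constructed user holding a legacy sha1 hash.
// old_hash is cleared after migration; remember_token holds sha256(token), never the token.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT UNIQUE NOT NULL, old_hash TEXT, new_hash TEXT, remember_token TEXT)');
        $pdo->prepare('INSERT INTO users (username, old_hash) VALUES (?, ?)')
            ->execute(['alice', sha1('correct horse')]);   // constructed sample row
    }
    return $pdo;
}

// Verify a password: new_hash rows use password_verify(); legacy rows are checked against
// old_hash and, on success, rehashed with password_hash() and old_hash is cleared.
function checkLogin(string $username, string $password): ?int
{
    $stmt = db()->prepare('SELECT id, old_hash, new_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($row['new_hash'] !== null) {
        return password_verify($password, $row['new_hash']) ? (int) $row['id'] : null;
    }
    if ($row['old_hash'] === null || !hash_equals($row['old_hash'], sha1($password))) {
        return null;
    }
    db()->prepare('UPDATE users SET new_hash = ?, old_hash = NULL WHERE id = ?')
        ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    return (int) $row['id'];
}

// Issue a remember-me token: the random value goes to the browser, only its sha256 to the
// user's row, so a copy of the table does not yield usable cookies. Returns the token.
function issueRememberToken(int $userId): string
{
    $token = bin2hex(random_bytes(32));
    db()->prepare('UPDATE users SET remember_token = ? WHERE id = ?')
        ->execute([hash('sha256', $token), $userId]);
    if (PHP_SAPI !== 'cli') {   // no headers to send when run from the command line
        setcookie(REMEMBER_COOKIE, $token, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $token;
}

// Map a cookie token back to a user id, or null when no row matches.
function userIdFromToken(string $token): ?int
{
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;
    }
    $stmt = db()->prepare('SELECT id FROM users WHERE remember_token = ?');
    $stmt->execute([hash('sha256', $token)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// The login check the reply describes: the session holds only the user id, and the cookie
// is consulted only when there is no session. $session stands in for $_SESSION.
function establishSession(array &$session, array $post, array $cookie): ?int
{
    if (isset($session['user_id'])) {
        return (int) $session['user_id'];
    }
    $id = null;
    if (isset($post['username'], $post['password'])) {
        $id = checkLogin($post['username'], $post['password']);
        if ($id !== null && !empty($post['remember'])) {
            issueRememberToken($id);
        }
    } elseif (isset($cookie[REMEMBER_COOKIE])) {
        $id = userIdFromToken($cookie[REMEMBER_COOKIE]);
    }
    if ($id !== null) {
        $session['user_id'] = $id;
    }
    return $id;
}

// Stand-alone run: a legacy login migrates the hash, then the token alone logs the user in.
if (PHP_SAPI === 'cli') {
    $session = [];
    $id = establishSession($session, ['username' => 'alice', 'password' => 'correct horse'], []);
    $token = issueRememberToken($id);   // what the browser would have stored
    $session = [];                      // a later visit with no session
    $again = establishSession($session, [], [REMEMBER_COOKIE => $token]);
    $row = db()->query("SELECT old_hash, new_hash FROM users WHERE username = 'alice'")->fetch(PDO::FETCH_ASSOC);
    printf("form login: %s, cookie login: %s, migrated: %s\n", var_export($id, true),
        var_export($again, true), var_export($row['old_hash'] === null && $row['new_hash'] !== null, true));
}
```

Because only the user id ends up in the session, every later check of that session variable stays as it is, which is the point the reply makes. On logout the row's remember_token should be set back to NULL and the cookie expired, so a captured token stops working at the same time as the session.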
