Sessions Login Problem


26 replies to this topic

#1 Braunson

Braunson

    Young Padawan

  • Members
  • Pip
  • 237 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 03 September 2007 - 09:18 PM

I'm using this script in the same way basically on another 'website'. Now when I want to use it on this page with a few different variables it doesn't seem to want to work logically.

Problem: I login with random info, it gives me error message, that is good. Now when I enter the correct username, and either a random password or no password at all, it still logs me in.

I'm losing my mind. Here's the code, lose yours too, if you haven't already!

<?php

 if($_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks']){

	  echo "<p>Welcome back, $username.</p>";
	  if($_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks'] && $_SESSION['tdxuser'] && $logged['member_group'] >= 1){ memberPanel(); }

	   }else{

   if(isset($_POST['login'])){
	   $username = htmlspecialchars($_POST['username'], ENT_QUOTES);
	   $password = htmlspecialchars($_POST['password'], ENT_QUOTES);
	   $password = xcrypt($password);
	   $error = "<p>Sorry, you are unable to login because you have entered your username/password combination wrong. Please check spelling & try again.</p>";
	   $sql = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password' LIMIT 1");

	   if(isset($username) && isset($password) && $username !== '' && $password !== ''){

	   if(mysql_num_rows($sql) !== 0){

		   		$_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks'] = true;
			 	$_SESSION['tdxuser'] = $username;
			 	$_SESSION['tdxpass'] = $password;
			recordAdmin("Logged In"); 

			   	echo "<p>Welcome back, $username.</p>";
			echo "<div id=\"loading\"></div>";
			echo "<meta http-equiv=\"refresh\" content=\"1\">";
			echo "<p></p>";

	   }else{
		   echo $error;
	   }

	   }else{
		   echo $error;
	   }

   }else{

		   ?>


			<div id="adminlogin">	
			<h1>TD Admin Control Panel</h1>
			<form action="" method="post" name="login" style="height: 90px;">
			<p>
			<img src="<?=$domain;?>/images/locked.png" align="left">
		<table border="0" cellspacing="2" cellpadding="10">
			<tr>
				<td align="right">Username:</td>
				<td><input name="username" type="text" class="textbox" size="35"></td>
			</tr>
			<tr>
				<td align="right">Password:</td>
				<td><input name="password" type="password" class="textbox" size="35"></td>
			</tr>
		</table>
		<table border="0" cellspacing="0" cellpadding="5" align="right">
			<tr>
				<td><input type="submit" name="login" value="Log In Administrator" style="font-weight: bold; width:100%; padding-left: 10px; padding-right: 10px; padding-top: 5px; padding-bottom: 5px;"></td>
			</tr>
		</table>
			</p>
			</form>
			</div>


	   <?php
	   }
	   }
	   ?>

All help is appreciated. :) :)

Edited by Braunson, 08 September 2007 - 10:40 PM.


#2 rc69

rc69

    PHP Master PD

  • P2L Staff
  • PipPipPipPip
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 03 September 2007 - 10:57 PM

$_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks']
I have seen a lot of strange things in my life. Strange people, strange questions, strange problems... But i have to say, what the hell is that?! Not trying to be rude, but there's a difference between attempting to prevent hacking, and creating an absurdly long key for an array. I guess having lost your mind might explain a bit though... meh.

$sql = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password' LIMIT 1");
To me, that's the key part. Aside from the fact that your username and password variables are guaranteed to be set (set, but empty), and potentially less likely to be strings (ref: type comparison), if it gets past the SQL query, then you must have a match to something.

A. Check your database, make sure the user has a password.
B. Show us the code for the xcrypt(); function. Don't know how much of a difference it'll make, but who does?

Edited by rc69, 03 September 2007 - 10:59 PM.


#3 Braunson

Posted 04 September 2007 - 08:23 AM

1. The user has a password.
2. It's a stupid encryption. Works elsewhere so if you really need it...
3. Any way to make this more secure?!

Thanks rc.

#4 rc69

Posted 05 September 2007 - 11:34 PM

Again with the type comparisons!!
if(mysql_num_rows($sql) !== 0){
Just realized you did that. Type comparison like that is a nice feature. It has the potential to make applications more secure when used correctly, but when being used with functions, you have to make sure you know what you're doing.

If you read through the type comparison chart that i gave you, you would know this:
0 === 0; // True
false === false; // True
false !== 0; // True
So, you see a potential problem yet? Let me continue...

mysql_num_rows — Get number of rows in result
...
Return Values
The number of rows in a result set on success, or FALSE on failure.

In other words, unless you are more than 100% positive you know what type a variable/function will be at every given moment, try and stick to using equality comparisons (!=) rather than type comparisons (!==).

From there, we can start doing some simple debugging, you already broke the golden rule:
$sql = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password' LIMIT 1") or die(mysql_error());
Change your if-statement and sql query as suggested, then let us know what happens.

Edited by rc69, 05 September 2007 - 11:35 PM.


#5 Braunson

Posted 06 September 2007 - 04:31 PM

Okay, I've done that now. I still have that problem where I can enter nothing in the fields and it says error, but when I enter a registered username in the user field and a random password or no password, it still logs me in.

Also how would I make my sessions more 'secure' here other than using... tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks

My Updated Code:
<?php

 if($_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks']){

	  echo "<p>Welcome back, $username.</p>";
	  if($_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks'] && $_SESSION['tdxuser'] && $logged['member_group'] >= 1){ memberPanel(); }

	   }else{

   if(isset($_POST['login'])){
	   $username = htmlspecialchars($_POST['username'], ENT_QUOTES);
	   $password = htmlspecialchars($_POST['password'], ENT_QUOTES);
	   $password = xcrypt($password);
	   $error = "<p>Sorry, you are unable to login because you have entered your username/password combination wrong. Please check spelling & try again.</p>";

	   $sql = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password' LIMIT 1") or die(mysql_error());

	   if(isset($username) && isset($password) && $username !== '' && $password !== ''){

	   if(mysql_num_rows($sql) != false){

		   		$_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks'] = true;
			 	$_SESSION['tdxuser'] = $username;
			 	$_SESSION['tdxpass'] = $password;
			recordAdmin("Logged In"); 

			   	echo "<p>Welcome back, $username.</p>";
			echo "<div id=\"loading\"></div>";
			echo "<meta http-equiv=\"refresh\" content=\"1\">";
			echo "<p></p>";

	   }else{
		   echo $error;
	   }

	   }else{
		   echo $error;
	   }

   }else{

		   ?>


			<div id="adminlogin">	
			<h1>TD Admin Control Panel</h1>
			<form action="" method="post" name="login" style="height: 90px;">
			<p>
			<img src="<?=$domain;?>/images/locked.png" align="left">
		<table border="0" cellspacing="2" cellpadding="10">
			<tr>
				<td align="right">Username:</td>
				<td><input name="username" type="text" class="textbox" size="35"></td>
			</tr>
			<tr>
				<td align="right">Password:</td>
				<td><input name="password" type="password" class="textbox" size="35"></td>
			</tr>
		</table>
		<table border="0" cellspacing="0" cellpadding="5" align="right">
			<tr>
				<td><input type="submit" name="login" value="Log In Administrator" style="font-weight: bold; width:100%; padding-left: 10px; padding-right: 10px; padding-top: 5px; padding-bottom: 5px;"></td>
			</tr>
		</table>
			</p>
			</form>
			</div>


	   <?php
	   }
	   }
	   ?>


#6 rc69

Posted 06 September 2007 - 09:19 PM

<?php
if($_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks']){
	echo "<p>Welcome back, $username.</p>";
	if($_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks'] && $_SESSION['tdxuser'] && $logged['member_group'] >= 1){
		memberPanel();
	}
}else{
	if(isset($_POST['login'])){
		$username = htmlspecialchars($_POST['username'], ENT_QUOTES);
		$password = htmlspecialchars($_POST['password'], ENT_QUOTES);
		$password = xcrypt($password);

		if(!empty($username) && !empty($password)){
			$sql = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password' LIMIT 1") or die(mysql_error());
			if(mysql_num_rows($sql) > 0){
				$_SESSION['tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks'] = true;
				$_SESSION['tdxuser'] = $username;
				$_SESSION['tdxpass'] = $password;
				recordAdmin("Logged In"); 

				echo "<p>Welcome back, $username.</p>"
					."<div id=\"loading\"></div>"
					."<meta http-equiv=\"refresh\" content=\"1\"><p></p>";
			}else{
				echo "<p>Sorry, you are unable to login because you have entered your username/password combination wrong. Please check spelling & try again.</p>";
			}
		}else{
			echo '<p>Please enter a username and password.</p>';
		}
	}else{
?>
That's just the first block of php. Don't know how much that will help, but at least we can narrow down where the error is.

It helps to differentiate your errors enough that you can tell the difference, but it doesn't give away anything specific.

Also, i can't help when it comes to securing your sessions. There are way too many things to look at, plus my understanding is only amateur at best. I can tell you this much though, that id thing, is just a pain, not a security feature.

Edited by rc69, 06 September 2007 - 09:21 PM.


#7 Braunson

Posted 06 September 2007 - 09:46 PM

Hmm, okay, well, thanks for the security answer. And now about the username problem hmm =\ :o

#8 rc69

Posted 08 September 2007 - 12:20 PM

Did you try the code i posted? Which error showed up...?

#9 Braunson

Posted 08 September 2007 - 01:50 PM

Hmm, still does the same thing using your code... No errors showed up. :closedeyes:

#10 rc69

Posted 08 September 2007 - 03:13 PM

If no errors showed up then i'm afraid i don't know what else to do. How it gets past the mysql_query() with random info is beyond me.

#11 Braunson

Posted 08 September 2007 - 04:54 PM

Not random info. If I enter random info, it gives me an error. It only logs me in if I enter a registered username. The password field is blank or doesn't matter what it is.

#12 Demonslay

Demonslay

    P2L Jedi

  • Members
  • PipPipPip
  • 973 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 08 September 2007 - 05:51 PM

Hmm, at this point, since I can't see anything wrong, and neither can rc, I'd say you might wanna show us the code to your xcrypt() function, as rc asked before. Never know, there could be something funny that might be SQL injecting yourself. :P

Only thing I can think of, as everything else looks fine.

#13 Braunson

Posted 08 September 2007 - 08:00 PM

Okay, here's the encryption, yes it's dumb. Let me know of any ways I can make it a more secure encryption. Yes it could be called 'rainbow tables'.

function xcrypt($string){
$string = stripslashes($string);
$string = strip_tags($string);
$salt = "24jk5h345j6hw0e34096zz3hc65s34f7sdf87984nxc425495";
$string = md5($password . $salt); 
$string = sha1($string);
$string = base64_encode($string);
  return $string;
}


#14 Demonslay

Posted 08 September 2007 - 08:09 PM

Hmm, still don't see anything wrong with it.
Other than the fact you can shorten it quite a bit (I'm bored...).
function xcrypt($string){
  $salt = '24jk5h345j6hw0e34096zz3hc65s34f7sdf87984nxc425495';
  return base64_encode(sha1(md5(strip_tags(stripslashes($string)) . $salt)));
}

If you still can't figure anything out, I'd try basic debugging (var_dump() on any involved variables, reversing and testing logic conditions, basic stuff), and making sure your error_reporting() is at an appropriate level.

#15 Braunson

Posted 08 September 2007 - 08:54 PM

Okay.
I've added error_reporting("E_ALL"); and this is what came up when i loaded the login page. (unloggedin)

Notice: A session had already been started - ignoring session_start() in /home/public_html/lib/configuration.lib.php on line 7

Notice: Undefined index: tdxuser in /home/public_html/lib/configuration.lib.php on line 23

Notice: Undefined index: users in /home/public_html/lib/configuration.lib.php on line 28

Notice: Undefined index: user in /home/public_html/lib/functions.lib.php on line 146

Notice: Undefined index: tdauthaisd84093875973490687h34908tdj038475609dnuidlkndsfjks in /home/public_html/administration/index.php on line 30



#16 Hayden

Hayden

    P2L Jedi

  • Members
  • PipPipPip
  • 717 posts
  • Gender:Male
  • Location:Texas

Posted 08 September 2007 - 09:10 PM

Okay, here's the encryption, yes it's dumb. Let me know of any ways I can make it a more secure encryption. Yes it could be called 'rainbow tables'.

function xcrypt($string){
$string = stripslashes($string);
$string = strip_tags($string);
$salt = "24jk5h345j6hw0e34096zz3hc65s34f7sdf87984nxc425495";
$string = md5($password . $salt); 
$string = sha1($string);
$string = base64_encode($string);
  return $string;
}


I think RC would say to just...
function xcrypt($string){
$string = stripslashes($string);
$string = strip_tags($string);
  return md5($string).sha1($string);
}
and forget the salt.

Not sure why you care about stripslashes and strip_tags if you're running it through the md5 function though.

#17 rc69

Posted 08 September 2007 - 10:25 PM

LMAO!!

function xcrypt($string){
$string = stripslashes($string);
$string = strip_tags($string);
$salt = "24jk5h345j6hw0e34096zz3hc65s34f7sdf87984nxc425495";
$string = md5($password . $salt);
$string = sha1($string);
$string = base64_encode($string);
return $string;
}

While i have to agree with Spatial's opinion about my opinion, did anybody notice a problem with his xcrypt() function?
I'm not laughing at anybody in particular, i'm just laughing at the irony. As it turns out, salt is the downfall of this function.

$password isn't a global, therefore xcrypt() always md5's the salt only (which always remains the same), and therefore always returns the same $string, regardless of input.
Naturally, Demonslay would have accidentally fixed this with his code and not have required any more work. Spatial's would have worked (and would be my preferred method), but would require some updates in the database.

:P

p.s. Get rid of the stripslashes() and strip_tags() functions... they are beyond pointless here :)

Edited by rc69, 08 September 2007 - 10:30 PM.
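
Added example (not part of the thread and not the posters' code): the scoping bug rc69 describes, reproduced with xcrypt() as posted, next to a login check built on PHP's password_hash() and password_verify(). The names xcrypt_as_posted, register_user and check_login, the sample credentials and the in-memory SQLite table are assumptions for illustration; it needs the pdo_sqlite extension.

```php
<?php
// Added example; not code from the thread. Sample credentials are constructed.

// xcrypt() as posted: $password does not exist inside the function, so PHP
// substitutes null (and raises a diagnostic) and only the salt gets hashed.
function xcrypt_as_posted($string) {
    $string = stripslashes($string);
    $string = strip_tags($string);
    $salt = "24jk5h345j6hw0e34096zz3hc65s34f7sdf87984nxc425495";
    $string = md5($password . $salt);
    $string = sha1($string);
    return base64_encode($string);
}

// Collect PHP's diagnostics instead of letting them print mid-output.
$diagnostics = [];
set_error_handler(function ($errno, $errstr) use (&$diagnostics) {
    $diagnostics[] = $errstr;
    return true;
});
$a = xcrypt_as_posted("correct horse");
$b = xcrypt_as_posted("");
restore_error_handler();

var_dump($a === $b);         // do two different passwords produce one value?
echo $diagnostics[0], "\n";  // the undefined-variable message PHP raised

// Replacement: per-user salted hash, fetched by username and verified in PHP.
// The hash cannot go in the WHERE clause because its salt is random per row.
function register_user(PDO $db, string $user, string $pass): void {
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();  // false when the username does not exist
    return is_string($hash) && password_verify($pass, $hash);
}

$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
register_user($db, "admin", "correct horse");

// Right password, empty password, wrong password, unknown user.
var_dump(check_login($db, "admin", "correct horse"));
var_dump(check_login($db, "admin", ""));
var_dump(check_login($db, "admin", "random guess"));
var_dump(check_login($db, "nobody", "correct horse"));
```

Values already stored by the posted xcrypt() contain no information about the password, so moving to this scheme means setting each account's password again.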


#18 Braunson

Posted 08 September 2007 - 10:35 PM

So could that possibly be the problem? hahaa That was the problem. Rofl thank you.

Edited by Braunson, 08 September 2007 - 11:46 PM.


#19 Hayden

Posted 08 September 2007 - 11:17 PM

I got playing with rc's idea about just stacking the md5 encryption and sha1 encryption side by side and expanded on it.

function sv1($str) {
	$md5 = md5($str);
	$sha1 = sha1($str);
	$newpass = "";
	for($i=0; $i<strlen($sha1); $i++) {
		$newpass .= substr($md5, $i, 1).substr($sha1, $i, 1);
	}
	return $newpass;
}
and came up with this. basically blends the two together. it seems to fit here and thought I'd see what everyone thought.

:P

#20 Demonslay

Posted 09 September 2007 - 11:40 AM

LOL.

Wow, that is so funny how we all completely missed what actually happened there, but ended up fixing it out of complete ignorance.

My style tends to use as few variables as possible when I don't need them, thus why I stack functions like crazy, lol.

Well, might as well close this one before it gets into a debate on security and encryption algorithms; unless Braunson has further inquiries that is.

Oh and as a side-note for ya Spatial, you might wanna cache that strlen() in your for loop there and optimize it.

for($i=0, $len=strlen($sha1); $i < $len; $i++){
// ...
}

Now I don't see how effective that will be really, since sha1() and md5() output different sized strings. So the loop will essentially be grabbing absolutely nothing from the md5()'s string after the 32nd iteration.
To fix this, you could either append onto the md5 string by the 8 character difference with some random salt, or you could have a second variable that will then reset itself so that it starts from the beginning of the md5 string after it reaches the end.

Edited by Demonslay, 09 September 2007 - 11:48 AM.




