Thread: Login System

    #1 (Registered User, joined Jan 2014)

    Login System


    Hi guys,
    I'm creating a login system and there is one small bug that I am trying to iron out, so any input is appreciated.
    Once I log out as a user, I get redirected to my login page like:
    http://localhost:8888/login-form/login.php?status=loggedout
    Now that I am logged out, if I try to "bypass" the login page and go straight to the index.php page (without logging in this time), I can still access the "secure" page (...not that secure), and I get the following message:


    Notice: Undefined index: status in /Applications/MAMP/htdocs/login-form/classes/membership.php on line 32

    Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/login-form/classes/membership.php:32) in /Applications/MAMP/htdocs/login-form/classes/membership.php on line 33
    You are Logged In User!!!!
    Log Out

    ----

    This is the code in membership.php (please see towards the end, where I have marked line 32 where I get the notice & warning message):

    PHP Code:
    require 'mysql.php';

    class Membership
    {
        function validate_user($un, $pwd){
            $mysql = new Mysql();
            $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));

            // if credentials returns true, log in to index page
            if($ensure_credentials) {
                $_SESSION['status'] = 'authorized';
                header("location: index.php");
                return true;
            } else return "Please enter a correct username and password";
        }

        function log_User_Out() {
            if(isset($_SESSION['status'])){
                unset($_SESSION['status']);

                if(isset($_COOKIE[session_name('Mylogin')])){
                    setcookie(session_name('Mylogin'), '', time() - 1000);
                    session_destroy();
                }
            }
        }

        function confirm_Member(){   // This is Line 32 where I am Getting the Notice Error
            session_start();
            if($_SESSION['status'] != 'authorized') {
                header("location: login.php");            //////////////// I think that this is the issue, and there are some more modified headers at the top of membership class
            }
        }
    }


    The code in my login.php page is:

    Code:
    <?php
    ob_start();
    session_start();
    
    require_once 'classes/membership.php';
    $membership = new Membership();
    
    //if clicked on log out link on index page
    if(isset($_GET['status']) && $_GET['status'] == 'loggedout'){
        $membership->log_User_Out();
    }
    
    //validate user
    if($_POST && !empty($_POST['username']) && !empty($_POST['pwd'])){
        $response = $membership->validate_user($_POST['username'], $_POST['pwd']);
    }
    
    
    ?>
    
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=uft-8" />
        
        <title>Login</title>
    
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> 
    </head>
    <body>
    <script type="text/javascript">
            
            $(function(){
            
                $('h4.alert').hide().fadeIn(700);
                $('<span class="exit"> X</span>').appendTo('h4.alert');
            
                $('span.exit').click(function(){
                    $(this).parent('h4.alert').fadeOut('slow');
                });
            
            });
            
    </script>
        
        <div id="login">
            
            <form method="post" action="">
                <h2>Login <small>enter your credentials</small></h2>
                <p>
                    <label for="name">Username: </label>
                    <input type="text" name="username" />
                </p>
                    <p>
                    <label for="pwd">Password: </label>
                    <input type="password" name="pwd" />
                </p>
                
                <p><input type="submit" id="submit" value="login" name="submit" /></p>
                
            </form>
            <?php if (isset($response)) echo "<h4 class='alert'>".$response."</h4> "; ?>
            
        </div>
    
    </body>
    </html>
    Any advice please?

    Thanks,
    Michel
    #2 (Devshed Expert, joined Jul 2012)
    Hi,

    the big mistake you make is that you don't have a die after the redirect. That means the code will keep running. And if the redirect fails because of prior output (in your case an error message), the user will even see the page content.

    Never, ever redirect without stopping the script afterwards.

    In fact, your whole control flow is far too fragile. You rely on some magical function to stop unauthorized users. But if that fails (like in your case), all the sensitive code will still be executed.

    You need a more robust approach:

    PHP Code:
    <?php
     
    if ($authorized)
    {
    	do_sensitive_stuff();
    }
    else
    {
    	header('Location: http://yourpage.com/');
    	die;
    }

    The next major issue is that you're using MD5 hashes. Seriously, haven't you heard the news? MD5 (or SHA or whatever) offers no protection at all. Anybody can break those hashes in a matter of minutes -- they can even search them on Google.

    You need a real password hashing algorithm like bcrypt.
    #3 (Contributing User, joined Jun 2009)
    I place the following code near the top of my site's top-level index.php file. This way the check is run no matter where they are on the site, unless they access an inner file directly, which then doesn't work for them anyway since required includes are not then included, as well as SESSION items, since they would not be set.
    Code:
    // isset() guard added so a missing ?loc= does not raise an undefined-index notice before header()
    if(!isset($_SESSION['user']) && (!isset($_GET['loc']) || $_GET['loc'] != 'login')) {
      header('Location: ?loc=login');
      exit;
    }
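    A hardened version of the OP's Membership class, written here as an added example rather than code from the thread, that applies the advice in #2 (stop the script after the redirect, replace MD5 with bcrypt via password_verify()) and #3 (gate the protected page before any output is sent). It assumes a hypothetical Mysql::fetch_password_hash($username) that returns the stored bcrypt hash for that user or null.

```php
<?php
// Added example, not the thread's code. Assumes a hypothetical Mysql class
// with fetch_password_hash($username) returning a bcrypt hash or null.
require 'mysql.php';

class Membership
{
    // Return true/false only; the caller (login.php) decides what to render.
    // The stored hash is created at registration with
    // password_hash($pwd, PASSWORD_BCRYPT), so MD5 is no longer involved.
    public function validate_user($un, $pwd)
    {
        $mysql = new Mysql();
        $hash  = $mysql->fetch_password_hash($un);   // hypothetical helper
        if ($hash !== null && password_verify($pwd, $hash)) {
            session_regenerate_id(true);             // new id after login
            $_SESSION['status'] = 'authorized';
            return true;
        }
        return false;
    }

    // Clear every session key and expire the session cookie before destroying
    // the server-side session, so a stale cookie cannot resurrect the login.
    public function log_User_Out()
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }

    // Gate for protected pages. isset() avoids the "Undefined index: status"
    // notice that, in the OP's version, was output before header() and broke
    // the redirect; exit guarantees nothing below the gate runs either way.
    public function confirm_Member()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (!isset($_SESSION['status']) || $_SESSION['status'] !== 'authorized') {
            header('Location: login.php');
            exit;
        }
    }
}
```

    Call confirm_Member() as the first statement of index.php, before any HTML is echoed; login.php can then show its own message when validate_user() returns false instead of relying on a redirect inside the class.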
