• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Improved secure login form

#1
Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.

I tried with password_hash and then password_verify, but I missed something in the code.

You could help me improve my login, I'm not going to make it super safe, but also the least.

At this time, this is the files in the controller and the model:

PHP Code:
   public function index() {
 
       $this->admin_model->isLoggedIn();
 
       $this->load->view('admin/index');
 
   }
 
   
    public 
function login(){

 
       $username $this->input->post('username');
 
       $password $this->input->post('password');
 
       
        
//call the model for auth
 
       if($this->admin_model->login($username$password)){
 
           redirect('admin/index');
 
       }

 
       else {
 
           $this->load->view('admin/login');
 
       }
 
   

admin_model.php

PHP Code:
   public function login($username$password) { 
 
       $this->db->where('username'$username);
 
       $this->db->where('password'$password);
 
       $query $this->db->get('user');
 
       if($query->num_rows()==1){
 
           foreach ($query->result() as $row){
 
               $data = array(
 
                           'username'=> $row->username,
 
                           'logged_in'=>TRUE
                        
);
 
           }
 
           $this->session->set_userdata($data);
 
           return TRUE;
 
       }
 
       else{
 
           return FALSE;
 
        
    
}
 
       
    public 
function isLoggedIn(){
 
           $is_logged_in $this->session->userdata('logged_in');
 
           if(!isset($is_logged_in) || $is_logged_in!==TRUE)
 
           {
 
               redirect('admin/login');
 
               exit;
 
           }
 
   

Thanks for your help
Reply

#2
(08-16-2017, 12:25 AM)Marcolino92 Wrote: Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.

I tried with password_hash and then password_verify, but I missed something in the code.

You could help me improve my login, I'm not going to make it super safe, but also the least.

At this time, this is the files in the controller and the model:

PHP Code:
   public function index() {
 
       $this->admin_model->isLoggedIn();
 
       $this->load->view('admin/index');
 
   }
 
   
    public 
function login(){

 
       $username $this->input->post('username');
 
       $password $this->input->post('password');
 
       
        
//call the model for auth
 
       if($this->admin_model->login($username$password)){
 
           redirect('admin/index');
 
       }

 
       else {
 
           $this->load->view('admin/login');
 
       }
 
   

admin_model.php

PHP Code:
   public function login($username$password) { 
 
       $this->db->where('username'$username);
 
       $this->db->where('password'$password);
 
       $query $this->db->get('user');
 
       if($query->num_rows()==1){
 
           foreach ($query->result() as $row){
 
               $data = array(
 
                           'username'=> $row->username,
 
                           'logged_in'=>TRUE
                        
);
 
           }
 
           $this->session->set_userdata($data);
 
           return TRUE;
 
       }
 
       else{
 
           return FALSE;
 
        
    
}
 
       
    public 
function isLoggedIn(){
 
           $is_logged_in $this->session->userdata('logged_in');
 
           if(!isset($is_logged_in) || $is_logged_in!==TRUE)
 
           {
 
               redirect('admin/login');
 
               exit;
 
           }
 
   

Thanks for your help

https://community-auth.com/
https://github.com/benedmunds/CodeIgniter-Ion-Auth



Back to the problem:
- save the hash in the database.
- select the user by the username/email and not by the password
- check the password with password_verify
Reply

#3
First you should always store a (salted) hash of the password, not the password itself. You then compare the hash of the posted password to the stored hash. That way if your site goes get hacked the attacker cannot use the login credentials of your users on other sites for example.
Second, you should validate your users input before using it.

But seriously, I doubt your skill level is at the level it should be in order to create a secured login feature. I would advise you to implement an existing auth library. I use Ion auth in all my projects.
Reply

#4
I've already tried with "ion auth" but I need to create a personalized and slimmed class, so I'd like to avoid book it already ready because I only need the login system and the method to see if the user is logged in.
Reply

#5
This?

PHP Code:
public function login($username$password) { 
 
       
        $query 
$this->db->get_where('user', array('username'=>$username));
 
       $row $query->row();
 
       
        if
($query->num_rows()==1) {
 
           if(password_verify(stripslashes($password), $row->password)) {     
                $data 
= array(
 
                   'username'=> $row->username,
 
                   'logged_in'=>TRUE
                
);  
                $this
->session->set_userdata($data);
 
               return TRUE;
 
           
 
           else {
 
               return FALSE;
 
             
        
} else {
 
           return FALSE;
 
       
 
   
Reply

#6
You could use your own controller and only use the login function of the ion auth library.

Your controller could be:
PHP Code:
<?php
defined
('BASEPATH') OR exit('No direct script access allowed');

class 
Admin extends CI_Controller {


 
   public function __construct()
 
   {
 
       parent::__construct();
 
       $this->load->library('ion_auth');

 
       $this->data = array( 'error' => '' );

 
   }

 
   public function index() 
 
   {
 
       
        if 
(!$this->ion_auth->is_admin()) {
 
           
            redirect
('admin/login');
 
       }

 
       $this->load->view('admin/index');
 
   }
 
   
    public 
function login()
 
   {

 
       if (!empty($_POST)) {

 
           // Setup validation
 
           $this->form_validation->set_rules('username''Username''trim|required|valid_email');
 
           $this->form_validation->set_rules('password''Password''required|min_length[8]');

 
           if ($this->form_validation->run() === true) {
 
               
                
// check the credentials
 
               if ($this->ion_auth->login($this->input->post('username'), $this->input->post('password'), ) ){

 
                   redirect('admin/index');

 
               } else {

 
                   // Credentials are not correct
 
                   $this->data['error'] = $this->ion_auth->errors();
 
               }
 
             else {

 
               // Input is invalid
 
               $this->data['error'] = validation_errors();
 
            }
 
       }
 
       
        $this
->load->view('admin/login'$this->data);
 
       // You can echo $error in your view to print the error message.
 
   

Reply

#7
password_hash adds it's own salt in the hash.
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )
Reply

#8
Here is a good read on Secure logins

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2017 MyBB Group.