CodeIgniter Forums
Login Controller/Model - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Libraries & Helpers (https://forum.codeigniter.com/forum-22.html)
+--- Thread: Login Controller/Model (/thread-4485.html)



Login Controller/Model - El Forum - 11-27-2007

[eluser]wiredesignz[/eluser]
Session library must be autoloaded.

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Login extends Controller {

    function Login()
    {
        parent::Controller();
        $this->load->model('security');
    }
    
    function index()
    {
        if ($_POST)
        {
            $attempt->username = $this->input->post('username', TRUE); //use XSS filter
            $attempt->password = md5($this->input->post('password', TRUE)); //hash the password
            
            if ($this->security->try_login($attempt))
            {        
                redirect('home');
            }
        }
        
        $data = array(
            'username' => '',
            'password' => '',
            'message' => 'Enter your Username & Password to continue'
        );
        
        $this->load->view('login', $data);
    }
}
?>

Code:
<?php  if (!defined('BASEPATH')) exit('No direct script access allowed');

class Security extends Model {
    
    function Security()
    {
        parent::Model();
    }
    
    function current_user()
    {
        $user = $this->session->userdata('user');
        
        //check if current user detail is not changed/deleted
        if ($this->try_login($user))
        {
            return $this->session->userdata('user');
        }
    }
    
    function try_login($attempt)
    {
        if ($attempt->password)    
        {
            //prevent SQL injection in username
            $attempt->username = $this->db->escape($attempt->username);

            //find username
            $query = $this->db->query("SELECT * FROM `users` WHERE `username` = {$attempt->username}");
            $user = $query->row();
            
            //check password & create user object in session if ok
            if ($user->password == $attempt->password)    
            {
                $user->category = strToLower($user->category); //user role
                $this->session->set_userdata('user', $user);
                return TRUE;
            }
        }
        
        //otherwise bail
        $this->session->sess_destroy();
        redirect('login');
    }
}
?>

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Home extends Controller {

    function Home()
    {
        parent::Controller();
        $this->load->model('security');
     }
    
    function index()
    {        
        $user = $this->security->current_user();

Any thoughts?


Login Controller/Model - El Forum - 11-28-2007

[eluser]Michael Wales[/eluser]
You are storing passwords in plain-text. :bug:


Login Controller/Model - El Forum - 11-28-2007

[eluser]wiredesignz[/eluser]
Nice catch.

Yes I am, what are the potential problems?


Login Controller/Model - El Forum - 11-28-2007

[eluser]tonanbarbarian[/eluser]
You should always store passwords hashed
either md5 or some other function like sha1

If the password is stored in plain text then any SQL injection attack could be used to retrieve the password if you are not careful.

Also you might want to salt the password before you store it, and check it. Salting also helps with other exploits.
Some hackers will use an SQL injection attack to get the password hash, and then they will use online tools to see if they can determine a valid password that matches the hash, or they will try a brute force system to look for valid plain text that matches the hash.

If you are not aware there could theoretically be multiple strings that match any given hash.
The MD5 hash of the letter 'a' => 0cc175b9c0f1b6a831c399e269772661 could also be the same hash as the entire works of Willian Shakespear. It probably isnt but it is possible.

To salt the password you have a config option that is the salt string.
You then add the salt to the plain text before you encrypt
i.e.

$hash = md5($this->config->item('password_salt').$password);


Login Controller/Model - El Forum - 11-28-2007

[eluser]wiredesignz[/eluser]
Thanks. I've added MD5 hashing to the login controller and database.

Code:
$attempt->password = md5($this->input->post('password', TRUE)); //hash the password



Login Controller/Model - El Forum - 11-28-2007

[eluser]eedfwChris[/eluser]
[quote author="tonanbarbarian" date="1196261609"]To salt the password you have a config option that is the salt string.
You then add the salt to the plain text before you encrypt
i.e.

$hash = md5($this->config->item('password_salt').$password);[/quote]

I think he missed your salt addition...

It is highly recommended that you also add a "SALT" (see Salt) to your password (or even md5 string) otherwise the password could easily be cracked using Rainbow tables (see Rainbow Tables). Storing JUST a md5 (or sha1) only slightly makes cracking more difficult.

Adding a "SALT" usually renders a rainbow table useless.


Login Controller/Model - El Forum - 11-28-2007

[eluser]eedfwChris[/eluser]
That's lame the forums strip brackets in URLs and then don't allow ) (? search for "Salt Cryptography" on wikipedia..


Login Controller/Model - El Forum - 11-28-2007

[eluser]wiredesignz[/eluser]
Thanks. I did see it. Will do some research.


Login Controller/Model - El Forum - 11-28-2007

[eluser]Michael Wales[/eluser]
I made a post in these forums about using Salts as well - just do a search for 'security salt' - should come up that way.


Login Controller/Model - El Forum - 11-30-2007

[eluser]Senso[/eluser]
You're storing the whole 'users' row in the cookie? That's probably not a good idea.