Improved secure login form - Marcolino92 - 08-15-2017
Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.
I tried with password_hash and then password_verify, but I missed something in the code.
Could you help me improve my login? I'm not going to make it super safe, but at least a little.
At this time, these are the files in the controller and the model:
PHP Code:
public function index()
{
    $this->admin_model->isLoggedIn();
    $this->load->view('admin/index');
}

public function login()
{
    $username = $this->input->post('username');
    $password = $this->input->post('password');
    // call the model for auth
    if ($this->admin_model->login($username, $password)) {
        redirect('admin/index');
    } else {
        $this->load->view('admin/login');
    }
}
admin_model.php
PHP Code:
public function login($username, $password)
{
    // the posted password is compared directly with the stored column (plain text, as described above)
    $this->db->where('username', $username);
    $this->db->where('password', $password);
    $query = $this->db->get('user');
    if ($query->num_rows() == 1) {
        foreach ($query->result() as $row) {
            $data = array(
                'username'  => $row->username,
                'logged_in' => TRUE
            );
        }
        $this->session->set_userdata($data);
        return TRUE;
    } else {
        return FALSE;
    }
}

public function isLoggedIn()
{
    $is_logged_in = $this->session->userdata('logged_in');
    if (!isset($is_logged_in) || $is_logged_in !== TRUE) {
        redirect('admin/login');
        exit;
    }
}
Thanks for your help
RE: Improved secure login form - Paradinight - 08-15-2017
(08-15-2017, 11:25 PM)Marcolino92 Wrote: Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.
https://community-auth.com/
https://github.com/benedmunds/CodeIgniter-Ion-Auth
Back to the problem:
- save the hash in the database.
- select the user by the username/email and not by the password
- check the password with password_verify
RE: Improved secure login form - Diederik - 08-16-2017
First you should always store a (salted) hash of the password, not the password itself. You then compare the hash of the posted password to the stored hash. That way if your site does get hacked the attacker cannot use the login credentials of your users on other sites, for example.
Second, you should validate your users input before using it.
But seriously, I doubt your skill level is at the level it should be in order to create a secured login feature. I would advise you to implement an existing auth library. I use Ion auth in all my projects.
RE: Improved secure login form - Marcolino92 - 08-16-2017
I've already tried "ion auth", but I need to create a personalized and slimmed-down class, so I'd like to avoid a ready-made library because I only need the login system and the method to see if the user is logged in.
RE: Improved secure login form - Marcolino92 - 08-16-2017
This?
PHP Code:
public function login($username, $password)
{
    $query = $this->db->get_where('user', array('username' => $username));
    $row = $query->row();
    if ($query->num_rows() == 1) {
        if (password_verify(stripslashes($password), $row->password)) {
            $data = array(
                'username'  => $row->username,
                'logged_in' => TRUE
            );
            $this->session->set_userdata($data);
            return TRUE;
        } else {
            return FALSE;
        }
    } else {
        return FALSE;
    }
}
RE: Improved secure login form - Diederik - 08-16-2017
You could use your own controller and only use the login function of the ion auth library.
Your controller could be:
PHP Code:
<?php defined('BASEPATH') OR exit('No direct script access allowed');

class Admin extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->library('ion_auth');
        $this->load->library('form_validation'); // needed for set_rules()/run() below
        $this->data = array('error' => '');
    }

    public function index()
    {
        if (!$this->ion_auth->is_admin()) {
            redirect('admin/login');
        }
        $this->load->view('admin/index');
    }

    public function login()
    {
        if (!empty($_POST)) {
            // Setup validation
            $this->form_validation->set_rules('username', 'Username', 'trim|required|valid_email');
            $this->form_validation->set_rules('password', 'Password', 'required|min_length[8]');

            if ($this->form_validation->run() === true) {
                // check the credentials
                if ($this->ion_auth->login($this->input->post('username'), $this->input->post('password'))) {
                    redirect('admin/index');
                } else {
                    // Credentials are not correct
                    $this->data['error'] = $this->ion_auth->errors();
                }
            } else {
                // Input is invalid
                $this->data['error'] = validation_errors();
            }
        }
        $this->load->view('admin/login', $this->data);
        // You can echo $error in your view to print the error message.
    }
}
RE: Improved secure login form - InsiteFX - 08-16-2017
password_hash adds its own salt in the hash.
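Putting Paradinight's three points (store the hash, select by username only, check with password_verify), Diederik's advice about hashing, and the salt note above into one runnable script: this is an added example, not code from this thread, from CodeIgniter or from Ion Auth. It uses plain PDO with an in-memory SQLite database so it runs without a web server or framework; the table name user and the username/password columns are taken from the thread, while the function names, the dummy-hash trick for unknown users and the sample credentials are assumptions.

```php
<?php
// Added example (not from the thread, CodeIgniter or Ion Auth):
// stand-alone PDO + SQLite script showing hash-on-register, lookup-by-username,
// verify-on-login. Table/column names follow the thread; the rest is assumed.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL
    )');
    return $db;
}

// Step 1: store only the hash. password_hash() generates a random salt
// and embeds it in the returned string, so no separate salt column is needed.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Steps 2 and 3: select by username only (never by password), then let
// password_verify() compare the submitted password against the stored hash.
function login(PDO $db, string $username, string $password): bool
{
    // Assumed defensive detail: verify against a dummy hash when the user does
    // not exist, so a wrong username costs the same time as a wrong password.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, username, password FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // If PHP's default algorithm or cost has changed since the hash was
    // stored, replace it now while the plain password is still available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    return true;
}

// Constructed sample run.
$db = openDb();
registerUser($db, 'marco', 'correct horse battery staple');

var_dump(login($db, 'marco', 'correct horse battery staple')); // right password
var_dump(login($db, 'marco', 'wrong password'));               // wrong password
var_dump(login($db, 'nobody', 'anything'));                    // unknown user

// Salt demonstration: hashing the same password twice yields two different
// strings, and both still verify, because each hash carries its own salt.
$h1 = password_hash('same password', PASSWORD_DEFAULT);
$h2 = password_hash('same password', PASSWORD_DEFAULT);
var_dump($h1 !== $h2);
var_dump(password_verify('same password', $h1) && password_verify('same password', $h2));
```

Run it with `php login_example.php` (any name you like). The first var_dump is true, the next two are false, and the two salt checks are both true. In a CodeIgniter model the same three steps map onto `get_where('user', array('username' => $username))`, `password_verify()` and `set_userdata()`, as in the attempt posted earlier in this thread; the dummy-hash and rehash steps are extras, not something the thread asked for.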
RE: Improved secure login form - InsiteFX - 08-17-2017
Here is a good read on secure logins:
Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)