CodeIgniter Forums
Improved secure login form - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Model-View-Controller (https://forum.codeigniter.com/forumdisplay.php?fid=10)
+--- Thread: Improved secure login form (/showthread.php?tid=68709)

Improved secure login form - Marcolino92 - 08-15-2017

Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.

I tried with password_hash and then password_verify, but I missed something in the code.

You could help me improve my login, I'm not going to make it super safe, but also the least.

At this time, this is the files in the controller and the model:

PHP Code:
   public function index() {
        $this->admin_model->isLoggedIn();
        $this->load->view('admin/index');
    }
    
    public function login(){

        $username $this->input->post('username');
        $password $this->input->post('password');
        
        //call the model for auth
        if($this->admin_model->login($username$password)){
            redirect('admin/index');
        }

        else {
            $this->load->view('admin/login');
        }
    

admin_model.php

PHP Code:
   public function login($username$password) { 
        $this->db->where('username'$username);
        $this->db->where('password'$password);
        $query $this->db->get('user');
        if($query->num_rows()==1){
            foreach ($query->result() as $row){
                $data = array(
                            'username'=> $row->username,
                            'logged_in'=>TRUE
                        );
            }
            $this->session->set_userdata($data);
            return TRUE;
        }
        else{
            return FALSE;
         
    }
        
    public function isLoggedIn(){
            $is_logged_in $this->session->userdata('logged_in');
            if(!isset($is_logged_in) || $is_logged_in!==TRUE)
            {
                redirect('admin/login');
                exit;
            }
    

Thanks for your help

RE: Improved secure login form - Paradinight - 08-15-2017

(08-15-2017, 11:25 PM)Marcolino92 Wrote: Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.

I tried with password_hash and then password_verify, but I missed something in the code.

You could help me improve my login, I'm not going to make it super safe, but also the least.

At this time, this is the files in the controller and the model:

PHP Code:
   public function index() {
        $this->admin_model->isLoggedIn();
        $this->load->view('admin/index');
    }
    
    public function login(){

        $username $this->input->post('username');
        $password $this->input->post('password');
        
        //call the model for auth
        if($this->admin_model->login($username$password)){
            redirect('admin/index');
        }

        else {
            $this->load->view('admin/login');
        }
    

admin_model.php

PHP Code:
   public function login($username$password) { 
        $this->db->where('username'$username);
        $this->db->where('password'$password);
        $query $this->db->get('user');
        if($query->num_rows()==1){
            foreach ($query->result() as $row){
                $data = array(
                            'username'=> $row->username,
                            'logged_in'=>TRUE
                        );
            }
            $this->session->set_userdata($data);
            return TRUE;
        }
        else{
            return FALSE;
         
    }
        
    public function isLoggedIn(){
            $is_logged_in $this->session->userdata('logged_in');
            if(!isset($is_logged_in) || $is_logged_in!==TRUE)
            {
                redirect('admin/login');
                exit;
            }
    

Thanks for your help

https://community-auth.com/
https://github.com/benedmunds/CodeIgniter-Ion-Auth


Back to the problem:
- save the hash in the database.
- select the user by the username/email and not by the password
- check the password with password_verify

RE: Improved secure login form - Diederik - 08-16-2017

First you should always store a (salted) hash of the password, not the password itself. You then compare the hash of the posted password to the stored hash. That way if your site goes get hacked the attacker cannot use the login credentials of your users on other sites for example.
Second, you should validate your users input before using it.

But seriously, I doubt your skill level is at the level it should be in order to create a secured login feature. I would advise you to implement an existing auth library. I use Ion auth in all my projects.

RE: Improved secure login form - Marcolino92 - 08-16-2017

I've already tried with "ion auth" but I need to create a personalized and slimmed class, so I'd like to avoid book it already ready because I only need the login system and the method to see if the user is logged in.

RE: Improved secure login form - Marcolino92 - 08-16-2017

This?

PHP Code:
public function login($username$password) { 
        
        $query $this->db->get_where('user', array('username'=>$username));
        $row $query->row();
        
        if($query->num_rows()==1) {
            if(password_verify(stripslashes($password), $row->password)) {     
                $data = array(
                    'username'=> $row->username,
                    'logged_in'=>TRUE
                );  
                $this->session->set_userdata($data);
                return TRUE;
            
            else {
                return FALSE;
              
        } else {
            return FALSE;
        
    


RE: Improved secure login form - Diederik - 08-16-2017

You could use your own controller and only use the login function of the ion auth library.

Your controller could be:
PHP Code:
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class Admin extends CI_Controller {


    public function __construct()
    {
        parent::__construct();
        $this->load->library('ion_auth');

        $this->data = array( 'error' => '' );

    }

    public function index() 
    {
        
        if (!$this->ion_auth->is_admin()) {
            
            redirect('admin/login');
        }

        $this->load->view('admin/index');
    }
    
    public function login()
    {

        if (!empty($_POST)) {

            // Setup validation
            $this->form_validation->set_rules('username''Username''trim|required|valid_email');
            $this->form_validation->set_rules('password''Password''required|min_length[8]');

            if ($this->form_validation->run() === true) {
                
                // check the credentials
                if ($this->ion_auth->login($this->input->post('username'), $this->input->post('password'), ) ){

                    redirect('admin/index');

                } else {

                    // Credentials are not correct
                    $this->data['error'] = $this->ion_auth->errors();
                }
              else {

                // Input is invalid
                $this->data['error'] = validation_errors();
             }
        }
        
        $this->load->view('admin/login'$this->data);
        // You can echo $error in your view to print the error message.
    



RE: Improved secure login form - InsiteFX - 08-16-2017

password_hash adds it's own salt in the hash.

RE: Improved secure login form - InsiteFX - 08-17-2017

Here is a good read on Secure logins

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)