+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: General (https://forum.codeigniter.com/forumdisplay.php?fid=1)
+--- Forum: Regional User Groups (https://forum.codeigniter.com/forumdisplay.php?fid=25)
+--- Thread: Can login even though the password is wrong (/showthread.php?tid=73190)
Can login even though the password is wrong - firas - 03-28-2019
Hello, I just noticed that when I login into my system using a wrong password, I can still log in the system, but when I put a wrong username, I can't log in into the system. Can someone help me check what did i do wrong T_T. Thanks in advance !
Controller :
Code:
//login user
public function login(){
$data['title'] = 'Sign In';
$this->form_validation->set_rules('username', 'Username', 'required');
$this->form_validation->set_rules('password', 'Password', 'required');
if($this->form_validation->run() === FALSE)
{
$this->load->view('templates/header');
$this->load->view('users/login', $data);
$this->load->view('templates/footer');
} else {
//Get username
$username = $this->input->post('username');
//Get and encrypt the password
$password = $this->bcrypt->verify('password');
// Login user
$user_id = $this->user_model->login($username, $password);
if($user_id){
// Create Session
$user_data = array(
'user_id' => $user_id,
'username' => $username,
'logged_in' => true
);
$this->session->set_userdata($user_data);
// set message
$this->session->set_flashdata('user_loggedin','You are now log in');
redirect('home');
}else {
// set message
$this->session->set_flashdata('login_failed','Login is invalid');
redirect('users/login');
}
}
}Model :
Code:
//Login user in
public function login($username, $password){
$this->db->where('username', $username);
$this->db->where('password', $password);
$result = $this->db->get('omg_user');
if($result->num_rows() == 1){
return $result->row(0)->user_id;
} else {
return false;
}
}custom bcrypt libraries :
Code:
<?php
class Bcrypt {
private $rounds;
public function __construct($rounds = 12) {
if(CRYPT_BLOWFISH != 1) {
throw new Exception("bcrypt not supported in this installation. See http://php.net/crypt");
}
$this->rounds = $rounds;
}
public function hash($input) {
$hash = crypt($input, $this->getSalt());
if(strlen($hash) > 13)
return $hash;
return false;
}
public function verify($input, $existingHash) {
$hash = crypt($input, $existingHash);
return $hash === $existingHash;
}
private function getSalt() {
$salt = sprintf('$2a$%02d$', $this->rounds);
$bytes = $this->getRandomBytes(16);
$salt .= $this->encodeBytes($bytes);
return $salt;
}
private $randomState;
private function getRandomBytes($count) {
$bytes = '';
if(function_exists('openssl_random_pseudo_bytes') &&
(strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')) { // OpenSSL slow on Win
$bytes = openssl_random_pseudo_bytes($count);
}
if($bytes === '' && is_readable('/dev/urandom') &&
($hRand = @fopen('/dev/urandom', 'rb')) !== FALSE) {
$bytes = fread($hRand, $count);
fclose($hRand);
}
if(strlen($bytes) < $count) {
$bytes = '';
if($this->randomState === null) {
$this->randomState = microtime();
if(function_exists('getmypid')) {
$this->randomState .= getmypid();
}
}
for($i = 0; $i < $count; $i += 16) {
$this->randomState = md5(microtime() . $this->randomState);
if (PHP_VERSION >= '5') {
$bytes .= md5($this->randomState, true);
} else {
$bytes .= pack('H*', md5($this->randomState));
}
}
$bytes = substr($bytes, 0, $count);
}
return $bytes;
}
private function encodeBytes($input) {
// The following is code from the PHP Password Hashing Framework
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$output = '';
$i = 0;
do {
$c1 = ord($input[$i++]);
$output .= $itoa64[$c1 >> 2];
$c1 = ($c1 & 0x03) << 4;
if ($i >= 16) {
$output .= $itoa64[$c1];
break;
}
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 4;
$output .= $itoa64[$c1];
$c1 = ($c2 & 0x0f) << 2;
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 6;
$output .= $itoa64[$c1];
$output .= $itoa64[$c2 & 0x3f];
} while (1);
return $output;
}
}RE: Can login even though the password is wrong - jreklund - 03-29-2019
In your controller:
Code:
$password = $this->bcrypt->verify('password');In your bcrypt library:
Code:
public function verify($input, $existingHash) {
$hash = crypt($input, $existingHash);
return $hash === $existingHash;
}You are't passing an existing hash into your verifying function.
You need to do:
1. Get and store username and password from user in a variable
2. Fetch a user based on username
3. Verify user inputted password against the one stored in database
Tip:
Remove your library and use standard functions instead
https://www.php.net/manual/en/function.password-hash.php
https://www.php.net/manual/en/function.password-verify.php
In case you aren't on PHP7 upgrade now! Or don't...
https://github.com/ircmaxell/password_compat
RE: Can login even though the password is wrong - InsiteFX - 03-31-2019
You should be using the new PHP password_hash() and password_verify() methods.