Login

Marcolino92 · 08-16-2017, 12:25 AM

Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.

I tried with password_hash and then password_verify, but I missed something in the code.

You could help me improve my login, I'm not going to make it super safe, but also the least.

At this time, this is the files in the controller and the model:

PHP Code:

   public function index() {
        $this->admin_model->isLoggedIn();
        $this->load->view('admin/index');
    }
    
    public function login(){

        $username = $this->input->post('username');
        $password = $this->input->post('password');
        
        //call the model for auth
        if($this->admin_model->login($username, $password)){
            redirect('admin/index');
        }

        else {
            $this->load->view('admin/login');
        }
    } 

admin_model.php

PHP Code:

   public function login($username, $password) { 
        $this->db->where('username', $username);
        $this->db->where('password', $password);
        $query = $this->db->get('user');
        if($query->num_rows()==1){
            foreach ($query->result() as $row){
                $data = array(
                            'username'=> $row->username,
                            'logged_in'=>TRUE
                        );
            }
            $this->session->set_userdata($data);
            return TRUE;
        }
        else{
            return FALSE;
      }    
    }
        
    public function isLoggedIn(){
            $is_logged_in = $this->session->userdata('logged_in');
            if(!isset($is_logged_in) || $is_logged_in!==TRUE)
            {
                redirect('admin/login');
                exit;
            }
    } 

Thanks for your help

Paradinight · 08-16-2017, 12:38 AM

(08-16-2017, 12:25 AM)Marcolino92 Wrote: Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.

I tried with password_hash and then password_verify, but I missed something in the code.

You could help me improve my login, I'm not going to make it super safe, but also the least.

At this time, this is the files in the controller and the model:

PHP Code:

public function index() { $this->admin_model->isLoggedIn(); $this->load->view('admin/index'); } public function login(){ $username = $this->input->post('username'); $password = $this->input->post('password'); //call the model for auth if($this->admin_model->login($username, $password)){ redirect('admin/index'); } else { $this->load->view('admin/login'); } }

admin_model.php

PHP Code:

public function login($username, $password) { $this->db->where('username', $username); $this->db->where('password', $password); $query = $this->db->get('user'); if($query->num_rows()==1){ foreach ($query->result() as $row){ $data = array( 'username'=> $row->username, 'logged_in'=>TRUE ); } $this->session->set_userdata($data); return TRUE; } else{ return FALSE; } } public function isLoggedIn(){ $is_logged_in = $this->session->userdata('logged_in'); if(!isset($is_logged_in) || $is_logged_in!==TRUE) { redirect('admin/login'); exit; } }

Thanks for your help

https://community-auth.com/
https://github.com/benedmunds/CodeIgniter-Ion-Auth

Back to the problem:
- save the hash in the database.
- select the user by the username/email and not by the password
- check the password with password_verify

Diederik · 08-16-2017, 01:12 AM

First you should always store a (salted) hash of the password, not the password itself. You then compare the hash of the posted password to the stored hash. That way if your site goes get hacked the attacker cannot use the login credentials of your users on other sites for example.
Second, you should validate your users input before using it.

But seriously, I doubt your skill level is at the level it should be in order to create a secured login feature. I would advise you to implement an existing auth library. I use Ion auth in all my projects.

Marcolino92 · 08-16-2017, 01:41 AM

I've already tried with "ion auth" but I need to create a personalized and slimmed class, so I'd like to avoid book it already ready because I only need the login system and the method to see if the user is logged in.

Marcolino92 · 08-16-2017, 01:59 AM

This?

PHP Code:

public function login($username, $password) { 
        
        $query = $this->db->get_where('user', array('username'=>$username));
        $row = $query->row();
        
        if($query->num_rows()==1) {
            if(password_verify(stripslashes($password), $row->password)) {     
                $data = array(
                    'username'=> $row->username,
                    'logged_in'=>TRUE
                );  
                $this->session->set_userdata($data);
                return TRUE;
            } 
            else {
                return FALSE;
            }   
        } else {
            return FALSE;
        } 
    } 

Diederik · 08-16-2017, 02:23 AM

You could use your own controller and only use the login function of the ion auth library.

Your controller could be:

PHP Code:

<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class Admin extends CI_Controller {


    public function __construct()
    {
        parent::__construct();
        $this->load->library('ion_auth');

        $this->data = array( 'error' => '' );

    }

    public function index() 
    {
        
        if (!$this->ion_auth->is_admin()) {
            
            redirect('admin/login');
        }

        $this->load->view('admin/index');
    }
    
    public function login()
    {

        if (!empty($_POST)) {

            // Setup validation
            $this->form_validation->set_rules('username', 'Username', 'trim|required|valid_email');
            $this->form_validation->set_rules('password', 'Password', 'required|min_length[8]');

            if ($this->form_validation->run() === true) {
                
                // check the credentials
                if ($this->ion_auth->login($this->input->post('username'), $this->input->post('password'), ) ){

                    redirect('admin/index');

                } else {

                    // Credentials are not correct
                    $this->data['error'] = $this->ion_auth->errors();
                }
             }  else {

                // Input is invalid
                $this->data['error'] = validation_errors();
             }
        }
        
        $this->load->view('admin/login', $this->data);
        // You can echo $error in your view to print the error message.
    } 
} 

InsiteFX · 08-16-2017, 03:39 AM

password_hash adds it's own salt in the hash.

InsiteFX · 08-17-2017, 03:29 AM

Here is a good read on Secure logins

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)

Login
Username:
Password:	Lost Password?
	Remember me