SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Zealot ablueman's Avatar
    Join Date
    Jun 2005
    Posts
    178
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Authentication using cookies and MD5 password.

    Hi,

    After a long time not playing with it I have picked up my website project and been fiddling with it to try and get it to work the way I want.

    I am now trying to make an automatic login, using the existing script which was session and user based. By using cookies. For this project the security issue presented by using cookies isn't important.

    So..
    Code:
    <?php 
    // access.php
    session_start(); ?>
    
    <?php 
    if (!dbcnx)
    {
    include_once 'dbcnx.php';
    }
    else
    {
    include_once './security/dbcnx.php';
    }
    // Logged in function
    
    function loggedIn()
    {
      return isset($_SESSION['authorized']);
    }
    
    //Process login attempt
    
    if (isset($_COOKIE['ablueman'])){
    
    if($_COOKIE ['ablueman'] != ""){
    
    $usrpass = $_COOKIE['ablueman'];
    $usrpass = explode(",", $usrpass);
    
    $cusername = $usrpass[0];
    $cupassword = $usrpass[1];
    
    	}
    } 
    
    if (isset($_POST['username']) ||  isset($cusername)	) {
    $username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'] ;
    $upassword = isset($_POST['upassword']) ? $_POST['upassword'] : $_SESSION['upassword'] ;
    
    
    	// SELECT statement  -----------FIRST ATTEMPT ------- No PASSWORD or MD5
    	$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$upassword'";
    	
    	$result = mysql_query($sql);
    	while ($results = mysql_fetch_array($result)) 
    	{
      	$uid		= $results['uid'];
    	$username	= $results['username'];
    	$ulevel		= $results['ulevel'];
    	}
    
    	// SELECT statement ------------SECOND ATTEMPT ------- PASSWORD and MD5	
    	if (mysql_num_rows($result) == 0) {
    
      	$upassword = md5 ($upassword);
      	$sql = "SELECT * FROM users WHERE username = '$username' AND upassword = PASSWORD('$upassword')";
      	
    	$result = mysql_query ($sql);
    	while ($results = mysql_fetch_array($result)) 
    	{
      	$uid		= $results['uid'];
    	$username	= $results['username'];
    	$ulevel		= $results['ulevel'];
    	} 
    
    	// SELECT statement ------------SECOND ATTEMPT ------- PASSWORD and MD5	- COOKIE
    	if (mysql_num_rows($result) == 0) {
      	$username = $cusername;
      	$upassword = md5 ($cupassword);
      	$sql = "SELECT * FROM users WHERE username = '$username' AND upassword = PASSWORD('$upassword')";
      	
    	$result = mysql_query ($sql);
    	while ($results = mysql_fetch_array($result)) 
    	{
      	$uid		= $results['uid'];
    	$username	= $results['username'];
    	$ulevel		= $results['ulevel'];
    	}
    echo $username;
    echo MD5($upassword);
    
    }
    	
    }
    		
    	if (mysql_num_rows($result) == 0) 
    		{
    		unset($_SESSION['username']);
    		unset($_SESSION['upassword']); 
    		echo "What we are dealing with here is a failure to communicate.(Unset Usr/Pass)";
    		}
    
    // Session variables to add once logged in.
    	if (mysql_num_rows($result) != 0 )
    		{
    		$_SESSION['authorized'] = TRUE;
    		$_SESSION['uid'] 		= $uid;
    		$_SESSION['username'] 	= $username;
    		$_SESSION['ulevel']		= $ulevel;	
    		$cookie = array($_SESSION['username'], md5($upassword), 'MD5');
    		$usrpass = implode(",", $cookie);
    
    	//echo $comma_separated; // username, password, md5
    
    	// Empty string when using an empty array:
    	//var_dump(implode('Hello', array())); // string(0) ""
    
    	 setcookie("ablueman", $usrpass , time() + 31536000);	
    
    		}
    	}
    
    // Process logout
    if (isset($_REQUEST['logout'])) 
    	{
      	unset($_SESSION['authorized']);
    	unset($_SESSION['uid']);
    	unset($_SESSION['username']);
    	unset($_SESSION['ulevel']);
    	}
    ?>
    The problem I am getting is that the cookie is correctly storing the details so I get the correct username and md5(password) echoing. But it doesn't find it in the SQL database. I presume Im either presenting the md5 password wrong or requesting it incorrectly. Can someone give me a pointer. This was an authentication script from Kevin Yanks book many many moons ago.

    Thanks in advance.

    Andy

  2. #2
    SitePoint Addict
    Join Date
    Sep 2006
    Posts
    238
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Try

    PHP Code:
    md5($upassword
    instead of:

    PHP Code:
    PASSWORD('$upassword'

  3. #3
    SitePoint Zealot ablueman's Avatar
    Join Date
    Jun 2005
    Posts
    178
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Jaynesh View Post
    Try

    PHP Code:
    md5($upassword
    instead of:

    PHP Code:
    PASSWORD('$upassword'
    I actually did try this but I may have a second go tonight to make sure it was not something else that was broken at the time which has since been fixed.

    No matter what I try it seems to get mysql_num_rows($result) == 0;

    Thanks for the assistance though.

    EDIT: Yes I did try this and it did not fix the issue.

    If I am echoing the md5(password) from the cookie and echoing the md5(password) from the sql attempt. Im right in saying they will look different is that correct?

  4. #4
    SitePoint Addict
    Join Date
    Sep 2006
    Posts
    238
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    hmm maybe try this..


    PHP Code:
    $sql "SELECT * FROM users WHERE (username = '".$username."') AND (upassword = '".md5($upassword)."')"
    if that doesn't work, try copying and pasting one of your passwords in to pin point where the actual problem could be. e.g


    PHP Code:
    $sql "SELECT * FROM users WHERE (username = '".$username."') AND (upassword = '42348SDJKFNSFDKSDF32')"

  5. #5
    SitePoint Zealot
    Join Date
    Jan 2011
    Location
    Portland
    Posts
    148
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    have you tried to run the query with your database client such as phpmyadmin or workbench or what ever you use just try to run the query and make sure you are getting what you want. Also you might want to escape those variables as if they are quoted already your query will end up with double quotes witch will cause the query to fail. also you should var_dump your query make sure your getting a resource or a boolean.

  6. #6
    SitePoint Zealot ablueman's Avatar
    Join Date
    Jun 2005
    Posts
    178
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by jgetner View Post
    have you tried to run the query with your database client such as phpmyadmin or workbench or what ever you use just try to run the query and make sure you are getting what you want. Also you might want to escape those variables as if they are quoted already your query will end up with double quotes witch will cause the query to fail. also you should var_dump your query make sure your getting a resource or a boolean.
    Had a little play with this last night. Managed to get it working by using exactly the same code but striping out all MD5 pretty much. Looks like I had a mismatch caused by somehow double md5'ing a value somewhere. Now I just need to work out how to re-md5 without breaking it.

    Thanks for your help and sorry that it turns out it was so obvious. I appreciate you pointing out things to look for though, ultimately it did lead me to stripping the code down to bare bones and finding the problem.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •