If I use token, it kills my script

I have two problems, one is with “token” the other is with “login”. I will only ask about token for now since it might fix my login problem at the same time.

Here is the token class:

<?php
class Token {

    // Create a fresh token, store it in the session under the configured name
    // and return it so the form can echo it into a hidden field.
    // (Relies on Session::put() returning the value it stored.)
    // Note: md5(uniqid()) is derived from the clock and is guessable;
    // random_bytes() is the proper source on PHP 7+.
    public static function generate() {
        return Session::put(Config::get('session/token_name'), md5(uniqid()));
    }

    // Return true only if a token exists in the session and the submitted value
    // matches it exactly; the stored token is then removed, so it is single-use.
    public static function check($token) {
        $tokenName = Config::get('session/token_name');

        if (Session::exists($tokenName) && $token === Session::get($tokenName)) {
            Session::delete($tokenName);
            return true;
        }
        return false;
    }
}
?>

Here is the form:

<form action="" method="post">
    <div class="field">
        <label for="username" class="label">Username</label>
        <input type="text" class="input" name="username" value="<?php echo escape (input::get('username'));?>" id="username" autocomplete="off">
    </div>
    <div class="field">
        <label for="password" class="label">Password</label>
        <input type="password" class="input" name="password" id"password" >
    </div>
    <div class="field">
        <label for="password_again" class="label">Repeat Password</label>
        <input type="password" class="input" name="password_again" id"password_again" >
    </div>
    <div class="field">
        <label for="name" class="label">Name</label>
        <input type="text" class="input" name="name" value="<?php echo escape (input::get('name'));?>" id="name" >
    </div>
    <input type="submit" value="Register">

    <input type="hidden"  name="token" value"<?php echo Token::generate();?>">
</form>

and here is the script:

<?php include ("core/init.php");

if (Input::exists()) {
    // Only process the submission if it carries the token issued with the form.
    if (Token::check(Input::get('token'))) {
        $validate = new Validate();
        $validation = $validate->check($_POST, array(
            'username' => array(
                'required' => true,
                'min'      => 2,
                'max'      => 20,
                'unique'   => 'associates'
            ),
            'password' => array(
                'required' => true,
                'min'      => 6
            ),
            'password_again' => array(
                'required' => true,
                'matches'  => 'password'
            ),
            'name' => array(
                'required' => true,
                'min'      => 2,
                'max'      => 50
            )
        ));

        if ($validation->passed()) {
            $user = new User();
            $salt = Hash::salt(32);

            try {
                $user->create(array(
                    'username' => Input::get('username'),
                    'password' => Hash::make(Input::get('password'), $salt),
                    'salt'     => $salt,
                    // The original 'Y-M-D' format yields a textual month and
                    // weekday, which MySQL rejects for a DATETIME column;
                    // lower-case m and d give the numeric form it expects.
                    'joined'   => date('Y-m-d H:i:s'),
                    'groupid'  => 1
                ));

                Session::flash('home', 'you registered successfully, you can now login.');
                Redirect::to('index.php');
            } catch (Exception $e) {
                // Shows the raw exception text to the client; log it instead in production.
                die($e->getMessage());
            }
        } else {
            foreach ($validation->errors() as $error) {
                echo $error, '<br />';
            }
        }
    }
}
?>

and finally the init file

<?php
session_start();

$GLOBALS['config'] = array(

    'mysql' => array(
        'host'     => '127.0.0.1',
        // Connecting as root gives the web app every privilege on the server;
        // a dedicated account limited to the sfdb database is the safer choice.
        'username' => 'root',
        'password' => 'rootpass',
        'db'       => 'sfdb'
    ),
    'remember' => array(
        'cookie_name'   => 'hash',
        'cookie_expiry' => 604800
    ),
    'session' => array(
        'session_name' => 'user',
        'token_name'   => 'token'
    )

);

// Autoload classes/<Name>.php on first use. The original string '.php ' had a
// trailing space, so PHP looked for 'Token.php ' (with a space), which does
// not exist on Linux.
spl_autoload_register(function ($class) {
    require_once 'classes/' . $class . '.php';
});

// Helpers such as escape() are plain functions, so load them once here rather
// than on every autoload.
require_once 'functions/sanitize.php';
?>

The problem that I am having is that the form and script work perfectly, but the second if statement checking the token messes up the whole script. I can't validate, I can't register users in the database, just nothing happens; I am only left with the form and the two sticky echo statements in name and username. The script is not working. But if I comment out the if statement, everything works fine. Can anyone see why that would be?

I'm confused as to why your form and script are separate files that don't seem to call each other at any point.

Other than that…

        <input type="hidden"  name="token" value"<?php echo Token::generate();?>">

I spy with my little eye a missing character near “value”.


Yes, I noticed the missing "=" just after I posted my message. I corrected the form with all the missing "=". Unfortunately it is still not working.

Instead of looking for flaws, could anyone recommend me a good book that would teach me how to debug my application?

It’s not really a question of reading a book.

Debugging is usually just the same pattern:

Identify an area where the problem appears to be occurring.
Determine the value of appropriate variables entering that space (Check your Input.)
Determine the command flow within that space (Check your Logic)
Determine the resulting values from that section, if applicable (Check your Output)
Refine problem area, Repeat.

Your best friends will be echo and var_dump.

In your case: You believe you identified (I think… still a little confused by your opening post) that the line causing the issue is:

if(Token::check(Input::get('token'))){

So… break the line down. Directly before this line, var_dump(Input::get('token')) to make sure it contains the value you expect (appears to be expecting a string);
then var_dump(Token::check(Input::get('token'))) and make sure it's outputting the boolean you expect.

Also… why does the check() function delete a session if you match the session name and a session exists, and doesn't create a new one? Is that the desired logic?

I isolated the code just to show what involves the token. I have a method called create() in the User class that does all the work in the background. It's not shown in this script.

Thank you for pointing out a way of getting at the problem. I don't know what I did, but I changed a few things and, while testing another area of the script, I ended up fixing the problem. I have no idea how I did it lol, but whatever I did worked lol.
To answer your question about the session being deleted: a new session token gets created each time a page opens. So in essence, once the token has been validated, it is no longer needed, since it's used for making sure the page gets called from my site and not from another with malicious code.
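The single-use token the reply above describes, written out as an added example (not the original poster's code, nor the tutorial framework it follows): it keeps the same generate/check shape but draws the value from random_bytes() instead of md5(uniqid()), compares with hash_equals(), deletes the stored token only after a successful match, and renders the hidden field with the "=" that the posted form was missing. The CsrfToken class, its array-backed store standing in for $_SESSION and the Session class, the expect() helper and the self-test data are all assumptions made for this example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread or the tutorial it follows.
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable types). The session is
// simulated with a plain array so the script runs from the CLI without
// session_start(); a real app would pass $_SESSION instead.
declare(strict_types=1);

final class CsrfToken
{
    // Same key the thread's config uses for 'session/token_name'.
    public const NAME = 'token';

    private $store;

    // $store stands in for $_SESSION / the Session class (assumption).
    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    // Issue a new token: 32 bytes from the CSPRNG, hex-encoded, saved in the
    // session and returned so the form can echo it into the hidden field.
    public function generate(): string
    {
        $token = bin2hex(random_bytes(32));
        $this->store[self::NAME] = $token;
        return $token;
    }

    // Verify a submitted token. hash_equals() runs in constant time, so a
    // mismatch does not leak how many leading characters were right. On
    // success the stored token is deleted, so the same value cannot be
    // replayed; on failure it is left alone, mirroring the thread's check().
    public function check(?string $submitted): bool
    {
        if ($submitted === null || !isset($this->store[self::NAME])) {
            return false;
        }
        if (!hash_equals($this->store[self::NAME], $submitted)) {
            return false;
        }
        unset($this->store[self::NAME]);
        return true;
    }

    // Render the hidden field: value= with the "=" present, and the value
    // HTML-escaped before it goes into the attribute.
    public function hiddenField(): string
    {
        return '<input type="hidden" name="' . self::NAME . '" value="'
            . htmlspecialchars($this->generate(), ENT_QUOTES, 'UTF-8') . '">';
    }
}

// Minimal check helper so the self-test does not depend on zend.assertions.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Self-test on constructed data (no web server needed).
$session = [];
$csrf = new CsrfToken($session);

$field = $csrf->hiddenField();
expect((bool) preg_match('/ value="([0-9a-f]{64})"/', $field, $m), 'hidden field carries a 64-hex-char token');
$token = $m[1];

expect($csrf->check($token) === true,  'first submission with the issued token passes');
expect($csrf->check($token) === false, 'replaying the same token fails: it was deleted on use');
expect($csrf->check(null) === false,   'request with no token field at all fails');

$csrf->generate();
expect($csrf->check('') === false,              'empty value fails (what a value"..." attribute with no = submits)');
expect($csrf->check('not-the-token') === false, 'wrong value fails');
expect(isset($session['token']),                'a failed check leaves the stored token in place');

echo "all checks passed\n";
```

Run it with `php csrf_example.php`. In the thread's layout the array would be replaced by $_SESSION after session_start(), hiddenField() would be echoed inside the form, and check(Input::get('token')) would sit where the register script already calls Token::check(). The two substitutions matter: uniqid() is the microsecond clock, so md5(uniqid()) is guessable by anyone who can estimate when the page was served, and a plain === comparison on a secret is a (small) timing side channel that hash_equals() removes.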
