Login

I made a login script. It was working at first, then I added a few things to the code to make it more protective. Now I can't log in. I keep on getting "A critical session or form token post was not set|".

I have 2 PHP files with a JavaScript file.

1st php file

[php]<?php
include_once("check_login_status.php"); // assumed to call session_start() and set $user_ok
if($user_ok == true){
    header("location: user.php?u=".$_SESSION["username"]);
    exit();
}
// SET TIMESTAMP
// ADD TIMER JAVASCRIPT
// ADD TOKEN TO AJAX POST
$salt = "h89zxKYassa40832";
$timestamp = time();
$tk = str_shuffle(md5(uniqid().md5($salt)));
$tk = preg_replace('#[^a-z0-9.-]#i', '', $tk);
$ses_array = array("tm" => $timestamp, "tk" => $tk);
// Always replace any previous login token with the fresh one
// (the original if/else branches both ended up doing exactly this)
$_SESSION['login'] = $ses_array;
?>
[/php]
javascript

[php]// Helpers the post relies on but does not show; minimal versions are assumed here
function _(x){ return document.getElementById(x); }
function ajaxObj(meth, url){
    var x = new XMLHttpRequest();
    x.open(meth, url, true);
    x.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    return x;
}
function ajaxReturn(x){ return x.readyState == 4 && x.status == 200; }

var startTime = new Date().valueOf();
function emptyElement(x){
    _(x).innerHTML = "";
}
function login(){
    // MAKE SURE TIME HAS NOT EXPIRED
    var postTime = new Date().valueOf();
    var totalTime = Math.ceil((postTime - startTime)/1000);
    // IF 5 MIN HAS PASSED MAKE THEM REFRESH
    // SHAVE OFF A FEW SEC FOR TIME LOST IN THE PAGE LOAD 300->295
    if(totalTime > 295){
        _("loginbtn").style.display = "none";
        _("email").style.display = "none";
        _("password").style.display = "none";
        _("status").innerHTML = "You have timed out, please refresh the page.";
        return false;
    }
    var e = _("email").value;
    var p = _("password").value;
    if(e == "" || p == ""){
        _("status").innerHTML = "Your Missing Something!";
    } else {
        _("loginbtn").style.display = "none";
        _("status").innerHTML = "please wait ...";
        var ajax = ajaxObj("POST", "…/php_parsers/login_parser.php");
        ajax.onreadystatechange = function() {
            if(ajaxReturn(ajax) == true) {
                if(ajax.responseText == "login_failed"){
                    _("status").innerHTML = "Login Unsuccessful! Try Again.";
                    _("loginbtn").style.display = "block";
                } else {
                    window.location = "user.php?u="+ajax.responseText;
                }
            }
        }
        // NOTE: the <?php ... ?> tag below is only expanded when this script is inline in a
        // page that PHP renders; a static .js file is served as-is and would post the tag literally.
        // encodeURIComponent keeps '&', '+' and '=' in the e-mail or password from breaking the body.
        ajax.send("e="+encodeURIComponent(e)+"&p="+encodeURIComponent(p)+"&t=<?php echo $_SESSION['login']['tk']; ?>");
    }
}
[/php]
last php file

[php]<?php
// The parser reads $_SESSION, so the session has to be started in this file as well
session_start();
if(isset($_POST["e"])){   // was $POST["e"], which is never set, so the whole block was skipped
    // Get user ip address
    $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
    // Get referer from header
    $refer = preg_replace('#[^a-z0-9 -.]#i', '.', getenv('HTTP_REFERER'));
    // Set variable for possible logging
    $csrf = "";
    // Check for login session
    if(isset($_SESSION['login']) && isset($_SESSION['login']['tm']) && isset($_SESSION['login']['tk']) && isset($_POST['t'])){
        // Sanitize everything now
        $sTimestamp = preg_replace('#[^0-9]#', '', $_SESSION['login']['tm']);
        $sToken = preg_replace('#[^a-z0-9.-]#i', '', $_SESSION['login']['tk']);
        $fToken = preg_replace('#[^a-z0-9.-]#i', '', $_POST['t']);
        // Make sure we have values after sanitizing
        if($sTimestamp != "" && $sToken != "" && $fToken != ""){
            // Check if session and post token match
            if($fToken !== $sToken){
                $csrf .= "Form token and session token do not match|";
            }
            // Do 5 minute check
            $elapsed = time() - $sTimestamp;
            if($elapsed > 300){
                $csrf .= "Expired session|";
            }
        } else {
            $csrf .= "A critical session or form token post was empty after sanitization|";
        }
    } else {
        $csrf .= "A critical session or form token post was not set|";
    }
    // CONNECT TO THE DATABASE
    include_once("…/php_includes/db_connect.php");

    // Check our errors here
    if($csrf !== ""){
        // At least one of our tests above was failed
        // Sanitize the e & p posts for logging
        $e = mysqli_real_escape_string($dbConnect, $_POST['e']);
        $p = mysqli_real_escape_string($dbConnect, $_POST['p']);
        // Time to log this
        $sql = "INSERT INTO hUserLogging (dt, ip, referer, issues, epost, ppost)
                VALUES(now(),'$ip','$refer','$csrf','$e','$p')";
        $query = mysqli_query($dbConnect, $sql);
        mysqli_close($dbConnect);
        // Unset the login token so it cannot be retried
        if(isset($_SESSION['login'])){
            unset($_SESSION['login']);
        }
        // Throttle back the attack
        sleep(3);
        // Return generic login_failed and exit script
        echo "login_failed";
        exit();
    }

}[/php]

First off, I think CSRF is harder than it should be; when I remember to do it I just use this function to prevent them.
PHP Script
[php]function generate_secure_token($length = 16) {
    /* important! this has to be a cryptographically secure random generator */
    return bin2hex(openssl_random_pseudo_bytes($length));
}
[/php]
Assign it when the user logs in:

[php]$_SESSION['action_token'] = generate_secure_token();[/php]

Then in any form that accesses secure information do something like this:

[php][/php]

If there is a CSRF attack there is no way these tokens will match!

Then just compare the results with the data that is posted using an if statement along with your other standard checks.

Second, I would let PHP do the actual login of the user and the timer function, with JavaScript/Ajax just logging in the user dynamically and checking the user's time. I would get these two functions working properly in PHP first; then it will be no problem converting it over to incorporate Ajax/JavaScript.

BTW here is a good website about Cross-Site Request Frequency: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
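Added example, not code from either post in this thread: one small helper that covers both approaches discussed above, the poster's session-bound token with a 5-minute timestamp (login.php and login_parser.php) and the replier's generate_secure_token() plus hidden-field comparison. It assumes PHP 7.1+ (random_bytes(), hash_equals(), nullable types) and that every script touching $_SESSION has called session_start() before these functions run; the function and constant names (csrf_issue, csrf_validate, csrf_hidden_input, CSRF_TTL_SECONDS) are my own. Three things a practitioner would check in the thread's original flow are built in here: the token is compared with hash_equals() rather than !==, it is consumed after one check, and it is rendered by PHP into the HTML page rather than written inside a static .js file, which PHP never processes.

```php
<?php
// Added example (not the thread's code). Assumes PHP 7.1+ and that
// session_start() has already run in any script that uses $_SESSION.

const CSRF_TTL_SECONDS = 300;   // the same 5-minute window the thread uses

// Issue a fresh token and record when it was issued. Called by the page that
// renders the login form; the returned value is echoed into the form (or into
// the rendered page for the AJAX call), never into a separate .js file.
function csrf_issue(): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, 32 hex chars
    $_SESSION['login'] = ['tm' => time(), 'tk' => $token];
    return $token;
}

// Check the token posted back against the session copy. Returns '' when it is
// acceptable, otherwise '|'-separated reasons in the style of the $csrf string
// that login_parser.php logs. $now is a parameter only so the expiry branch can
// be exercised deterministically.
function csrf_validate(?string $posted, ?int $now = null): string
{
    $now = $now ?? time();
    if (!isset($_SESSION['login']['tm'], $_SESSION['login']['tk']) || $posted === null) {
        return 'A critical session or form token post was not set|';
    }
    $problems = '';
    // hash_equals() runs in constant time; a plain !== stops at the first
    // differing byte and can leak the token through response timing.
    if (!hash_equals($_SESSION['login']['tk'], $posted)) {
        $problems .= 'Form token and session token do not match|';
    }
    if ($now - (int) $_SESSION['login']['tm'] > CSRF_TTL_SECONDS) {
        $problems .= 'Expired session|';
    }
    // Tokens are single use: drop it after one check, pass or fail.
    unset($_SESSION['login']);
    return $problems;
}

// Hidden field for an ordinary form. For the AJAX version the same escaped
// value can go into a data-token attribute that the script reads.
function csrf_hidden_input(string $token): string
{
    return '<input type="hidden" name="t" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Offline walk-through (constructed, run with `php csrf.php`). $_SESSION is used
// as a plain array here because no HTTP session exists on the command line.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $t = csrf_issue();
    echo csrf_hidden_input($t), PHP_EOL;
    echo 'good token  : [', csrf_validate($t), ']', PHP_EOL;
    csrf_issue();
    echo 'wrong token : [', csrf_validate('deadbeef'), ']', PHP_EOL;
    $t = csrf_issue();
    echo 'stale token : [', csrf_validate($t, time() + 301), ']', PHP_EOL;
    echo 'no session  : [', csrf_validate($t), ']', PHP_EOL;
}
```

In the parser this replaces the hand-rolled comparison: after `session_start();`, call `$why = csrf_validate($_POST['t'] ?? null);` and, if `$why !== ''`, log it, sleep and echo `login_failed` exactly as the thread's login_parser.php already does. Because csrf_validate() unsets the token on every call, the login page must issue a new one on each load, which the thread's first file already does.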
