I'm trying to achieve a redirect to the home page of the user storing email in the session in Codeigniter. I have used password_hash($this->input->post('password'), PASSWORD_DEFAULT)) to hash the passwords and it works fine, but when I try to password_verify() it, it fails.
Here is my Model
public function canLogin($email, $password) {
$this->db->where('email',$email);
$query = $this->db->get($this->tableName);
$row = $query->row();
if ($row) {
return password_verify($password, $row->password);
}
else {
return false;
}
}
and here is my Controller
public function loginValidation() {
// User Model Loaded in constructor
if ($this->user->canLogin($_POST['email'], $_POST['password'])) {
$session_data = array('email' => $_POST['email'] );
$this->session->set_userdata($session_data);
redirect('profile/personal','Refresh');
} else {
echo 'fail';
$this->session->set_flashdata('error', 'Invalid Username or Password');
// redirect('login','Refresh');
}
}
I don't know where the logic went wrong and it everytime redirects to the same login page, I am trying to authenticate it, store email in session and redirect it to profile/personal , Can anyone point where I missed the logic?
#YashKaranke what is the password column's length? – Funk Forty Niner
#FunkFortyNiner It is 50 with datatype varchar – Yash Karanke
The password column's length is too short, it should be 60 or 255 as the manual on PHP.net for password_hash() suggests.
You now have to start over with new hashes.
The verification failed silently.
If you're using:
password_hash($this->input->post('password', PASSWORD_DEFAULT));
Are you sure this is hashing correctly? Shouldn't it be:
password_hash($this->input->post('password'), PASSWORD_DEFAULT);
Related
I have created a registration system where password are storing in bycript form. But While I am trying to validate for login purpose, it's saying wrong password . My code for authentication is given bellow :
public function authenticate(Request $request){
$email=$request->post('email');
$password=$request->post('password');
$result=Admin::where(['email'=>$email,'password'=>$password])->get();
if(isset($result['0']->id)){
$request->session()->put('ADMIN_LOGIN',true);
$request->session()->put('ADMIN_ID',$result['0']->id);
return redirect('admin');
}else{
$request->session()->flash('error','Please enter valid login details');
return redirect('admin-login');
}
}
You don't need to be building your own authentication system, but this would be the flow:
use App\Models\Admin;
use Hash;
...
public function authenticate(Request $request)
{
...
if ($user = Admin::where($request->only('email'))->first()) {
if (Hash::check($request->input('password'), $user->password)) {
// login
}
}
// not authenticated
}
You have to find the user by an identifier, so 'email' is used here. You can't query against the password because it is a hash. If you get a user from the query you can then do a hash check on the submitted password and the user's password from the record.
This is a simplified version of what SessionGuard::attempt/Auth::attempt([...]) is doing.
You have to find the admin by email like this:
$admin = Admin::where(['email'=>$email])->first();
and than compare the hashes
if ($admin && Hash::check($admin->password, $password)) {
// ... logged in
} else {
// ... not legged in
}
When your request is processed password comes as plain text while password in your database is hashed.
So you have to bcrypt or hash your password first to properly make your query.
You can:
$password = Hash::make($request->post('password'));
Or:
$password = bcrypt($request->post('password'));
Both Hash and bcrypt helper function work in the same way
I have a problem when decrypting passwords hashed with bcrypt. I can't login when I use this code. So, are there any mistakes?
function login(){
if ($this->session->userdata('username'))
{
redirect('dasbor');
}
//fungsi login
$valid = $this->form_validation;
$username = $this->input->post("username");
$password = $this->input->post("password");
$hash = $this->db->get('users')->row('password');
$hashp = $this->bcrypt->check_password($password,$hash);
$valid->set_rules("username","Username","required");
$valid->set_rules("password","Password","required");
if ($hashp) {
if($valid->run()) {
$this->simple_login->login($username,$hashp, base_url("dasbor"), base_url("Auth/login"));
}
}
// End fungsi login
$data = array('title'=>'Halaman Login Admin');
$this->load->view('admin/login_view',$data);
}
please help me to solve this problem.
I know this is an old question, but I want to help others who face the same problem.
First thing first, you need to rework again on your algorithm. The password_verify() function needs 2 parameters:
Password, the text that the user input in the text field before submitting the form.
Hash, a hash that is already stored in your database.
The goal is to verify if Password and Hash are similar. As you know, the password_hash() will return a different result at different times even when you hash the same string. Because of that, you can not use this->db->where() active record.
So, what I would do are these simple 2 steps:
Create a function in the model (e.g. Main_model.php) for getting user data.
public function get_user($user) {
$this->db->where('username', $user);
return $this->db->get('user')->row_array();
}
Get the password from the controller and use password_verify
$get_user = $this->main_model->get_user($this->input->post('username'));
if(password_verify($this->input->post('password'), $get_user['password'])){
// Success
}
else {
// Not Success
}
And one additional tip from me, don't write any active record in the Controller. It is not neat for the MVC method.
I am trying to code an application around an existing database. It already has several hundred users and data involving those users. So trying to change over the database that is used by a different program(game) from md5 to password_bcrypt or the like is not possible. This application is supposed to be a user's panel to allow for profile info and display user's character information. what I have atm is using PASSWORD_BCRYPT. I can get it to register the user with the md5 hash, however, my biggest issue is coding a password check. Here is the current code using PASSWORD_BCRYPT:
public function password($password)
{
return password_hash(
$password,
$this->config->get('app.hash.algo'),
['cost' => $this->config->get('app.hash.cost')]
);
}
public function passwordCheck($password, $hash)
{
return password_verify($password, $hash);
}
Again I know how to write out the code to let the user register with an md5 hash, but when they login it fails. Here is the call to the passwordCheck function:
if ($v->passes()) {
$user = $app->user
->where('username', $identifier)
->first();
if ($user && $app->hash->passwordCheck($password, $user->password)) {
$_SESSION[$app->config->get('auth.session')] = $user->id;
$app->flash('global', 'You are now signed in!');
} else {
$app->flash('global', 'Could not log you in!');
}
$app->response->redirect($app->urlFor('login'));
}
any and all suggestions welcome.
Thanks in advance!
The issue turned out to be that because I need to use a different hash, I can't use PASSWORD_HASH or the follow up function password_verify since the password_verify is checking apparently for the password_hash function. I'm not totally sure. But the following code is what works:
public function password($encrypt)
{
$encrypt = $salt . md5($encrypt);
return $encrypt;
}
public function passwordCheck($password, $hash)
{
return (strcmp($password, $hash) == 0);
}
the salt is a custom salt that I will keep to myself. I've tested this with my current app I am building and it is working like I want it to. The user can register and log in. Thanks for the help, but sadly the answer above came from else where. I know this isn't as secure as it should be but again it is a must since I am forced to use a pre-existing database that is still in use.
I have a reset password form on my site and I'm unsure whether it's being compromised or if my code is just flakey. The process goes like this:
User enters email address of forgotten password
Password is changed in DB and email is sent to use
User can now login with new password and change once in their account
(I realise this is an imperfect process but it's v1 of the site).
The problem is that intermittently all user passwords are being changed (to the same password) and I can't for the life of me figure it out. XSS and CSRF filters are both enabled inside Codeigniter.
Here's my code:
Controller
$this->form_validation->set_rules('email','Email address','required');
if ($this->form_validation->run() === FALSE)
{
$this->password_reset();
}
else
{
/**
* Generate a new password and send to model
*/
$newpass = substr(md5(rand()),0,10);
$this->users_model->reset_password($newpass);
// stuff for email here
$this->email->send();
/**
* Load view
**/
$data['content'] = 'content/login/reset_done';
$data['title'] = 'Password Reset';
$this->load->view($this->layout, $data);
}
}
Model
public function reset_password($newpass)
{
$email = $this->input->post('email');
$query = $this->db->get_where('users', array('user_email' => $email));
if($query->num_rows())
{
$newpass = do_hash($newpass, 'md5');
$this->db->where('user_email', $email);
$this->db->update('users', array('user_password' => $newpass));
}
}
So to repeat the problem once again: every so often all users passwords are being changed (to the same password). How is this happening?
In your model, don't use $this->input->post, instead send this data as an argument. (Because your model shouldn't act like a controller with routes/sessions/headers/etc information)
It is possible that this happens because $this->input->post('email') is empty or '' (in this case, it will update everybody and num_rows will return the total of users in database), you must check for :
public function reset_password($email, $newpass)
{
if(!$email || !$newpass)
return false;
$query = $this->db->get_where('users', array('user_email' => $email));
if($query->num_rows())
{
$newpass = do_hash($newpass, 'md5');
$this->db->where('user_email', $email);
$this->db->update('users', array('user_password' => $newpass));
}
}
EDIT
- You don't need to do 2 queries (check email then update)
public function reset_password($email, $newpass)
{
if(!$email || !$newpass)
return false;
$newpass = do_hash($newpass, 'md5');
$this->db->where('user_email', $email);
$this->db->update('users', array('user_password' => $newpass));
if ($this->db->affected_rows() < 1) {
return false; //Email wasn't found
} else {
return true;
}
}
You can also call for $this->db->last_query(); to see the query and if the where() did work.
this is not an answer to your specific question, but it needs to be addressed, and it was too long for a comment.
DO NOT use MD5 as a hashing mechanism for passwords. it is outdated, and basically provides zero security anymore. instead use PHPs password_hash() and if you don't have PHP5.5 use the compatibility library. it's very easy to use and works great, and uses better hashing algorithms.
second, it is not generally good practice to create a new password for a user. rather create a token that expires within 1 hour of the request, and then pass that along in the email. then the user enters their email, token, and new password.
and because I can't say it enough, DONT USE MD5
I was learning this login tutorial online with the choice for user to change password after login and the notes given are
if ($validator->fails())
{
return Redirect::route('account-change-password')
->withErrors($validator);
}
else
{
$user = User::find(Auth::user()->id);
$old_password = Input::get('old_password');
$password = Input::get('password');
if(Hash::check($old_password, $user->getAuthPassword()))
{
$user->password = Hash::make($password);
if($user->save())
{
return Redirect::route('home')
->with('global', 'Your Password has been changed');
}
}
else
{
return Redirect::route('account-change-password')
->with('global', 'Your old password is incorrect');
}
}
in the tutorial inside the else $user = User::find(Auth::user()->id); is used right away and then the if statement to check the password is using $user = User::find(Auth::user()->id);
When I'm trying to do it on my on after watching the tutorial I did it differently.
if ($v->fails())
{
return Redirect::route('account-change-password')
->withErrors($v)
->with('global', 'Please check the errors in red');
}
else
{
if (Hash::check(Input::get('old_password'),Auth::user()->password))
{
$user = User::find(Auth::user()->id);
$user->password = Hash::make(Input::get('new_password'));
if ($user->save())
{
return Redirect::route('home')
->with('global', 'Password Changed.');
}
}
return Redirect::route('account-change-password')
->with('global', 'Old password is incorrect');
}
I checked the password and the password in the database right away with Auth::user()->password) by using the if statement and put the $user = User::find(Auth::user()->id); inside the if statement in order for me to get access to $user->password and change the password.
I know there are always lots different ways to do things but I'm just wondering if the way I am doing it would have some kind of problem in the future that I am not realizing it now and would be better to remember and stick to the way the tutorial taught.
Actually, you should check the source, it's within your reach so why not just dig in to deep, anyways, when you use following code:
$user = User::find('1');
$user->getAuthPassword();
This code returns the password of currently instantiated user and hence it's the user with id=1 and it could be any user you may want, depends on you, whom to retrieve from the database. The code inside the getAuthPassword function is:
public function getAuthPassword()
{
return $this->password;
}
So, it doesn't matter whether the user you retrieved from the database is logged in or not. If you retrieve the user with id=10 then you can get this user's password too.
On the other hand, the following code:
Auth::user()->password;
It returns the currently logged in user's password because Auth::user() returns the currently logged in user instance and this method will work only when the current user is logged in. So, yes, there is a difference in both cases.