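/**
 * Log the current request in from the posted email/password pair.
 *
 * Reads $_POST['email'] and $_POST['password']. When the password verifies
 * against the stored PBKDF2 hash this records the user id and capability
 * names on $this->stone, inserts a session row plus its link to the user and
 * sets the "ItPhilManagerSession" cookie carrying the new session hash.
 * Returns nothing; it returns early when the fields are missing, the email is
 * unknown, the password does not verify or the session rows could not be
 * written (in which case no cookie is issued).
 */
function authenticate()
{
    if (!isset($_POST['password'], $_POST['email'])) {
        return;
    }

    $pdo = $this->stone->pdo;
    $hasher = new \PasswordHash(); //TODO better manage external classes

    $sth = $pdo->prepare("SELECT user_pbkdf2, user.user_id as user_id\n FROM user\n JOIN link_email2user \n ON link_email2user.user_id = user.user_id\n JOIN email \n ON link_email2user.email_id = email.email_id\n WHERE email_address = :email");
    $sth->execute([':email' => $_POST['email']]);
    $loginData = $sth->fetch();
    if ($loginData === false) {
        // Unknown email. The old code fell through and verified against a
        // null hash (with "undefined index" warnings); the outcome is the same.
        return;
    }

    $dbHash = $loginData['user_pbkdf2'];
    $user_id = $loginData['user_id'];
    if (!$hasher->validate_password($_POST['password'], $dbHash)) {
        return;
    }

    $this->stone->setUserID($user_id);

    $sth = $pdo->prepare("SELECT capability_name \n FROM capability \n WHERE user_id = :user_id");
    $sth->execute([':user_id' => $user_id]);
    // FETCH_COLUMN returns every capability_name; the former fetchColumn()
    // loop stopped at the first falsy name (e.g. "0") and dropped the rest.
    $this->stone->setUserCapabilities($sth->fetchAll(\PDO::FETCH_COLUMN));

    // Session token: 20 bytes from the OS CSPRNG, hex-encoded to the same
    // 40-character width sha1() produced, so the column layout is unchanged.
    // sha1(rand()) was predictable (rand() is not a CSPRNG and yields at most
    // 2^31 distinct values), which is exactly what a session token must not be.
    // random_bytes() (PHP 7.0+) reads getrandom()/urandom and does not block
    // once the kernel pool is seeded at boot, unlike the mcrypt IV attempt.
    $sessionHash = bin2hex(random_bytes(20));

    // Addresses are stored in IPv6 form; plain IPv4 is mapped to ::ffff:a.b.c.d.
    $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
    $ipBinary = inet_pton(strpos($remoteAddr, ':') !== false ? $remoteAddr : '::ffff:' . $remoteAddr);

    $sth = $pdo->prepare("INSERT INTO session (session_hash,session_ip_start,session_useragent) values (:session_hash,:session_ip_start,:session_useragent)");
    $sessionWritten = $sth->execute([
        ':session_hash' => $sessionHash,
        ':session_ip_start' => $ipBinary,
        ':session_useragent' => $_SERVER['HTTP_USER_AGENT'] ?? '',
    ]);
    if (!$sessionWritten) {
        // No session row: do not hand the client a token that maps to nothing.
        return;
    }

    $sth = $pdo->prepare("INSERT INTO link_session2user (session_id,user_id) Values (:session_id,:user_id)");
    $linkWritten = $sth->execute([
        ':session_id' => $pdo->lastInsertId(),
        ':user_id' => $user_id,
    ]);
    if (!$linkWritten) {
        // Session row exists but is not bound to the user; the token would
        // never resolve to a login, so again issue no cookie.
        return;
    }

    // Expiry keeps the original value (the 32-bit unsigned maximum; PHP_INT_MAX
    // triggered "Expiry date cannot have a year greater than 9999" on the
    // production server). The cookie is HttpOnly so page scripts cannot read
    // the token, and Secure whenever this request itself arrived over TLS, so
    // the browser will not replay it over plain HTTP.
    $overTls = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie('ItPhilManagerSession', $sessionHash, 4294967295, '', '', $overTls, true);
}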
<?php session_start(); require_once "../../PasswordHashClass.php"; $DB = new DB('sqlite::memory:'); // Replace with your own if (isset($_POST['username']) && isset($_POST['password'])) { $result = $DB->pQuery("SELECT * FROM user_accounts WHERE username = ?", $_POST['username']); if (!empty($result)) { $user =& $result[0]; if (PasswordHash::validate_password($_POST['password'], $user['password'])) { // Replace with your application logic die("LOGIN SUCCESS"); } } // Replace with your application logic die("LOGIN FAILURE"); } ?> <!DOCTYPE html> <html> <head> <title>DEMO</title> </head> <body> <h1>Login</h1> <?php if (isset($_SESSION['msg'])) { echo "<p>" . htmlentities($_SESSION['msg'], ENT_QUOTES, 'UTF-8') . "</p>\n"; unset($_SESSION['msg']); }
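/**
 * Establish $_SESSION['user'] for the current request.
 *
 * First tries the "ItPhilManagerSession" cookie: when its hash resolves to a
 * user, $_SESSION['user'] (keys 'id' and 'capabilities') is filled and the
 * function returns; a cookie that resolves to nothing is cleared. Otherwise,
 * when $_POST['email'] and $_POST['password'] are present and the password
 * verifies against the stored PBKDF2 hash, $_SESSION['user']['id'] is set, a
 * session row and its link to the user are inserted and the cookie is issued.
 * Uses the global $pdo connection. Returns nothing.
 */
function ProcessLogin()
{
    global $pdo;

    if (isset($_COOKIE['ItPhilManagerSession'])) {
        $sth = $pdo->prepare("SELECT user.user_id as user_id from user\n JOIN link_session2user\n ON link_session2user.user_id = user.user_id\n JOIN session\n ON link_session2user.session_id = session.session_id\n WHERE session_hash = :session_hash");
        $sth->execute([':session_hash' => $_COOKIE['ItPhilManagerSession']]);
        $user_id = $sth->fetchColumn();
        if ($user_id) {
            $sth = $pdo->prepare("SELECT capability_name FROM capability WHERE user_id = :user_id");
            $sth->execute([':user_id' => $user_id]);
            // FETCH_COLUMN returns every capability_name; the former
            // fetchColumn() loop stopped at the first falsy name (e.g. "0").
            $_SESSION['user'] = [
                'id' => $user_id,
                'capabilities' => $sth->fetchAll(PDO::FETCH_COLUMN),
            ];
            return;
        }
        // Cookie does not resolve to a session: clear it. The old call passed
        // the bare constant ItPhilManagerSession, which is undefined (a
        // warning plus implicit string on PHP 7, a fatal Error on PHP 8).
        setcookie('ItPhilManagerSession', '', 1);
    }

    if (!isset($_POST['email'], $_POST['password'])) {
        // Nothing posted: the old code ran the lookup with a null email and
        // then failed verification anyway, so returning here is equivalent.
        return;
    }

    $hasher = new PasswordHash();
    $sth = $pdo->prepare("SELECT user_pbkdf2, user.user_id as user_id\n FROM user\n JOIN link_email2user \n ON link_email2user.user_id = user.user_id\n JOIN email \n ON link_email2user.email_id = email.email_id\n WHERE email_address = :email");
    $sth->execute([':email' => $_POST['email']]);
    $loginData = $sth->fetch();
    // Unknown email short-circuits before the verifier sees a null hash.
    $validPassword = $loginData !== false
        && $hasher->validate_password($_POST['password'], $loginData['user_pbkdf2']);
    if (!$validPassword) {
        // Kept from the original: $data is a fresh local here, so the message
        // is discarded on return and never reaches the page (TODO: surface it).
        $data['content_raw'] .= "Invalid Password";
        return;
    }
    $user_id = $loginData['user_id'];

    // Password login is a privilege change: rotate the PHP session id so an
    // identifier fixed before authentication is not carried into the login.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user'] = ['id' => $user_id];

    // Session token: 20 bytes from the OS CSPRNG, hex-encoded to the same
    // 40-character width sha1() produced. sha1(rand()) was predictable
    // (rand() is not a CSPRNG and yields at most 2^31 distinct values).
    // random_bytes() (PHP 7.0+) reads getrandom()/urandom and does not block
    // once the kernel pool is seeded at boot, unlike the mcrypt IV attempt.
    $sessionHash = bin2hex(random_bytes(20));

    // Addresses are stored in IPv6 form; plain IPv4 is mapped to ::ffff:a.b.c.d.
    $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
    $ipBinary = inet_pton(strpos($remoteAddr, ':') !== false ? $remoteAddr : '::ffff:' . $remoteAddr);

    $sth = $pdo->prepare("INSERT INTO session (session_hash,session_ip_start,session_useragent) values (:session_hash,:session_ip_start,:session_useragent)");
    $sessionWritten = $sth->execute([
        ':session_hash' => $sessionHash,
        ':session_ip_start' => $ipBinary,
        ':session_useragent' => $_SERVER['HTTP_USER_AGENT'] ?? '',
    ]);
    if (!$sessionWritten) {
        // No session row: do not hand the client a token that maps to nothing.
        return;
    }

    $sth = $pdo->prepare("INSERT INTO link_session2user (session_id,user_id) Values (:session_id,:user_id)");
    $linkWritten = $sth->execute([
        ':session_id' => $pdo->lastInsertId(),
        ':user_id' => $user_id,
    ]);
    if (!$linkWritten) {
        // Session row exists but is not bound to the user; the token would
        // never resolve to a login, so again issue no cookie.
        return;
    }

    // Expiry keeps the original 32-bit maximum (valid until 2038; PHP_INT_MAX
    // triggered "Expiry date cannot have a year greater than 9999" on the
    // production server). The cookie is HttpOnly so page scripts cannot read
    // the token, and Secure whenever this request itself arrived over TLS, so
    // the browser will not replay it over plain HTTP.
    $overTls = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie('ItPhilManagerSession', $sessionHash, 2147483647, '', '', $overTls, true);
}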
if ($a === $b) { echo "pass\n"; } else { echo "FAIL\n"; } // Test vector hex output. $a = $MyHash->pbkdf2("sha1", "password", "salt", 2, 20, false); $b = "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"; if ($a === $b) { echo "pass\n"; } else { echo "FAIL\n"; } $hash_of_password = $MyHash->create_hash("password"); // Test correct password. if ($MyHash->validate_password("password", $hash_of_password)) { echo "pass\n"; } else { echo "FAIL\n"; } // Test wrong password. if ($MyHash->validate_password("wrong_password", $hash_of_password) === FALSE) { echo "pass\n"; } else { echo "FAIL\n"; } // Test bad hash. if ($MyHash->validate_password("password", "") === FALSE) { echo "pass\n"; } else { echo "FAIL\n";