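function authenticate()
 {
     // Password login: verifies the POSTed email/password against the stored
     // user_pbkdf2 hash. On success it registers the user and their capability
     // names with $this->stone, stores a new row in `session` (linked to the
     // user through link_session2user) and hands the browser the session token
     // in the ItPhilManagerSession cookie.
     //
     // Returns nothing and emits no output; on any failure $this->stone is left
     // untouched. Requires PHP >= 7.0 (random_bytes).
     if (!isset($_POST['password'], $_POST['email'])
         || !is_string($_POST['password']) || !is_string($_POST['email'])) {
         // Missing or non-scalar (email[]=...) credentials: nothing to verify.
         return;
     }
     $hasher = new \PasswordHash();
     //TODO better manage external classes

     // Look the account up by email. The address is untrusted input and only
     // ever reaches the database as a bound parameter.
     $sth = $this->stone->pdo->prepare("SELECT user_pbkdf2, user.user_id as user_id\n                     FROM user\n                     JOIN link_email2user \n                     ON link_email2user.user_id = user.user_id\n                     JOIN email \n                     ON link_email2user.email_id = email.email_id\n                     WHERE email_address = :email");
     $sth->execute(array(":email" => $_POST['email']));
     $loginData = $sth->fetch();
     if ($loginData === false) {
         // Unknown email: stop before indexing into `false` (a warning on
         // PHP >= 7.4) and before handing validate_password() a null hash.
         // NOTE(review): this exit is much faster than a real hash check, so
         // response time reveals whether an email is registered; verifying a
         // dummy hash in the stored format here would equalise the two paths.
         return;
     }
     $dbHash = $loginData['user_pbkdf2'];
     $user_id = $loginData['user_id'];

     if (!$hasher->validate_password($_POST['password'], $dbHash)) {
         return;
     }

     $this->stone->setUserID($user_id);

     // Load the user's capability names. Compare against false explicitly so a
     // capability literally named "0" does not end the loop early.
     $sth = $this->stone->pdo->prepare("SELECT capability_name \n                            FROM capability \n                              WHERE user_id = :user_id");
     $sth->execute(array(":user_id" => $user_id));
     $capabilities = array();
     while (($capability = $sth->fetchColumn()) !== false) {
         $capabilities[] = $capability;
     }
     $this->stone->setUserCapabilities($capabilities);

     // Session token: 160 bits from the OS CSPRNG. random_bytes() does not
     // block the way the earlier mcrypt attempt did and throws rather than
     // degrade, so it fails closed. Hex-encoded it has the same 40-character
     // shape as the sha1() value it replaces, so the session_hash column width
     // is unaffected. The former sha1(rand()) carried at most 31 bits from a
     // non-cryptographic, seedable generator and was guessable.
     $sessionHash = bin2hex(random_bytes(20));

     // Client address, normalised to packed IPv6 form (IPv4 is stored as an
     // IPv4-mapped address). inet_pton() yields false for an unparsable
     // address, exactly as before.
     $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
     if (strpos($remoteAddr, ":") !== false) {
         $ipStart = inet_pton($remoteAddr);
     } else {
         $ipStart = inet_pton("::ffff:" . $remoteAddr);
     }

     $data = array(
         ":session_hash" => $sessionHash,
         ":session_ip_start" => $ipStart,
         ":session_useragent" => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null,
     );
     $sth = $this->stone->pdo->prepare("INSERT INTO session (session_hash,session_ip_start,session_useragent) values (:session_hash,:session_ip_start,:session_useragent)");
     if (!$sth->execute($data)) {
         // Nothing was stored, so issue no cookie: a token matching no row
         // would only be rejected on the next request anyway.
         return;
     }
     $sessionId = $this->stone->pdo->lastInsertId();

     $sth = $this->stone->pdo->prepare("INSERT INTO link_session2user (session_id,user_id) Values (:session_id,:user_id)");
     if (!$sth->execute(array(':session_id' => $sessionId, ':user_id' => $user_id))) {
         // Session row exists but maps to no user; the cookie would be useless.
         return;
     }

     // Only now, with both rows in place, hand the token to the browser.
     // HttpOnly keeps page scripts from reading it; Secure is set when this
     // request itself arrived over TLS (behind a TLS-terminating proxy
     // $_SERVER['HTTPS'] may be absent - derive it from the proxy header there).
     // Path and domain stay at PHP's defaults, as before.
     // Expiry: PHP_INT_MAX is rejected on 64-bit builds ("year greater than
     // 9999") and the previous 4294967295.0 lies outside the 32-bit int range
     // it was meant to fit; 2^31-1 (2038) works on both widths.
     // NOTE(review): the session row carries no server-side expiry, so a token
     // stays valid until deleted; consider a shorter lifetime.
     $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
     setcookie("ItPhilManagerSession", $sessionHash, 2147483647, "", "", $secure, true);
 }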
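<?php

// Minimal login demo for PasswordHashClass: looks the POSTed username up and
// verifies the POSTed password against the stored hash.
session_start();
// Resolve the helper relative to this file: a path beginning with "../" is
// resolved against the process working directory, which is not necessarily
// this script's directory.
require_once __DIR__ . "/../../PasswordHashClass.php";
$DB = new DB('sqlite::memory:');
// Replace with your own
if (isset($_POST['username']) && isset($_POST['password'])) {
    // Parameterised lookup; the username is untrusted input.
    $result = $DB->pQuery("SELECT * FROM user_accounts WHERE username = ?", $_POST['username']);
    // NOTE(review): an unknown username skips the (deliberately slow) hash
    // check, so response time reveals which usernames exist; verify a dummy
    // hash on the miss path if that matters for your application.
    if (!empty($result)) {
        $user = $result[0];
        if (PasswordHash::validate_password($_POST['password'], $user['password'])) {
            // Replace with your application logic
            die("LOGIN SUCCESS");
        }
    }
    // Replace with your application logic
    die("LOGIN FAILURE");
}
?>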
<!DOCTYPE html>
<html>
	<head>
		<title>DEMO</title>
	</head>
	<body>
		<h1>Login</h1>
		<?php 
if (isset($_SESSION['msg'])) {
    // One-shot flash message: rendered once, then dropped from the session.
    // ENT_QUOTES keeps a stored message from injecting markup or attributes.
    $flash = htmlentities($_SESSION['msg'], ENT_QUOTES, 'UTF-8');
    unset($_SESSION['msg']);
    echo "<p>" . $flash . "</p>\n";
}
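 function ProcessLogin()
 {
     // Establishes the logged-in user for this request. First tries the
     // ItPhilManagerSession cookie against the `session` table; failing that,
     // verifies the POSTed email/password and creates a new session row plus
     // cookie. On success $_SESSION['user'] holds 'id' (and, on the cookie
     // path, 'capabilities'); on failure it is left untouched. Returns nothing.
     // Requires PHP >= 7.0 (random_bytes).
     global $pdo;
     $cookieName = "ItPhilManagerSession";

     if (isset($_COOKIE[$cookieName])) {
         $token = $_COOKIE[$cookieName];
         $user_id = false;
         // Tokens are 40 hex characters (see generation below); anything else
         // cannot match a stored hash and is rejected without a query.
         if (is_string($token) && strlen($token) === 40 && ctype_xdigit($token)) {
             $sth = $pdo->prepare("SELECT user.user_id as user_id from user\n                            JOIN link_session2user\n                            ON link_session2user.user_id = user.user_id\n                            JOIN session\n                            ON link_session2user.session_id = session.session_id\n                            WHERE session_hash = :session_hash");
             $sth->execute(array(":session_hash" => $token));
             $user_id = $sth->fetchColumn();
         }
         if ($user_id) {
             // NOTE(review): session_ip_start and session_useragent are stored
             // at login but never compared here, and the row has no expiry, so
             // a leaked token works from anywhere until it is deleted.
             // Privilege level changes: issue a fresh PHP session id so a
             // pre-set (fixated) id cannot be ridden into the login.
             if (session_status() === PHP_SESSION_ACTIVE) {
                 session_regenerate_id(true);
             }
             $_SESSION['user'] = array();
             $_SESSION['user']['id'] = $user_id;
             $sth = $pdo->prepare("SELECT capability_name FROM capability WHERE user_id = :user_id");
             $sth->execute(array(":user_id" => $user_id));
             // Compare against false explicitly so a capability named "0"
             // does not end the loop early.
             $capabilities = array();
             while (($capability = $sth->fetchColumn()) !== false) {
                 $capabilities[] = $capability;
             }
             $_SESSION['user']['capabilities'] = $capabilities;
             return;
         }
         // Stale or forged cookie: expire it. The name must be a quoted string;
         // the former bare ItPhilManagerSession was an undefined constant
         // (notice on PHP < 8, fatal Error on PHP 8).
         setcookie($cookieName, "", 1);
     }

     if (!isset($_POST['email'], $_POST['password'])
         || !is_string($_POST['email']) || !is_string($_POST['password'])) {
         // No usable credentials (e.g. a plain page load without a valid
         // cookie): nothing to verify. Previously this fell through to
         // validate_password(null, null) with undefined-index notices.
         return;
     }

     $hasher = new PasswordHash();
     // Look the account up by email; the address is bound, never interpolated.
     $sth = $pdo->prepare("SELECT user_pbkdf2, user.user_id as user_id\n                   FROM user\n                   JOIN link_email2user \n                   ON link_email2user.user_id = user.user_id\n                   JOIN email \n                   ON link_email2user.email_id = email.email_id\n                   WHERE email_address = :email");
     $sth->execute(array(":email" => $_POST['email']));
     $loginData = $sth->fetch();
     if ($loginData === false) {
         // Unknown email: stop before indexing into `false` and before handing
         // validate_password() a null hash.
         // NOTE(review): this exit is faster than a real hash check, so response
         // time reveals whether an email is registered; verifying a dummy hash
         // in the stored format here would equalise the two paths.
         return;
     }
     $dbHash = $loginData['user_pbkdf2'];
     $user_id = $loginData['user_id'];

     $validPassword = $hasher->validate_password($_POST['password'], $dbHash);
     if ($validPassword) {
         // Fresh PHP session id on privilege change (session fixation).
         if (session_status() === PHP_SESSION_ACTIVE) {
             session_regenerate_id(true);
         }
         $_SESSION['user'] = array();
         $_SESSION['user']['id'] = $user_id;
         // NOTE(review): unlike the cookie path above, capabilities are not
         // loaded here, so $_SESSION['user']['capabilities'] is unset until the
         // next request - confirm whether callers depend on that.

         // Session token: 160 bits from the OS CSPRNG. random_bytes() does not
         // block and throws rather than degrade, so it fails closed. Hex-encoded
         // it keeps the 40-character shape of the sha1() value it replaces, so
         // the session_hash column width is unaffected. The former sha1(rand())
         // carried at most 31 bits from a non-cryptographic, seedable generator
         // and was guessable.
         $sessionHash = bin2hex(random_bytes(20));

         // Client address in packed IPv6 form (IPv4 stored as an IPv4-mapped
         // address); inet_pton() yields false for an unparsable address.
         $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
         if (strpos($remoteAddr, ":") !== false) {
             $ipStart = inet_pton($remoteAddr);
         } else {
             $ipStart = inet_pton("::ffff:" . $remoteAddr);
         }

         $data = array(
             ":session_hash" => $sessionHash,
             ":session_ip_start" => $ipStart,
             ":session_useragent" => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null,
         );
         $sth = $pdo->prepare("INSERT INTO session (session_hash,session_ip_start,session_useragent) values (:session_hash,:session_ip_start,:session_useragent)");
         if (!$sth->execute($data)) {
             // Nothing stored: issue no cookie rather than one matching no row.
             return;
         }
         $sessionId = $pdo->lastInsertId();

         $sth = $pdo->prepare("INSERT INTO link_session2user (session_id,user_id) Values (:session_id,:user_id)");
         if (!$sth->execute(array(':session_id' => $sessionId, ':user_id' => $user_id))) {
             // Session row maps to no user; the cookie would be useless.
             return;
         }

         // Both rows are in place: hand the token to the browser. HttpOnly keeps
         // page scripts from reading it; Secure is set when this request itself
         // arrived over TLS (behind a TLS-terminating proxy $_SERVER['HTTPS']
         // may be absent - derive it from the proxy header there). Path and
         // domain stay at PHP's defaults so the clearing setcookie() above
         // addresses the same cookie.
         // Expiry 2^31-1 (2038): PHP_INT_MAX is rejected on 64-bit builds
         // ("year greater than 9999"). NOTE(review): the session row has no
         // server-side expiry; consider a shorter lifetime.
         $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
         setcookie($cookieName, $sessionHash, 2147483647, "", "", $secure, true);
     } else {
         // Kept from the original: $data is a local here, so this message never
         // leaves the function. NOTE(review): presumably meant for a shared
         // response buffer - confirm with the caller.
         $data['content_raw'] .= "Invalid Password";
     }
 }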
if ($a === $b) {
    echo "pass\n";
} else {
    echo "FAIL\n";
}
// Test vector hex output.
// Expected digest is the RFC 6070 PBKDF2-HMAC-SHA1 vector for P="password",
// S="salt", c=2, dkLen=20.
$report = function ($ok) {
    echo $ok ? "pass\n" : "FAIL\n";
};
$a = $MyHash->pbkdf2("sha1", "password", "salt", 2, 20, false);
$b = "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957";
$report($a === $b);
$hash_of_password = $MyHash->create_hash("password");
// Test correct password.
$report($MyHash->validate_password("password", $hash_of_password));
// Test wrong password.
$report($MyHash->validate_password("wrong_password", $hash_of_password) === FALSE);
// Test bad hash.
if ($MyHash->validate_password("password", "") === FALSE) {
    echo "pass\n";
} else {
    echo "FAIL\n";