0

I want to do auto authorization on my website after registration. (logging in right after sucessfull user registration). What I do and what I have:

I have auth.php

<?php

session_start();

function getRandom16IV()  {
    // get iv for encryption
    $alph = array_merge(range('A', 'Z'), range('a', 'z'));
    $result = "";
    $i = 0;
    while ($i != 16) {
        $result = $result . $alph[array_rand($alph, 1)];
        $i++;
    }
    return $result;
}

function getRandom255Key() {
    // get key from encryprion
    $numbers = range(1, 9);
    $result = "";
    $i = 0;
    while ($i != 255) {
        $result = $result . $numbers[array_rand($numbers, 1)];
        $i++;
    }
    return $result;
}
// get login or password values
$log_mail = $_POST['login_mail'];
$pwd      = $_POST['pwd'];
// get params for DB from config.php
include("config.php");
$con = mysqli_connect($db_ip, $db_login, $db_pwd , $db_name);
if (mysqli_connect_errno()){
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// process inputs
$login_mail = $_POST['login_mail'];
$pwd = stripslashes($_POST['pwd']);
$pwd = mysqli_real_escape_string($con, $pwd);

// check if user exist
$query    = "SELECT login, pwd, email FROM `users`";
$result   = mysqli_query($con, $query);

// if user exist
$user_exist = false;
while($row = $result->fetch_assoc()) {
    if ($row["login"] == $login_mail or $row["email"] == $login_mail) {
        if ($row["pwd"] == $pwd) {
            $user_exist = true;
        }
    }
}


// authorize if user exist in DB
if ($user_exist == true) {
    include("config.php");
    include("get_from_db_functions.php");
    $key = getRandom255Key();
    $iv = getRandom16IV();
    
    $encrypt_result = openssl_encrypt($login_mail, $encr_method, $key, $options=0, $iv);

    $bday = getBday($login_mail);
    $age = calcAge($bday);

    setcookie("login_encr", $encrypt_result, time() + (86400 * 30 * 31 * 12), "/"); // год
    setcookie("logged_in", "true", time() + (86400 * 30 * 31 * 12), "/");
    setcookie("age", $age, time() + (86400 * 30 * 31 * 12), "/");
    
    $query    = "SELECT id FROM `users`WHERE login='$login_mail' OR email='$login_mail' LIMIT 1";
    $result   = mysqli_query($con, $query);
    while ($row = mysqli_fetch_assoc($result)) {
        setcookie("id", $row['id'], time() + (86400 * 30 * 31 * 12), "/");
    }
    
    $query    = "UPDATE `users` SET encr_iv='$iv', encr_key='$key' WHERE login='$login_mail' OR email='$login_mail'";
    $result   = mysqli_query($con, $query);
    
    $_SESSION['auth-errors'] = array(); // no errors array
    
} else {
    // we have errors while authorization
    $_SESSION['auth-errors'] = array(
        'e1' => "Wrong login or password"
    );

}

$con->close();

header("Location: ../index.php");

?>

registration.php

// user registration... in sucessfull case I use this post request trying to authorize:
// set post fields

session_start();

header('Content-Type: charset=utf-8');

include("config.php");
include("get_from_db_functions.php");
include("user_params_operations.php");

function validateInputs() {
    
    $valid = true;
    $errorMessage = array();
    foreach ($_POST as $key => $value) {
        if (empty($_POST[$key])) {
            $valid = false;
        }
    }
    if($valid == false) {
        $errorMessage[] = "Need to fill all fields";
    }
    return;
}

$registration_result = validateInputs();
$_SESSION['registration_errors'] = $registration_result;

$con = setConnection();

$name = stripslashes($_POST['name']);
$name = mysqli_real_escape_string($con, $name);
$surname = stripslashes($_POST['surname']);
$surname = mysqli_real_escape_string($con, $surname);
$login = stripslashes($_POST['login']);
$login = mysqli_real_escape_string($con, $login);
$pwd = stripslashes($_POST['pwd']);
$pwd = mysqli_real_escape_string($con, $pwd);
$email = stripslashes($_POST['email']);
$email = mysqli_real_escape_string($con, $email);
$bday = stripslashes($_POST['date']);
$bday = mysqli_real_escape_string($con, $bday);

// check if user exist
$user_check_query = "SELECT id FROM users WHERE login='$login' OR email='$email' LIMIT 1";
$result = mysqli_query($con, $user_check_query);
$user = mysqli_fetch_assoc($result);

if ($user) {
    // if user exist return error
    if ($_SESSION['registration_errors'] == null) {
        $_SESSION['registration_errors'] = array();
    }
    if ($user['login'] === $login) {
        array_push($_SESSION['registration_errors'], "user already exist");
    } else if ($user['email'] === $email) {
        array_push($_SESSION['registration_errors'], "usere already exist");
    }
} else {
    
    $query    = "INSERT INTO `users` (name, surname, login, pwd, birthdate, email, encr_iv, encr_key) VALUES ( '$name', '$surname', '$login', '$pwd', '$bday', '$email', '', '')";
    $result   = mysqli_query($con, $query);
    
    
    $getid = "SELECT id FROM users WHERE login='$login' OR email='$email' LIMIT 1";
    $result = mysqli_query($con, $getid);
    while ($row = mysqli_fetch_assoc($result)) {
        $id = $row['id'];
        $age = calcAgeByBirthDate($bday);
        $query    = "INSERT INTO `user_params` (user_id, age, happiness_level, good_habbits, bad_habbits, max_lifespan, expected_lifespan)
                    VALUES ('$id', '$age', 0, '', '', 0, 0)";
        $res   = mysqli_query($con, $query);
    }



    // set post fields
    $post = [
        'login_mail' => $login,
        'pwd' => $pwd
    ];

    $ch = curl_init('auth.php');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

    // execute!
    $response = curl_exec($ch);

    // close the connection, release resources used
    curl_close($ch);

    // do anything you want with your response
    // var_dump($response);
}



$con->close();
header("Location: ../profile.php");

If I use auth separately it works file, registration works fine, but it does not authorize as I want (via post request right after registration).

What I did wrong?

WhoAmI
  • 623
  • 5
  • 16
  • How does your authorization process work? Please [edit] your question to include the source code of the 'auth.php' file. Using a CURL request here is most likely not what you want. – Progman Aug 30 '20 at 18:02
  • @Progman made edits, please see – WhoAmI Aug 30 '20 at 18:08
  • Auth file looks poor: $pwd = mysqli_real_escape_string($con, $pwd); - why would you need to escape a password that should be hashed anyway? – SJacks Aug 30 '20 at 18:09
  • @SJacks I thought it will let me avoid some scripts injection? I know the code is bad, but the question is in another – WhoAmI Aug 30 '20 at 18:11
  • That's part of the beauty of hashing, you don't need multiple ways to sanitize a post value as hashing does it for you - take password, add pepper, hash and compare to stored hash. Makes things easier and safer. – SJacks Aug 30 '20 at 18:15
  • @SJacks I will change it a little later, I am confused for now with what is wrong with auto authorization part – WhoAmI Aug 30 '20 at 18:18
  • That's why I mention it now. Later will be difficult as you will have many passwords stored in a non-hashed format which is a bad idea for security. If you're going to do hashed passwords, now is the time, not later. – SJacks Aug 30 '20 at 18:20
  • @WhoAmI Please see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php on how to prevent SQL injection by using prepared statements. – Progman Aug 30 '20 at 18:23
  • @WhoAmI Please see https://stackoverflow.com/questions/1217824/post-to-another-page-within-a-php-script – A. Sang Aug 30 '20 at 20:36
  • i think best solution store data to session then get via auth.php – A. Sang Aug 30 '20 at 20:42

2 Answers2

1

Using cURL here is not the solution. The cURL functions will make a new different HTTP request to the file, where the client will not be the user's browser, but instead the webserver PHP is running. Any session/login cookie would be saved on the webserver, but it should be stored in the browser of the user.

You have to use an include statement to load and run the code from a different PHP script. It should be something like include 'auth.php'; but that would be "too much" to execute. You only need the part where you generate and send the cookies. Depending on how your code work and how you want to structure your system, you can extract the "generate and send login cookie" part to a separate PHP script or a new function. So you would write something like include 'sendauthcookie.php'; or sendLoginCookies($login_mail); to generate the login cookies and send them to the user's browser. This code can be called from your "auth.php" file as well as from your "registration.php" file.

Progman
  • 16,827
  • 6
  • 33
  • 48
1

Best solution store user details in session with Encrypt.

and use it!!

Edit changes

registration.php

// set post fields
$_SESSION['en_user'] = encrypt($login);
$_SESSION['en_pass'] = encrypt($pwd);
header("Location: auth.php");
//end

encrypt.php

function encrypt($payload) {
  $key ='whatxxxxwhatever';
  $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
  $encrypted = openssl_encrypt($payload, 'aes-256-cbc', $key, 0, $iv);
  $var = base64_encode($encrypted . '::' . $iv);
  $var = strtr($var, '+/=', '-_,');
  return $var;
}

function decrypt($garble) {
    $garble = strtr($garble, '-_,', '+/=');
    $key ='whatxxxxwhatever';
    list($encrypted_data, $iv) = explode('::', base64_decode($garble), 2);
    return openssl_decrypt($encrypted_data, 'aes-256-cbc', $key, 0, $iv);
}

auth.php

//include encrypt.php
if(isset($_POST['login_mail']) && isset($_POST['pwd']))
{
    $log_mail = $_POST['login_mail'];
    $pwd      = $_POST['pwd'];
}elseif(isset($_SESSION['en_user']) && isset($_SESSION['en_pass']))
{
    $log_mail = decrypt($_SESSION['en_user']);
    $pwd      = decrypt($_SESSION['en_pass']);
}else{
    unset($_SESSION['en_user']); 
    unset($_SESSION['en_pass']); 
    exit;
}

USE session in "Database" for secure.

Try this

A. Sang
  • 381
  • 4
  • 11