
Community

I have to program a small challenge. For that I need a login system, but it does not function. I hope you can help me with this information.

First I will show you my login page (login.php):

<?php
$host = "localhost";
$user = "root";
$passw = "";
$dbase = "la4s";
$db = mysqli_connect($host, $user, $passw, $dbase);

if(isset($_POST['submit'])) {
    $username = $_POST['loginname'];
    $password = $_POST['pass'];
    $getPassword = mysqli_query($db, "SELECT pw FROM login WHERE username = '".$username."';");

    if(mysqli_num_rows($getPassword) == 1) {
        while($array = mysqli_fetch_array($getPassword)) {
            $passwordFromDB = $array['pw'];
        }

        $saltPassword = explode("!", $passwordFromDB);
        $passwordPeppered = "sd45SFSDF".$password."82hb+22f2!f";
        $passwordSaltedAndPeppered = $saltPassword[0].$passwordPeppered;
        $passwordMultihash = md5(md5(md5(sha1(sha1(md5(sha1(md5(md5(sha1(sha1(sha1(md5($passwordSaltedAndPeppered)))))))))))));
        $passwordFinal = $saltPassword[0].'!'.$passwordMultihash;
        $check = mysqli_query($db, "SELECT * FROM login WHERE username = '".$username."' and pw ='".$passwordFinal."';");

        if(mysqli_num_rows($check) == 1) {
            $getType = mysqli_query($db, "SELECT type FROM login WHERE username = '".$username."';");
            $type = mysqli_fetch_assoc($getType);

            if($type['type'] == "admin") {
                session_start();
                $_SESSION['admin'] = 1;
                header("Location:userconfiguration.php");
            }
            elseif($type['type'] == "student") {
                session_start();
                $_SESSION['student'] = 1;
                header("Location:home.php");
            }
            elseif($type['type'] == "teacher") {
                session_start();
                $_SESSION['teacher'] = 1;
                header("Location:teacher.php");
            }
            else {
                echo '<b style="color: red">Invalid Username/Password!</b>';
            }
        }
        else {
            echo '<b style="color: red">Invalid Username/Password!</b>';
        }
    }
    else {
        echo '<b style="color: red">Invalid Username/Password!</b>';
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<title>LA4S - Learning Application For Schools</title>
<link href="./Style/style.css" type="text/css" rel="stylesheet">
</head>
<body>
<div id="div_login">
    <img src="./Pictures/logo.png" id="logo" /><br />
    <table style="margin:auto;">
        <form action="login.php" method="post">
            <tr>
                <td class="first_row">
                    Username
                </td>
                <td>
                    <input type="text" name="loginname" />
                </td>
            </tr>
            <tr>
                <td class="first_row">
                    Password
                </td>
                <td>
                    <input type="password" name="pass" />
                </td>
            </tr>
            <tr>
                <td colspan="2" id="button_login">
                    <input type="submit" name="submit" value="Login" />
                </td>
            </tr>
    </form>
</table>
</div>
</body>
</html>

There is no problem with the password check. That functions right.

On the secure page everything is right, except the logout function with the session. If I log out on the following page and after that enter the page in the browser, I still get this page, although I need to log in to see it. I don't know why. I learned it this way and it always worked, but this time it does not...

Now the secure page (userconfiguration.php):

<?php
session_start();

if(isset($_GET['logout']) && $_GET['logout'] == 1){
    unset($_SESSION['admin']);
}

if(isset($_SESSION['admin'])) {
    if($_SESSION['admin'] == 1) {
?>
<!DOCTYPE html>
<html>
<head>
<title>LA4S - Administrator</title>
<link href="./Style/style.css" type="text/css" rel="stylesheet">
</head>
<body>
<script type="text/javascript"> 
function changeadd() {
    document.getElementById("clearuser").style.visibility = "hidden";
    document.getElementById("adduser").style.visibility = "visible";
}

function changeclear() {
    document.getElementById("adduser").style.visibility = "hidden";
    document.getElementById("clearuser").style.visibility = "visible";
}

function error() {
    alert("Username cannot be empty!");
}

function error2() {
    alert("Password cannot be empty!");
}

function error3() {
    alert("This username already exists!");
}

function created() {
    alert("User created!");
}

function del() {
    alert("User deleted!");
}
</script>
<div>
    <img src="./Pictures/logo_small.png" width="100" id="logo" />&nbsp;&nbsp;&nbsp;<span class="title">Administrator</span>
</div>
<br />
<div class="menu">
    <a onclick="changeadd()">Add User</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <a onclick="changeclear()">Delete User</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <a style="text-decoration: none; color: black" href="login.php?logout=1">Logout</a>
</div>
<br />
<div id="adduser">
    <table>
        <form action="userconfiguration.php" method="post">
            <tr>
                <td>
                    Username&nbsp;
                </td>
                <td>
                    <input type="text" name="loginname" />
                </td>
            </tr>
            <tr>
                <td>
                    Password&nbsp;
                </td>
                <td>
                    <input type="password" name="pass" />
                </td>
            </tr>
            <tr>
                <td>
                    Type&nbsp;
                </td>
                <td>
                    <select name="type" size="1" id="type_select">
                        <option value="schueler" selected="selected">Sch&uuml;ler</option>
                        <option value="lehrer">Lehrer</option>
                        <option value="admin">Admin</option>
                    </select>
                </td>
            </tr>
            <tr>
                <td colspan="2" id="button_login">
                    <input type="submit" name="submit" value="Add" />
                </td>
            </tr>
        </form>
    </table>
</div>
<?php
if(isset($_POST['submit'])) {
    $host = "localhost";
    $user = "root";
    $passw = "";
    $dbase = "la4s";

    $db = mysqli_connect($host, $user, $passw, $dbase);

    if(mysqli_connect_errno()) {
        echo mysqli_connect_errno();
        die("Error"); 
    }

    if($_POST['loginname'] == null) {
        echo "<script type=\"text/javascript\">error();</script>";
    }
    elseif($_POST['pass'] == null) {
        echo "<script type=\"text/javascript\">error2();</script>";
    }   
    else {

        $username = mysqli_real_escape_string($db,htmlentities($_POST['loginname']));

        $pw = mysqli_real_escape_string($db,htmlentities($_POST['pass']));
        $passwordPeppered = "sd45SFSDF".$pw."82hb+22f2!f";
        $s=str_shuffle("$?!-,.0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
        $salt = substr($s, mt_rand(0, 50), 10); 
        $passwordSaltedAndPeppered = $salt.$passwordPeppered;
        $passwordMultihash = md5(md5(md5(sha1(sha1(md5(sha1(md5(md5(sha1(sha1(sha1(md5($passwordSaltedAndPeppered)))))))))))));
        $passwordFinal = $salt.'!'.$passwordMultihash;

        $type = $_POST['type'];

        $checkUsers = mysqli_query($db, "SELECT username FROM login WHERE username = '".$username."';");
        if(mysqli_num_rows($checkUsers) == 0) {
            mysqli_query($db,"INSERT INTO login (username, pw, type) VALUES ('".$username."', '".$passwordFinal."', '".$type."');");
            mysqli_insert_id($db);
            echo "<script type=\"text/javascript\">created();</script>";
        } 
        else {
            echo "<script type=\"text/javascript\">error3();</script>";
        }
    }
    mysqli_close($db);
}
?>
<div id="clearuser" style="visibility: hidden">
        <?php
            $host = "localhost";
            $user = "root";
            $pass = "";
            $dbase = "la4s";

            $db = mysqli_connect($host, $user, $pass, $dbase);

            if (mysqli_connect_errno())
            {
                echo mysqli_connect_errno();
                die ("Error");
            }

            if(isset($_GET['d'])) {
                mysqli_query($db, "DELETE FROM login WHERE id=".$_GET['d'].";");
                echo "<script type=\"text/javascript\">del();</script>";
            }

            $getUsers = mysqli_query($db, "SELECT * FROM login");

            echo "<table><tr><td><b>Username</b></td><td><b>L&ouml;schen</b></td></tr>";

            while($ResultArray = mysqli_fetch_array($getUsers)) {
                echo "<tr><td>";
                echo $ResultArray['username'];
                echo "</td><td>";
                echo '<a style="color: red" href="userconfiguration.php?d='.$ResultArray["id"].'">X</a>';
                echo "</td></tr>";
            }

            echo "</table>";

            mysqli_close($db);
        ?>
    </div>
<?php
    }
    else {
        echo "Not allowed!";
    }
}
else {
    echo "Not allowed!";
}
?>
</body>
</html>

I hope you can help me. I have looked the whole day for a solution to this problem but I didn't find one. If you need more information, contact me. Thanks

Greez Tomi

  • 1
    All that "secure" password stuff won't matter much because **by building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. You can also see http://bobby-tables.com/php for alternatives and explanation of the danger. – Andy Lester Apr 21 '14 at 20:20
  • I've posted a solution to your problem asked below but agree with @AndyLester here. Also you should never write PHP to retrieve the password from the DB this is insecure. – ptimson Apr 21 '14 at 20:37
  • I know about the SQL injection attacks. I will fix it at the end. But thank you for your comment and the hint. :) – AlbertoGiorgino Apr 21 '14 at 21:37

1 Answer


Explanation:

If you var_dump your session after you logged out you will see that you are still 'logged in':

var_dump($_SESSION);
array (size=1)
  'admin' => int 1

So we can see the Logout is working incorrectly as it is not clearing the $_SESSION.

If you look at your logout action you are calling the login page:

<a style="text-decoration: none; color: black" href="login.php?logout=1">Logout</a>

So you need to make sure the $_SESSION login is unset in the login.php. Currently it is only done in the userconfiguration.php:

if(isset($_GET['logout']) && $_GET['logout'] == 1){
    unset($_SESSION['admin']);
}

Solution:

Add the following to the top of your login.php:

session_start();

if(isset($_GET['logout']) && $_GET['logout'] == 1){
    unset($_SESSION['admin']);
}
ptimson
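For completeness, an added example (not the asker's or the answerer's code) of a login.php that applies the fix above and goes a step further: the logout handler wipes the whole session and its cookie instead of unsetting one key, the session id is regenerated after a successful login, and, following the comments, the lookup uses a prepared statement with password_verify(). It assumes PHP 7+ with mysqlnd, the page's login table (username, pw, type), and that the pw column now holds password_hash() output written by the add-user form.

```php
<?php
// Added example, not the asker's code. Assumes the "login" table from the
// page and that pw stores password_hash() output (hypothetical change to the
// add-user form: $passwordFinal = password_hash($pw, PASSWORD_DEFAULT)).
session_start();

$db = new mysqli("localhost", "root", "", "la4s");
if ($db->connect_errno) {
    die("Database connection failed");
}

// Logout: clear server-side state, expire the cookie, then destroy the
// session, so the old session id cannot be reused afterwards.
if (isset($_GET['logout']) && $_GET['logout'] == 1) {
    $_SESSION = [];
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
}

$error = false;
if (isset($_POST['submit'])) {
    $username = $_POST['loginname'] ?? '';
    $password = $_POST['pass'] ?? '';

    // Prepared statement: user input is bound, never spliced into the SQL text.
    $stmt = $db->prepare("SELECT pw, type FROM login WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Same generic error whether the user is unknown or the password is wrong.
    if ($row && password_verify($password, $row['pw'])) {
        session_regenerate_id(true);      // fresh id after login (anti-fixation)
        $_SESSION['role'] = $row['type']; // one role key instead of three flags
        $targets = ['admin' => 'userconfiguration.php',
                    'student' => 'home.php', 'teacher' => 'teacher.php'];
        header("Location: " . ($targets[$row['type']] ?? 'login.php'));
        exit; // stop here; otherwise the login form below is still rendered
    }
    $error = true;
}
if ($error) {
    echo '<b style="color: red">Invalid Username/Password!</b>';
}
?>
```

The protected page then only needs `if (($_SESSION['role'] ?? '') !== 'admin') { exit('Not allowed!'); }` at the top, and its Logout link can keep pointing at login.php?logout=1.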