NomadicJosh Posted April 17, 2012

I've just implemented PHPass into an application that I am working on, and I am seeing a strange inconsistency. The issue is, the application is installed on one site, and it works perfectly. But the same application works on another site, and neither the login nor the registration works. Does anyone know what might be the issue that registration and login works on one site but not the other with PHPass? Thanks.

QuickOldCar Posted April 17, 2012

Make a phpinfo page on each site and compare to see what is different.

```php
<?php phpinfo();?>
```

NomadicJosh (Author) Posted April 17, 2012

> Make a phpinfo page on each site and compare to see what is different.
> <?php phpinfo();?>

Thanks for responding, they are on the same server and use the same PHP.ini, so there shouldn't be that big of a difference between the two. I don't see anything that stands out under PHP Variables.

PFMaBiSmAd Posted April 17, 2012

You are going to need to troubleshoot exactly at what point the code and data are doing what you expect and at what point they are not in order to pin down what is causing the problem.

In any case, we cannot help you without seeing the code needed to reproduce the problem (less any database credentials) and a description or picture of the error or symptom you are getting that makes you believe that the code does not work.

NomadicJosh (Author) Posted April 17, 2012

> You are going to need to troubleshoot exactly at what point the code and data are doing what you expect and at what point they are not in order to pin down what is causing the problem.
>
> In any case, we cannot help you without seeing the code needed to reproduce the problem (less any database credentials) and a description or picture of the error or symptom you are getting that makes you believe that the code does not work.

I just wanted to start off with a question to see if this was something that has come up before posting long lines of code. Below is the function that is called when the login form is submitted. The registration form is a little more involved, so I will spare posting it, but I am 100% sure that the registration process works. Thanks again for helping to troubleshoot with me.

```php
function pm_login($username, $password, $remember = NULL) {
    $hasher = new PasswordHash(8, FALSE);
    $user = strtolower(pmdb::connect()->escape($username));
    $pass = pmdb::connect()->escape($password);
    $results = pmdb::connect()->get_row( "SELECT * FROM ". DB ."members WHERE username = '$user'" );

    // Use to set cookie session for domain.
    $cookiedomain = $_SERVER['SERVER_NAME'];
    $cookiedomain = str_replace('www.', '', $cookiedomain);

    if(isset($_POST['login'])) {
        if($hasher->CheckPassword($pass, $results->password)) {
            do_action( 'pm_login_form_script' );
            $_SESSION['logged'] = 1; // Sets the session.
            $_SESSION['username'] = $results->username; // Sets the username session.
            $_SESSION['userID'] = $results->user_id;
            $_SESSION['remember_me'] = $_POST['remember_me'];

            // Sets a remember me cookie if remember me is checked.
            if(isset($remember)){
                setcookie("pm_cookname", $user, time()+60*60*24*120, "/", $cookiedomain);
                setcookie("pm_cookpass", md5($pass), time()+60*60*24*120, "/", $cookiedomain);
            }
            pm_redirect(PM_URI . "/index.php");
        } else {
            setcookie("pm_cookname", $user, time()+3600*24);
            setcookie("pm_cookpass", md5($pass), time()+3600*24);
        }
        pm_redirect(PM_URI . "/index.php");
    }
    return apply_filter( 'login', $username, $password, $remember );
}
```

Psycho Posted April 17, 2012

When you state that the login works on one site but not another, can you provide some more information? Are the two sites sharing the same database? I'm not talking about the same database server, but the exact same tables? Or did you, by chance, copy the database from one site into the other?

NomadicJosh (Author) Posted April 17, 2012

No, there was nothing copied over. One is a development instance where all fixes, changes, and updates occur. It is not a new install, but it is where updates will be pulled from when updates are pushed to the server and everything works well on the development instance. The second site is where I did a new installation by running the installer which created new tables in a new database and new admin account.

NomadicJosh (Author) Posted April 17, 2012

Ok, now I have a new issue that is probably related to my previous issue. On the site where the login is somewhat working, if I go to login as a different user, when I visit a different page, I then become a different user. Is there anything in my code above that needs to change to correct this issue? Thanks.

xyph Posted April 17, 2012

```php
pmdb::connect()->escape($username)
```

Does pmdb::connect() return a new instance of a database class? Or is it a singleton, that returns the same instance?

Why not follow the article they provide? http://www.openwall.com/articles/PHP-Users-Passwords

It covers a LOT, including securing your script beyond simply using PHPass.

batwimp Posted April 17, 2012

Stupid question, but are you sure both your installations are the same version?

NomadicJosh (Author) Posted April 17, 2012

> pmdb::connect()->escape($username)
>
> Does pmdb::connect() return a new instance of a database class? Or is it a singleton, that returns the same instance?
>
> Why not follow the article they provide? http://www.openwall.com/articles/PHP-Users-Passwords
>
> It covers a LOT, including securing your script beyond simply using PHPass.

It is a singleton. I've read through it over and over, but I don't see anything about inconsistency and becoming a different user after login.

NomadicJosh (Author) Posted April 17, 2012

> Stupid question, but are you sure both your installations are the same version?

Yes, they are the same versions. The code was copied from development into another site including the installer.

PFMaBiSmAd Posted April 17, 2012

I'm not exactly sure what you mean in reply #7, but if it seems like you have more than one set of session values and navigating between different pages, perhaps some with and some without the www. on the URL or with different paths, switches back and forth between logged in users, check what a phpinfo statement shows for the session.cookie_path and session.cookie_domain settings on both systems.

xyph Posted April 17, 2012

Well, you've set it up way differently than they suggest. We can't really help much though. Most of your script's workload is through functions we have no access to.

I can post you a working implementation of PHPass that I use. This is rough, and quite a bit of database structure is hard-coded into the login class. It's all attached.

- example.php - The file to run. It's a VERY ROUGH implementation of the classes
- exception.php - The exception class. It's simply an extension of PHP's default Exception handler, I just use my own to make changing it later less of a hassle
- login.php - The login class. Does the work specific to tracking a user
- login.phpass.php - The PHPass class
- sql.php - The SQL class. A raw extension of the MySQLi class. Used to make changing later easier.
- token.php - Abstract token class. I use this when building any class that needs state in some form. Requires mcrypt, and if running on Windows, requires PHP5.3 or later

Your issues seem to stem from how you're handling/destroying sessions. PFMaBiSmAd's advice will help you find out if those are cookie issues.

Attachment: 18095_.zip

NomadicJosh (Author) Posted April 17, 2012

@xyph, thank you for this. I will check it out and see where I am failing. If I had to guess, I think my issue is with the way sessions are implemented.

NomadicJosh (Author) Posted April 18, 2012

Thanks everyone for your help. I found out what the problem was. It wasn't my code, it was my database. Since I was going from md5 to something more secure, the password field was set at varchar(60), so the characters were being truncated.
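
The failure mode reported in the last post, as an added example that is not part of the thread or of PHPass: a hash cut short by a too-narrow column never verifies, and a length check keyed on the hash prefix catches it before login is attempted. It uses PHP's built-in password_hash()/password_verify() in place of PHPass; hash_is_intact(), store_in_column() and the column widths are hypothetical names and constructed values.

```php
<?php
// Added example. Requires PHP >= 7.0. password_hash() with PASSWORD_BCRYPT
// produces the same 60-character bcrypt string format that
// PasswordHash(8, FALSE) produces when bcrypt is available.

// Full length of each hash format, keyed by its prefix.
const HASH_LENGTHS = [
    '$2a$' => 60, // bcrypt
    '$2y$' => 60, // bcrypt (PHP >= 5.3.7)
    '$P$'  => 34, // PHPass portable hash
];

// True only if the stored string has the full length its prefix implies.
function hash_is_intact(string $stored): bool
{
    foreach (HASH_LENGTHS as $prefix => $length) {
        if (strncmp($stored, $prefix, strlen($prefix)) === 0) {
            return strlen($stored) === $length;
        }
    }
    return false; // unknown format: do not trust it
}

// Simulates a non-strict MySQL INSERT into a VARCHAR($width) column, which
// stores the leading $width characters and only raises a warning.
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

$password = 'correct horse battery staple'; // constructed sample
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);

foreach ([32, 40, 60, 255] as $width) { // constructed column widths
    $stored = store_in_column($hash, $width);
    printf(
        "width %3d: stored %2d chars, intact=%s, verify=%s\n",
        $width,
        strlen($stored),
        hash_is_intact($stored) ? 'yes' : 'no',
        password_verify($password, $stored) ? 'ok' : 'FAIL'
    );
}
```

Running the length check right after registration writes the row (read the value back and compare) turns a silent truncation into an immediate error instead of a login that can never succeed.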