Authentication using cookies and MD5 password

Hi,

After a long time not playing with it I have picked up my website project and been fiddling with it to try and get it to work the way I want.

I am now trying to make an automatic login, using the existing script which was session and user based, by using cookies. For this project the security issue presented by using cookies isn’t important.

So…

<?php
// access.php
session_start(); ?>

<?php
if (!dbcnx)
{
include_once 'dbcnx.php';
}
else
{
include_once './security/dbcnx.php';
}
// Logged in function

function loggedIn()
{
  return isset($_SESSION['authorized']);
}

//Process login attempt

if (isset($_COOKIE['ablueman'])){

if($_COOKIE ['ablueman'] != ""){

$usrpass = $_COOKIE['ablueman'];
$usrpass = explode(",", $usrpass);

$cusername = $usrpass[0];
$cupassword = $usrpass[1];

	}
}

if (isset($_POST['username']) ||  isset($cusername)	) {
$username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'] ;
$upassword = isset($_POST['upassword']) ? $_POST['upassword'] : $_SESSION['upassword'] ;


	// SELECT statement  -----------FIRST ATTEMPT ------- No PASSWORD or MD5
	$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$upassword'";
	
	$result = mysql_query($sql);
	while ($results = mysql_fetch_array($result))
	{
  	$uid		= $results['uid'];
	$username	= $results['username'];
	$ulevel		= $results['ulevel'];
	}

	// SELECT statement ------------SECOND ATTEMPT ------- PASSWORD and MD5	
	if (mysql_num_rows($result) == 0) {

  	$upassword = md5 ($upassword);
  	$sql = "SELECT * FROM users WHERE username = '$username' AND upassword = PASSWORD('$upassword')";
  	
	$result = mysql_query ($sql);
	while ($results = mysql_fetch_array($result))
	{
  	$uid		= $results['uid'];
	$username	= $results['username'];
	$ulevel		= $results['ulevel'];
	}

	// SELECT statement ------------SECOND ATTEMPT ------- PASSWORD and MD5	- COOKIE
	if (mysql_num_rows($result) == 0) {
  	$username = $cusername;
  	$upassword = md5 ($cupassword);
  	$sql = "SELECT * FROM users WHERE username = '$username' AND upassword = PASSWORD('$upassword')";
  	
	$result = mysql_query ($sql);
	while ($results = mysql_fetch_array($result))
	{
  	$uid		= $results['uid'];
	$username	= $results['username'];
	$ulevel		= $results['ulevel'];
	}
echo $username;
echo MD5($upassword);

}
	
}
		
	if (mysql_num_rows($result) == 0)
		{
		unset($_SESSION['username']);
		unset($_SESSION['upassword']);
		echo "What we are dealing with here is a failure to communicate.(Unset Usr/Pass)";
		}

// Session variables to add once logged in.
	if (mysql_num_rows($result) != 0 )
		{
		$_SESSION['authorized'] = TRUE;
		$_SESSION['uid'] 		= $uid;
		$_SESSION['username'] 	= $username;
		$_SESSION['ulevel']		= $ulevel;	
		$cookie = array($_SESSION['username'], md5($upassword), 'MD5');
		$usrpass = implode(",", $cookie);

	//echo $comma_separated; // username, password, md5

	// Empty string when using an empty array:
	//var_dump(implode('Hello', array())); // string(0) ""

	 setcookie("ablueman", $usrpass , time() + 31536000);	

		}
	}

// Process logout
if (isset($_REQUEST['logout']))
	{
  	unset($_SESSION['authorized']);
	unset($_SESSION['uid']);
	unset($_SESSION['username']);
	unset($_SESSION['ulevel']);
	}
?>

The problem I am getting is that the cookie is correctly storing the details, so I get the correct username and md5(password) echoing. But it doesn’t find it in the SQL database. I presume I’m either presenting the md5 password wrong or requesting it incorrectly. Can someone give me a pointer? This was an authentication script from Kevin Yank’s book many, many moons ago.

Thanks in advance.

Andy

Try

md5($upassword)

instead of:

PASSWORD('$upassword')

I actually did try this but I may have a second go tonight to make sure it was not something else that was broken at the time which has since been fixed.

No matter what I try it seems to get mysql_num_rows($result) == 0;

Thanks for the assistance though.

EDIT: Yes I did try this and it did not fix the issue.

If I am echoing the md5(password) from the cookie and echoing the md5(password) from the sql attempt, I’m right in saying they will look different, is that correct?

Hmm, maybe try this…

$sql = "SELECT * FROM users WHERE (username = '".$username."') AND (upassword = '".md5($upassword)."')";

If that doesn’t work, try copying and pasting one of your passwords in to pinpoint where the actual problem could be, e.g.

$sql = "SELECT * FROM users WHERE (username = '".$username."') AND (upassword = '42348SDJKFNSFDKSDF32')";

Have you tried running the query with your database client, such as phpMyAdmin or Workbench or whatever you use? Just try to run the query and make sure you are getting what you want. Also, you might want to escape those variables, as if they are quoted already your query will end up with double quotes, which will cause the query to fail. Also, you should var_dump your query to make sure you’re getting a resource or a boolean.

Had a little play with this last night. Managed to get it working by using exactly the same code but stripping out all MD5 pretty much. Looks like I had a mismatch caused by somehow double md5’ing a value somewhere. Now I just need to work out how to re-md5 without breaking it.

Thanks for your help and sorry that it turns out it was so obvious. I appreciate you pointing out things to look for though, ultimately it did lead me to stripping the code down to bare bones and finding the problem.
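
The double-MD5 mismatch described in the last post, traced without a database as an added example (not code from the thread): the form path hashes once before the query and once more when building the cookie, and the cookie path then hashes a third time before comparing. The function names, the sample user and password, and the assumption that `users.upassword` holds `PASSWORD(MD5(plaintext))` are illustrative.

```php
<?php
// Added example: models the hashing steps of access.php without a database.
// Assumption: users.upassword was stored as PASSWORD(MD5(plaintext)), which is
// what the script's second attempt compares against.

// Emulates MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex SHA1(SHA1(str)).
function mysqlPassword(string $s): string
{
    return '*' . strtoupper(sha1(sha1($s, true)));
}

// Form login (second attempt): returns [matched, cookie value the script sets].
function formLogin(string $user, string $plain, string $stored): array
{
    $upassword = md5($plain);                                   // layer 1, sent to PASSWORD()
    $matched   = hash_equals($stored, mysqlPassword($upassword));
    $cookie    = implode(',', [$user, md5($upassword), 'MD5']); // layer 2 goes into the cookie
    return [$matched, $cookie];
}

// Cookie login (third attempt): explode the cookie, md5() again, then compare.
function cookieLogin(string $cookie, string $stored): bool
{
    [, $cupassword] = explode(',', $cookie);
    $upassword = md5($cupassword);                              // layer 3, sent to PASSWORD()
    return hash_equals($stored, mysqlPassword($upassword));
}

// Counts the md5() layers a cookie value carries on top of md5(plaintext).
function extraLayers(string $cupassword, string $plain, int $max = 5): ?int
{
    $h = md5($plain);
    for ($n = 0; $n <= $max; $n++) {
        if (hash_equals($h, $cupassword)) {
            return $n;
        }
        $h = md5($h);
    }
    return null;
}

$plain  = 'correct horse';            // constructed sample password
$stored = mysqlPassword(md5($plain)); // constructed users.upassword value

[$ok, $cookie] = formLogin('andy', $plain, $stored);
var_dump($ok);                                           // form path result
var_dump(cookieLogin($cookie, $stored));                 // cookie path result
var_dump(extraLayers(explode(',', $cookie)[1], $plain)); // layers found in the cookie
```

A cookie value that the server accepts in place of the password is a password equivalent however many times it is hashed; a random token stored and looked up server-side removes both the layering question and that exposure.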