Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php:1) in /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php on line 6
Warning: Cannot modify header information - headers already sent by (output started at /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php:1) in /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php on line 69
Warning: Cannot modify header information - headers already sent by (output started at /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php:1) in /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php on line 142
Could anyone tell me what is wrong and post the modifications in this topic and then hopefully update what is under tutorials.
Last edited by rtc4lyfee on Wed Jun 27, 2007 10:00 pm, edited 1 time in total.
Make sure there's no whitespace (or anything else) being output before session_start() is called... this includes blank lines in front of the opening php tag
<?php
session_start();
/*
    Connect to database, and some table (say mytestdatabase)
    Edit for your own credentials...
*/
$conn = mysql_connect('localhost', 'fhhsband_auth', 'auth') or die('Could not connect to database');
mysql_select_db('fhhsband_auth', $conn) or die ('Can\'t use mytestdatabase : ' . mysql_error());
/*
    Filtering all incoming user data is essential. I'm not going to do so in-depth but bear this in mind for any
    real life - live implementation!
*/
/*
    We expect the username and Response to be alphabetic and numeral characters only (for this example at least)
    For users without javascript we will assume their password should be alphanumeric
    Do not take the following validation of input as gospel - 'tis basic only maties...
*/
if(isset($_POST['response']) && !empty($_POST['response']) && (!ctype_alnum($_POST['username']) || !ctype_alnum($_POST['response'])))
{
    // we may log bad data, or make the user walk the plank for their trouble!
    die('Bad Input: Response or username are not alphanumeric!');
}
// Note: this check reads $_POST['password'], while the non-js fallback further down reads $_POST['userpass'].
// Whichever name the login form uses, both places must agree or this validation never runs.
if(isset($_POST['password']) && !empty($_POST['password']) && (!ctype_alnum($_POST['username']) || !ctype_alnum($_POST['password'])))
{
    // log or keel-haul the swabbies!
    die('Bad Input: Password or username are not alphanumeric!');
}
/*
    Get our server stored Challenge from the database
    Rem: ensure we only select Challenges which have not timed out!
    The session id comes from the client's cookie, so it is escaped like any other input
*/
$result = mysql_query("select challenge from challenge_record where sess_id = '" . mysql_real_escape_string(session_id(), $conn) . "' and timestamp > " . time()) or die("Invalid query: " . mysql_error());
/*
    Check we got a matching result
    If this is not so, it's most likely the Challenge has timed out - user waited too long to submit form
*/
if(mysql_num_rows($result) == 0)
{
    header('Location: timedout.php'); //simple file with a die() statement - see the download pack
    exit; // a Location header alone does not stop the script
}
/*
    Fetch the array containing the Challenge
*/
$c_array = mysql_fetch_assoc($result);
/*
    Execute a query to select User data based on the submitted username
    The username is escaped before it goes into the query; the alphanumeric checks above
    only run when a response or password was submitted, so they cannot be relied on here
*/
$result = mysql_query("select userid, username, password from user_accounts where username = '" . mysql_real_escape_string($_POST['username'], $conn) . "'") or die("Invalid query: " . mysql_error());
/*
    Ensure we got a result
    No result would indicate the User does not exist and must register an account
    (code for registering is not included in this tutorial)
*/
if(mysql_num_rows($result) == 0)
{
    header('Location: usernotexist.php'); // see download pack for file
    exit;
}
/*
    Fetch the User data into an associative array
*/
$user = mysql_fetch_assoc($result);
/*
    We're back to worship at the Altar of Feyd
    Include feyd's PHP sha256 implementation
*/
require_once('sha256.inc.php');
/*
    Our database already stores a SHA256 hashed copy of the user's password
    Storing plain text passwords on the database is bad - it may earn you a plank walk
    Generate what we expect to be the Client's response using the same Challenge we initially sent them
    - lowerstring username
    - hashed password
    - the unique time-limited once-off Challenge hash
*/
$response_string = strtolower($user['username']).':'.$user['password'].':'.$c_array['challenge'];
$expected_response = SHA256::hash($response_string);
/*
    Compare the actual client Response hash against our expected Response hash
    1. If they match, we will authenticate the user
    2. If they don't, we will check if a plain text password exists (might be a client with javascript disabled), hash it, and compare to the database stored password hash
    3. All other cases - we fail the authentication test, and boot the user (maybe direct to "Try Again" page)
    The comparisons use === so that PHP never compares two hash strings as numbers
*/
if(isset($_POST['response']) && $_POST['response'] === $expected_response)
{
    $_SESSION['authenticated'] = 1;
    $_SESSION['userid'] = $user['userid'];
    header('Location: hello.php');
    exit;
}
elseif(isset($_POST['userpass']) && !empty($_POST['userpass']))
{
    /*
        Response from client did not match expected Response
        See if a plain text password exists (sent if the client has javascript disabled)
    */
    if(SHA256::hash($_POST['userpass']) === $user['password'])
    {
        /*
            Submitted plain text password from non-js client, when hashed, agrees to database stored password hash
            We authenticate the User
        */
        $_SESSION['authenticated'] = 1;
        $_SESSION['userid'] = $user['userid'];
        header('Location: hello.php');
        exit;
    }
    else
    {
        /*
            At this point:
            - the non-js client's plain text password - when hashed - does not match the database stored password hash
            This login attempt has failed - we should direct user to try again.
        */
        $_SESSION['authenticated'] = 0;
        header('Location: badlogin.php?err=pass');
        exit;
    }
}
else
{
    /*
        At this point:
        - The client Response does not agree with the server generated Expected Response
        This login attempt has failed - we should direct user to try again.
    */
    $_SESSION['authenticated'] = 0;
    header('Location: badlogin.php?err=response');
    exit;
}
//EOF
?>
Copy everything after your <?php tag, open up notepad (or a compiler if you've got one), paste it all, add the <?php tag to the beginning, and overwrite the old file. That should get rid of hidden characters.
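For the response check in the login.php posted above, here is an added example (not part of the thread or the tutorial's code) of the same response construction with a constant-time comparison and a challenge that is consumed on first use, so a captured response cannot be replayed inside the timeout window. The function names, the in-memory `$challenges` array standing in for the challenge_record table, and the sample user are assumptions; PHP's built-in `hash()` and `hash_equals()` (PHP 5.6+) are used in place of sha256.inc.php.

```php
<?php
// Added example: challenge-response verification with replay protection.
// $challenges is a constructed in-memory stand-in for the challenge_record table.

function expected_response(string $username, string $passwordHash, string $challenge): string
{
    // Same construction as login.php: lower(username):stored hash:challenge
    return hash('sha256', strtolower($username) . ':' . $passwordHash . ':' . $challenge);
}

function verify_response(array &$challenges, string $sessId, array $user, $response, int $now): bool
{
    if (!isset($challenges[$sessId])) {
        return false;                    // no challenge issued, or it was already used
    }
    $record = $challenges[$sessId];
    unset($challenges[$sessId]);         // once-off: consume the challenge before checking it

    // Mirror the "timestamp > time()" rule and reject non-string input (e.g. response[]=x)
    if ($record['expires'] <= $now || !is_string($response)) {
        return false;
    }
    $expected = expected_response($user['username'], $user['password'], $record['challenge']);
    return hash_equals($expected, $response);   // comparison time does not depend on the match position
}

// Constructed sample data
$now        = 1182981600;
$user       = ['userid' => 1, 'username' => 'Alice', 'password' => hash('sha256', 'correcthorse')];
$challenges = ['sess-abc' => ['challenge' => hash('sha256', 'nonce-1'), 'expires' => $now + 300]];

// What the client-side script would submit for this challenge
$clientResponse = expected_response('alice', $user['password'], $challenges['sess-abc']['challenge']);

var_dump(verify_response($challenges, 'sess-abc', $user, $clientResponse, $now)); // first submission
var_dump(verify_response($challenges, 'sess-abc', $user, $clientResponse, $now)); // same response replayed
```

In a database-backed version the `unset()` corresponds to deleting the challenge row for the session before the comparison is made.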