[RESOLVED]Challenge/Response system out of date?

rtc4lyfee
Forum Newbie
Posts: 8
Joined: Wed Jun 27, 2007 5:53 pm


Post by rtc4lyfee »

Maugrim_The_Reaper's system seems to be a bit too out of date to work on our current install of PHP. viewtopic.php?t=38810

I downloaded this right off of that topic, added my DB login info and tried to login. You can try for yourself here: http://www.fhhsbandhome.com/authalpha/c ... ponsecode/

It doesn't log in :( The username is devnetwork and the password is password

I get 4 errors

Code:

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php:1) in /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php on line 6

Warning: Cannot modify header information - headers already sent by (output started at /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php:1) in /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php on line 69

Warning: Cannot modify header information - headers already sent by (output started at /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php:1) in /home/fhhsband/public_html/authalpha/challengeresponsecode/login.php on line 142
Could anyone tell me what is wrong and post the modifications in this topic and then hopefully update what is under tutorials. :D
Last edited by rtc4lyfee on Wed Jun 27, 2007 10:00 pm, edited 1 time in total.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Make sure there's no whitespace (or anything else) being output before session_start() is called... this includes blank lines in front of the opening PHP tag.
rtc4lyfee
Forum Newbie
Posts: 8
Joined: Wed Jun 27, 2007 5:53 pm

Post by rtc4lyfee »

Code:

<?php
session_start();

/*
    Connect to database, and some table (say mytestdatabase)
    Edit for your own credentials...
*/
$conn = mysql_connect('localhost', 'fhhsband_auth', 'auth') or die('Could not connect to database');
mysql_select_db('fhhsband_auth', $conn) or die ('Can\'t use mytestdatabase : ' . mysql_error());

/*
    Filtering all incoming user data is essential. I'm not going to do so in-depth but bear this in mind for any
    real life - live implementation!
*/

/*
    We expect the username and Response to be alphabetic and numeral characters only (for this example at least)
    For users without javascript we will assume their password should be alphanumeric
    Do not take the following validation of input as gospel - 'tis basic only maties...
*/
if(isset($_POST['response']) && !empty($_POST['response']) && (!ctype_alnum($_POST['username']) || !ctype_alnum($_POST['response'])))
{
    // we may log bad data, or make the user walk the plank for their trouble!
    die('Bad Input: Response or username are not alphanumeric!');
}
// The non-js fallback field is read as $_POST['userpass'] further down, so that is the field to validate
// (the original checked $_POST['password'], which is never used)
if(isset($_POST['userpass']) && !empty($_POST['userpass']) && (!ctype_alnum($_POST['username']) || !ctype_alnum($_POST['userpass'])))
{
    // log or keel-haul the swabbies!
    die('Bad Input: Password or username are not alphanumeric!');
}

/*
    Get our server stored Challenge from the database
    Rem: ensure we only select Challenges which have not timed out!
*/
$result = mysql_query("select challenge from challenge_record where sess_id = '" . session_id() . "' and timestamp > " . time()) or die("Invalid query: " . mysql_error());

/*
    Check we got a matching result
    If this is not so, its most likely the Challenge has timed out - user waited too long to submit form
    Every redirect is followed by exit: without it PHP keeps running the rest of the script after sending the Location header
*/
if(mysql_num_rows($result) == 0)
{
    header('Location: timedout.php'); //simple file with a die() statement - see the download pack
    exit;
}

/*
    Fetch the array containing the Challenge
*/
$c_array = mysql_fetch_assoc($result);

/*
    Execute a query to select User data based on the submitted username
    The username is escaped for the query; the ctype_alnum check above only runs when a response or password was posted
*/
$username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username'], $conn) : '';
$result = mysql_query("select userid, username, password from user_accounts where username = '" . $username . "'") or die("Invalid query: " . mysql_error());

/*
    Ensure we got a result
    No result would indicate the User does not exist and must register an account
    (code for registering is not included in this tutorial)
*/
if(mysql_num_rows($result) == 0)
{
    header('Location: usernotexist.php'); // see download pack for file
    exit;
}

/*
    Fetch the User data into an associative array
*/
$user = mysql_fetch_assoc($result);

/*
    We're back to worship at the Altar of Feyd
    Include feyd's PHP sha256 implementation
*/
require_once('sha256.inc.php');

/*
    Our database already stores a SHA256 hashed copy of the user's password
    Storing plain text passwords on the database is bad - it may earn you a plank walk
    Generate what we expect to be the Client's response using the same Challenge we initially sent them

    - lowerstring username
    - hashed password
    - the unique time-limited once-off Challenge hash
*/
$response_string = strtolower($user['username']).':'.$user['password'].':'.$c_array['challenge'];
$expected_response = SHA256::hash($response_string);

/*
    Compare the actual client Response hash against our expected Response hash
    1. If they match, we will authenticate the user
    2. If they don't, we will check if a plain text password exists (might be a client with javascript disabled), hash it, and compare to the database stored password hash
    3. All other cases - we fail the authentication test, and boot the user (maybe direct to "Try Again" page)
    Hashes are compared with === so that two hex strings are compared as strings, not type-juggled as numbers
*/
if(isset($_POST['response']) && $_POST['response'] === $expected_response)
{
    $_SESSION['authenticated'] = 1;
    $_SESSION['userid'] = $user['userid'];
    header('Location: hello.php');
    exit;
}
elseif(isset($_POST['userpass']) && !empty($_POST['userpass']))
{
    /*
        Response from client did not match expected Response
        See if a plain text password exists (sent if the client has javascript disabled)
    */
    if(SHA256::hash($_POST['userpass']) === $user['password'])
    {
        /*
            Submitted plain text password from non-js client, when hashed, agrees to database stored password hash
            We authenticate the User
        */
        $_SESSION['authenticated'] = 1;
        $_SESSION['userid'] = $user['userid'];
        header('Location: hello.php');
        exit;
    }
    else
    {
        /*
        At this point:
            - the non-js client's plain text password - when hashed - does not match the database stored password hash
        This login attempt has failed - we should direct user to try again.
        */
        $_SESSION['authenticated'] = 0;
        header('Location: badlogin.php?err=pass');
        exit;
    }
}
else
{
    /*
        At this point:
            - The client Response does not agree with the server generated Expected Response
        This login attempt has failed - we should direct user to try again.
    */
    $_SESSION['authenticated'] = 0;
    header('Location: badlogin.php?err=response');
    exit;
}

//EOF

?>
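The protocol in the posted login.php, as an added Python example that is not the tutorial's or Maugrim_The_Reaper's code, with the client computation and the server-side check side by side. It assumes an in-memory dict in place of the challenge_record table and a 300-second challenge lifetime, and, going beyond the PHP, it consumes each challenge on first use so a captured response cannot be submitted a second time.

```python
# Added example (not the tutorial's code): the challenge/response login from the
# posted login.php, both the client computation and the server-side check.
# Assumptions: an in-memory dict stands in for the challenge_record table,
# challenges live for CHALLENGE_TTL seconds, and a challenge is consumed on first use.
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 300  # assumed lifetime; the PHP stores an absolute timestamp per session

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

def issue_challenge(store: dict, sess_id: str, now: float) -> str:
    """Server: create a random challenge bound to this session, with an expiry time."""
    challenge = secrets.token_hex(32)
    store[sess_id] = (challenge, now + CHALLENGE_TTL)
    return challenge

def client_response(username: str, password: str, challenge: str) -> str:
    """Client (the tutorial's JavaScript side): SHA256(lower(username):SHA256(password):challenge).
    The plaintext password never leaves the browser."""
    return sha256_hex(f"{username.lower()}:{sha256_hex(password)}:{challenge}")

def verify(store: dict, users: dict, sess_id: str, username: str, response: str, now: float) -> str:
    """Server: mirrors the PHP's branches. users maps username -> SHA256(password) as in user_accounts.
    Returns 'ok', 'timedout', 'nouser' or 'badresponse' (the PHP redirects to a page for each)."""
    entry = store.pop(sess_id, None)        # consume: a second submission with the same challenge fails
    if entry is None or entry[1] <= now:    # PHP: 'and timestamp > time()'
        return "timedout"
    challenge, _expiry = entry
    stored_hash = users.get(username)
    if stored_hash is None:
        return "nouser"
    expected = sha256_hex(f"{username.lower()}:{stored_hash}:{challenge}")
    # constant-time comparison instead of the PHP's ==, which also type-juggles numeric-looking hex strings
    return "ok" if hmac.compare_digest(expected, response) else "badresponse"

# constructed sample row matching the thread's test account
USERS = {"devnetwork": sha256_hex("password")}

if __name__ == "__main__":
    store, now = {}, 1000.0
    ch = issue_challenge(store, "sess-1", now)
    print(verify(store, USERS, "sess-1", "devnetwork", client_response("DevNetwork", "password", ch), now + 1))
```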
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Copy everything after your <?php tag, open up notepad (or a compiler if you've got one), paste it all, add the <?php tag to the beginning, and overwrite the old file. That should get rid of hidden characters.
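aaronhall's and superdezign's advice comes down to finding bytes that the file emits before the opening tag. This added Python check, not from the thread, reports what a saved login.php would output ahead of its first <?php (UTF-8 BOM, blank lines, spaces) and after its last ?>, the usual source of "output started at login.php:1"; it assumes the file is read as raw bytes from disk.

```python
# Added check, not from the thread: find anything a PHP file would send to the
# browser before session_start() can run, i.e. bytes ahead of the first '<?php'
# tag (UTF-8 BOM, blank lines, spaces) or stray output after the closing '?>'.

BOM = b"\xef\xbb\xbf"

def leading_output(src: bytes) -> bytes:
    """Bytes emitted before the first '<?php' tag; b'' when the file is clean."""
    idx = src.find(b"<?php")
    return src if idx == -1 else src[:idx]   # no tag at all: the whole file is output

def trailing_output(src: bytes) -> bytes:
    """Bytes emitted after the last '?>' tag. PHP swallows exactly one newline
    directly after '?>', so a single trailing newline is harmless."""
    idx = src.rfind(b"?>")
    if idx == -1:
        return b""
    rest = src[idx + 2:]
    if rest.startswith(b"\r\n"):
        return rest[2:]
    if rest.startswith(b"\n"):
        return rest[1:]
    return rest

def describe(found: bytes) -> str:
    """Human-readable name for what was found."""
    if found == b"":
        return "clean"
    if found.startswith(BOM):
        return "UTF-8 BOM" if found[3:].strip() == b"" and found == BOM else \
               ("UTF-8 BOM plus whitespace" if found[3:].strip() == b"" else "UTF-8 BOM plus text")
    if found.strip() == b"":
        return "whitespace (%d bytes)" % len(found)
    return "literal text (%d bytes)" % len(found)

def check_file(path: str) -> dict:
    """Read a PHP file from disk and report both ends."""
    with open(path, "rb") as fh:
        src = fh.read()
    return {"before_open_tag": describe(leading_output(src)),
            "after_close_tag": describe(trailing_output(src))}

# constructed sample: a login.php saved by an editor that prepends a BOM
SAMPLE = BOM + b"<?php\nsession_start();\n?>\n"
```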
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

I get

http://www.fhhsbandhome.com/authalpha/challengeresponsecode/badlogin.php?err=response wrote:The client response did not match the expected response generated by the server. You could not be authenticated.
not an error.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

I get:
You have been authenticated through the Challenge/Response process. Congratulations!
I win. :D
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

patrikG wrote:I get

http://www.fhhsbandhome.com/authalpha/challengeresponsecode/badlogin.php?err=response wrote:The client response did not match the expected response generated by the server. You could not be authenticated.
not an error.
Me too
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

d3ad1ysp0rk wrote:I get:
You have been authenticated through the Challenge/Response process. Congratulations!
I win. :D
Ok, I yield :cry: Here's your prize
