Webmasterpals  

#1
02-16-2012, 10:13 PM
Rockroxx
Login from link in mail

Hey, I've been stuck on this one for quite some time now and just can't seem to get it to work. I made a mail that sends the user's username and password (hash) in a link to them, but I can't seem to get it to work. I've gotten around the salt check in login, but dbc.php kicks 'em back out again in the security check for cookies. So I was wondering if there was a way around this, or is it impossible to log in from a link in mail with this login script?
#2
02-16-2012, 10:55 PM
Wombat76
Re: Login from link in mail

It would need a bit of rewriting of the script to log in that way, as normally a user would enter their password in plain text in the login form. If you're trying to log in using the hashed password then the password checking logic would need to be changed.

It would mean a straight comparison of the hashed password stored in the link with the hashed password stored in the database. That bypasses much of the security of the script, apart from the security implications of transmitting the hashed password from the email together with the username: the only 2 pieces of information that a hacker would need to successfully log in as that user. Unless you're using SSL.

I can't see that logging in that way would make dbc.php kick the user because of cookie checking. That must be a different issue. Don't forget to point your browser at logout.php in between test runs to clear the Session and Cookies. What error is dbc.php throwing up?
#3
02-17-2012, 12:10 PM
Rockroxx
Re: Login from link in mail

Quote:
Originally Posted by Wombat76
It would need a bit of rewriting of the script to log in that way, as normally a user would enter their password in plain text in the login form. If you're trying to log in using the hashed password then the password checking logic would need to be changed.

I got around that using an if and sending a randomly generated code with the mail, which is deleted after login.

Quote:
Originally Posted by Wombat76
It would mean a straight comparison of the hashed password stored in the link with the hashed password stored in the database. That bypasses much of the security of the script, apart from the security implications of transmitting the hashed password from the email together with the username: the only 2 pieces of information that a hacker would need to successfully log in as that user. Unless you're using SSL.

That's certainly true, but if the mail is hacked, isn't the person screwed anyway, because he could do a forget login to change the pass?

Quote:
Originally Posted by Wombat76
I can't see that logging in that way would make dbc.php kick the user because of cookie checking. That must be a different issue. Don't forget to point your browser at logout.php in between test runs to clear the Session and Cookies. What error is dbc.php throwing up?

It's the else header that's being activated.
PHP Code:
        if (!empty($ckey) && is_numeric($_COOKIE['user_id']) && isUserID($_COOKIE['user_name']) && $_COOKIE['user_key'] == sha1($ckey)) {
            session_regenerate_id(); // against session fixation attacks

            $_SESSION['user_id'] = $_COOKIE['user_id'];
            $_SESSION['user_name'] = $_COOKIE['user_name'];

            /* query user level from database instead of storing in cookies */
            list($user_level) = mysql_fetch_row(mysql_query("select user_level from users where id='$_SESSION[user_id]'"));

            $_SESSION['user_level'] = $user_level;
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
        } else {
            logout();
        }
    } else {
        header("Location: login.php");
        exit();
    }
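Editor's added example, not code from either poster or from the login script: the "random code deleted after login" approach mentioned in post #3, written so that the mail link carries a single-use, expiring token instead of the username and password hash discussed in post #2. The `login_tokens` table, the function names, the 15-minute lifetime and the example.com URL are assumptions; in-memory SQLite stands in for the script's database.

```php
<?php
// Added example: single-use, expiring e-mail login token.
// Table, function names and TTL are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (user_id INTEGER, token_hash TEXT PRIMARY KEY, expires INTEGER)');

// Create the token that goes into the mail link. Only its SHA-256 hash is
// stored, and the password hash never leaves the server.
function issueLoginToken(PDO $db, int $userId, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO login_tokens (user_id, token_hash, expires) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// Redeem a token taken from the link: returns the user id once, null afterwards.
function redeemLoginToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed input never reaches the database
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete on every lookup: the link is single-use and expired rows go away.
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    return (int) $row['user_id'];
}

$token = issueLoginToken($db, 42);                      // constructed user id
$link  = 'https://example.com/login.php?t=' . $token;   // placeholder URL for the mail body
var_dump(redeemLoginToken($db, $token));   // first click on the link
var_dump(redeemLoginToken($db, $token));   // replay of the same link
var_dump(redeemLoginToken($db, 'abc'));    // malformed token
```

On a successful redeem the caller would call `session_regenerate_id()` and set the session values the same way the cookie branch above does.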
#4
02-17-2012, 05:26 PM
Wombat76
Re: Login from link in mail

Well, just going on what you've said about altering the password checking part of the script, I'd say the culprit for failing the check would be this part:

Code:
    && $_COOKIE['user_key'] == sha1($ckey)

If you echo these 2 values to the screen, what do you get? Do they match? If not, what's the difference?

If they do match, then you need to find out which of the conditions is failing. Display the variable values (use die($_COOKIE['user_key']."<br />".sha1($ckey)); or something so your values don't get overwritten by your page) and see if they are what you would expect.
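Editor's added example, not code from the thread or from the login script: the four conditions of the cookie check evaluated one at a time, so the failing one is named instead of falling through to the redirect. It also replaces `==` with `hash_equals()` and `is_numeric()` with `ctype_digit()`. The stand-in for `isUserID()` (its body is not shown in the thread) and all sample values are assumptions.

```php
<?php
// Added example: report which remember-me condition fails.

// Stand-in for the script's isUserID(); the pattern is an assumption.
function isUserIdStandIn(string $name): bool
{
    return preg_match('/^[a-z\d_]{5,20}$/i', $name) === 1;
}

function checkRememberCookie(array $cookie, ?string $ckey): string
{
    if (empty($ckey)) {
        return 'fail: no ckey loaded for this user';
    }
    // ctype_digit() is stricter than is_numeric(), which also accepts "1e3"
    // or "-5"; the value is later interpolated into a SQL string.
    if (!ctype_digit((string) ($cookie['user_id'] ?? ''))) {
        return 'fail: user_id cookie missing or not a plain integer';
    }
    if (!isUserIdStandIn((string) ($cookie['user_name'] ?? ''))) {
        return 'fail: user_name cookie missing or malformed';
    }
    // hash_equals() compares byte for byte in constant time. With ==, two
    // different strings of the form "0e<digits>" compare as equal numbers.
    if (!hash_equals(sha1($ckey), (string) ($cookie['user_key'] ?? ''))) {
        return 'fail: user_key cookie differs from sha1(ckey)';
    }
    return 'ok';
}

// Constructed sample values.
$ckey = 'k3y-from-db';
$good = ['user_id' => '7', 'user_name' => 'rockroxx', 'user_key' => sha1($ckey)];

echo checkRememberCookie($good, $ckey), PHP_EOL;
echo checkRememberCookie(['user_key' => 'stale'] + $good, $ckey), PHP_EOL;
echo checkRememberCookie(['user_id' => '1e3'] + $good, $ckey), PHP_EOL;
echo checkRememberCookie($good, null), PHP_EOL;

// Loose comparison pitfall, shown with constructed strings (not real digests).
var_dump('0e1234' == '0e5678', hash_equals('0e1234', '0e5678'));
```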
#5
02-17-2012, 06:19 PM
Rockroxx
Re: Login from link in mail

Hey, I got it working. I ended up duplicating most of the code in login.php, dependent on if my _get was set, and removing the code I didn't need. Still, it was a very weird error.

Thank you for your effort.
All times are GMT.