Asked  7 Months ago    Answers:  5   Viewed   45 times

I'm a beginner working on a login script in PHP. This is the form token statement that I have so far:

$_SESSION["form_token"] = md5(rand(time (), true)) ;

The statement is issued just after the user indicates that he/she wants to login.

My limited understanding is that the token's purpose is to identify a unique user at a unique point in time and to disguise the form token information.

Then everything becomes fuzzy. Here are my 3 open questions:

  1. When is the best time to "check" the form token for security purposes?

  2. How do I check it?

  3. When, if ever, do I "destroy" the form token? (IOW, would the form token stay "active" until the user logs out?)

 Answers

100

There is no need to do what you are attempting. When you start a session in PHP with session_start() a unique SESSIONID is already generated for you. You should not be putting this on the form. It is handled via cookies by default. There is also no need to check the SESSIONID either, that again is handled for you.

You are responsible for authenticating the user and storing their authenticated identity (e.g. $_SESSION['user_id'] = $userId) in the SESSION. If a user logs out you destroy their session with session_destroy.

You should ensure session_start() is one of the first things for all pages in your site.

Here is a basic example:

<?php
session_start(); // starts new or resumes existing session
session_regenerate_id(true); // regenerates SESSIONID to prevent hijacking

function login($username, $password)
{
    $user = new User(); // the application's own User class (not shown here)
    if ($user->login($username, $password)) {
        $_SESSION['user_id'] = $user->getId();
        return true;
    }
    return false;
}

function logout()
{
    $_SESSION = array(); // clear the server-side data before destroying the session
    session_destroy();
}

function isLoggedIn()
{
    return isset($_SESSION['user_id']);
}

function generateFormHash($salt)
{
    // random_bytes() replaces the original mt_rand(1,1000000), whose output is
    // small and predictable; the token must be unguessable
    $hash = md5(random_bytes(16) . $salt);
    $_SESSION['csrf_hash'] = $hash; // semicolon was missing in the original
    return $hash;
}

function isValidFormHash($hash)
{
    // isset() avoids an undefined-index notice when no token was generated;
    // hash_equals() is a constant-time string comparison
    return isset($_SESSION['csrf_hash'])
        && hash_equals($_SESSION['csrf_hash'], (string) $hash);
}

Edit: I misunderstood the original question. I added the relevant methods above for generating and validating form hashes.

Please see the following resources:

  • PHP Session Handling
  • session_start()
  • session_destroy()
Wednesday, March 31, 2021
 
alez
answered 7 Months ago
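The following is an added example, not part of alez's answer or the original question, that answers the asker's three points in code: the token is generated once per session from the OS CSPRNG, checked on every POST before any other work is done, and rotated after a successful login and on logout. It assumes the login form posts to this same script, that the hidden field is named `form_token`, and a hypothetical `check_credentials()` stands in for the real password check; none of those names come from the page.

```php
<?php
// Added example (not from the original post): CSRF token lifecycle for a login form.
// Assumptions: form posts to this script, hidden field "form_token",
// check_credentials() is a hypothetical stand-in for the app's own check.
declare(strict_types=1);

session_start();

// 1. Generate: one token per session, 128 bits from random_bytes().
//    The token only has to be unpredictable; it need not encode user or time.
function csrf_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_token'];
}

// 2. Check: on every state-changing POST, before touching credentials.
//    hash_equals() compares in constant time; isset() covers a request that
//    arrives with no token in the session or the body at all.
function csrf_valid(array $post): bool
{
    return isset($post['form_token'], $_SESSION['form_token'])
        && is_string($post['form_token'])
        && hash_equals($_SESSION['form_token'], $post['form_token']);
}

// 3. Destroy / rotate: drop the token whenever the session changes privilege
//    level (successful login) and when the session itself is destroyed.
function rotate_csrf_token(): void
{
    unset($_SESSION['form_token']);
}

// Hypothetical credential check with one constructed demo user.
function check_credentials(string $user, string $pass): ?int
{
    $demo = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    if (isset($demo[$user]) && password_verify($pass, $demo[$user])) {
        return 1; // user id
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    if (isset($_POST['logout'])) {
        rotate_csrf_token();
        $_SESSION = [];
        session_destroy();
        exit('Logged out');
    }
    $id = check_credentials(
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    if ($id === null) {
        http_response_code(401);
        exit('Login failed');
    }
    session_regenerate_id(true); // fresh session id after authentication
    rotate_csrf_token();         // fresh CSRF token for the authenticated session
    $_SESSION['user_id'] = $id;
    exit('Logged in as user ' . $id);
}

// GET: render the form with the current token in a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post">
  <input type="hidden" name="form_token" value="{$token}">
  <input name="username"> <input type="password" name="password">
  <button type="submit">Log in</button>
  <button type="submit" name="logout" value="1">Log out</button>
</form>
HTML;
```

Note that the token is never put in a cookie or URL, only in the hidden field and the server-side session; the session cookie is what ties the two together, so a cross-site request that cannot read the page cannot learn the token.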
75

Assuming your cell is A1:

$objPHPExcel->getActiveSheet()->getStyle('A1')
    ->getNumberFormat()->applyFromArray( 
        array( 
            'code' => PHPExcel_Style_NumberFormat::FORMAT_PERCENTAGE_00
        )
    );
Wednesday, March 31, 2021
 
PHPWDev
answered 7 Months ago
95

In short:

Don't put this:

$message = 'Bedrijfsnaam: ' . $bedrijfsnaam;

before this:

$bedrijfsnaam = $_POST['bedrijfsnaam'];

Same thing for all the other variables used by your mail() function.

Your PHP script should look like this:

<?php
$servername = "youdliketoknowthat.com";
$username = "butitssecret";
$password = "hunter123";
$dbname = "yougettheidea";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

if (isset($_POST['submit'])) {

    // Read the form fields first; $message is built from them further down
    $bedrijfsnaam = $_POST['bedrijfsnaam'];
    $volledigenaam = $_POST['volledigenaam'];
    $telefoonnummer = $_POST['telefoonnummer'];
    $email = $_POST['email'];
    $website = $_POST['website'];
    $webshop = $_POST['webshop'];
    $app = $_POST['app'];
    $onlinemarketing = $_POST['onlinemarketing'];

    // The original had a stray ";" after this condition, so the block below
    // ran unconditionally
    if ($volledigenaam != '' || $email != '') {
        // Prepared statement: POST values are bound as parameters instead of
        // being concatenated into the SQL string (which allowed SQL injection)
        $stmt = $conn->prepare("INSERT INTO intake_formulier_test (bedrijfsnaam, volledigenaam, telefoonnummer, email, website, webshop, app, onlinemarketing)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
        $stmt->bind_param("ssssssss", $bedrijfsnaam, $volledigenaam, $telefoonnummer, $email,
            $website, $webshop, $app, $onlinemarketing);

        if ($stmt->execute()) {
            echo "New record created successfully";
            // Now we can send email
            $to = 'me@myemail.com';
            $subject = 'Content formulier';
            $headers = "From: me@myemail.com\r\n"; // "rn" in the original had lost its backslashes
            $message = 'Bedrijfsnaam: ' . $bedrijfsnaam . "\n";
            $message .= 'Volledige naam: ' . $volledigenaam . "\n";
            $message .= 'Telefoonnummer: ' . $telefoonnummer . "\n";
            $message .= 'email: ' . $email . "\n";
            mail($to, $subject, $message, $headers);
        } else {
            echo "Error: " . $stmt->error;
        }
        $stmt->close();
    }
}

$conn->close();
?>

You were adding things to your $message var like this: $message = 'Bedrijfsnaam: ' . $bedrijfsnaam; But at that point, in this particular example, the var $bedrijfsnaam wasn't declared yet, so your $message var was empty! In my example, I put all the emailing-related code after the DB query and after all your $var = $_POST["var"] lines.

Saturday, May 29, 2021
 
kmunky
answered 5 Months ago
54

As of Symfony 4.0, logout_on_user_change is set to true. That means a user will be logged out if it has been changed.

You should implement Symfony\Component\Security\Core\User\EquatableInterface and add the isEqualTo method:

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EquatableInterface
{
    // ...the rest of the UserInterface methods (getRoles, getPassword, getSalt,
    // getUsername, eraseCredentials) live in the application's User class

    // Called by Symfony on each request to decide whether the user loaded
    // from storage still matches the one in the session; returning false
    // logs the user out
    public function isEqualTo(UserInterface $user)
    {
        if ($this->password !== $user->getPassword()) {
            return false;
        }

        if ($this->salt !== $user->getSalt()) {
            return false;
        }

        if ($this->username !== $user->getUsername()) {
            return false;
        }

        return true;
    }
}

Changelog

https://github.com/symfony/security-bundle/blob/master/CHANGELOG.md

4.1.0

The logout_on_user_change firewall option is deprecated and will be removed in 5.0.

4.0.0

the firewall option logout_on_user_change is now always true, which will trigger a logout if the user changes between requests

3.4.0

Added logout_on_user_change to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration.

The option wasn't documented by the time of writing this answer: https://github.com/symfony/symfony-docs/issues/8428, but it now is: https://symfony.com/doc/4.4/reference/configuration/security.html#logout-on-user-change

Side note on updating to a new major release

If you want to upgrade to a new major version, always update to the latest minor version first. That means update to 2.8 before updating to 3.0 and updating to 3.4 before going to 4.0. See Symfony 4: Compose your Applications by Fabien Potencier.

Symfony 3.0 = Symfony 2.8 - deprecated features

(..)

Symfony 4.0 = Symfony 3.4 - deprecated features + a new way to develop applications

Updating to a new major release is much easier if you're already on the latest minor release, because you can see all deprecation notices.

Friday, June 25, 2021
 
dmp
answered 4 Months ago
12

Try adding this to appSettings in your web.config:

<add key="loginUrl" value="~/Account/LogOn" />
Wednesday, July 21, 2021
 
julesj
answered 3 Months ago