Everything posted by xekon

  1. CMS/Forum session/cookie management and security, picking a good example.

I am starting an open source GPL forum project primarily for the sake of learning. I have been looking at the different implementations of user authentication and session management in different CMS and forum packages, trying to go through and learn what is being done. I am also wondering which makes for the best example of a good, clean way to implement it.

I would prefer to store the bare minimum of cookies client side and keep most data in session variables server side, unless there is a good reason to have another cookie or two, like if it somehow added additional security.

SMF & Drupal make use of the standard session_start(), and both also use the database for session management (more scalable). phpBB3 also uses the database for session management, but does not use the standard session_start(); it uses a custom implementation with session_begin(), session_create(), session_kill() and session_gc().

I like that Drupal only had the one session cookie; however, it takes me much longer to follow the functions and understand what is happening with Drupal code. In Drupal a lot of things are generated, like forms etc., using a single function. This is very clean as it reuses a lot of code; however, I would rather learn from something easier to follow. I can always make the code more efficient afterwards.

MyBB seemed to set more cookies than the rest, and did not make use of the standard session_start(). I am unsure if it uses the DB for session management.

Right now I think I have it narrowed down to either SMF or phpBB3. I am kinda leaning toward phpBB because of a post I found: https://www.phpbb.co...49840#p12949840

"Stealing a session id/key is not enough to get logged in. The IP must match to the extent defined in the ACP. Also, the browser user-agent must match (enabled by default). Additionally, you can have it check the x_forwarded_for value."

I would think the extra checks like user-agent, IP and x_forwarded_for would help mitigate XSS and session fixation. phpBB3 key function quote: "Multiple keys may exist for each user representing different browsers or locations." I am curious if they limited the number of sessions per user, so that a malicious user can't intentionally create tons of session keys on purpose.

SMF may have the same checks, I am unsure. (I do not see IP or x_forwarded_for checks in the 'Cookies and Sessions' admin section of SMF, but they could be hardcoded.)

Any insight or opinions on the subject are appreciated, or if you know of another open source CMS or forum that I should take a look at as a good example. At the moment I am leaning towards further studying the phpBB3 implementation and trying to implement something similar.
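The following is an added example and not xekon's code, nor the session code of phpBB3, SMF or Drupal. It shows the checks discussed in the post above on a DB-backed session table: a random key that is stored only as a hash, binding to the browser user-agent and to an IP prefix, a cap on the number of keys per user, and idle expiry. The SQLite in-memory store via PDO, the /24 and /64 prefix widths, the cap of 5 keys and the one hour idle limit are assumptions chosen for the example; PHP 7.1 or newer is assumed.

```php
<?php
// Added example; not xekon's code and not phpBB's/SMF's session handling.
// Assumed: PDO with the sqlite driver, PHP >= 7.1, the policy constants below.
declare(strict_types=1);

const MAX_KEYS_PER_USER  = 5;    // assumed cap so one account cannot fill the table
const IDLE_LIMIT_SECONDS = 3600; // assumed idle timeout

function open_session_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        key_hash  TEXT PRIMARY KEY,
        user_id   INTEGER NOT NULL,
        ua_hash   TEXT NOT NULL,
        ip_prefix TEXT NOT NULL,
        last_seen INTEGER NOT NULL)');
    return $db;
}

// Keep only the /24 (IPv4) or /64 (IPv6) part, so a user whose address moves
// inside one network stays logged in while a key replayed from elsewhere fails.
function ip_prefix(string $ip): string {
    $bin = inet_pton($ip);
    if ($bin === false) {
        return 'invalid';
    }
    return bin2hex(substr($bin, 0, strlen($bin) === 4 ? 3 : 8));
}

// Mint a key for $userId and return the raw value that goes into the cookie.
function session_create_for(PDO $db, int $userId, string $ua, string $ip, int $now): string {
    $st = $db->prepare('SELECT key_hash FROM sessions WHERE user_id = ? ORDER BY last_seen ASC');
    $st->execute([$userId]);
    $existing = $st->fetchAll(PDO::FETCH_COLUMN);
    // Evict the least recently used keys once the per-user cap is reached.
    $del = $db->prepare('DELETE FROM sessions WHERE key_hash = ?');
    while (count($existing) >= MAX_KEYS_PER_USER) {
        $del->execute([array_shift($existing)]);
    }
    $key = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $ins = $db->prepare('INSERT INTO sessions (key_hash, user_id, ua_hash, ip_prefix, last_seen)
                         VALUES (?, ?, ?, ?, ?)');
    // Only a hash is stored: a dump of this table does not yield usable cookies.
    $ins->execute([hash('sha256', $key), $userId, hash('sha256', $ua), ip_prefix($ip), $now]);
    // In the web handler you would then do:
    // setcookie('sid', $key, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return $key;
}

function session_kill(PDO $db, string $keyHash): void {
    $db->prepare('DELETE FROM sessions WHERE key_hash = ?')->execute([$keyHash]);
}

// Returns the user id for a valid key, or null. A key presented with the wrong
// user-agent or from another network is deleted, not merely rejected.
function session_validate(PDO $db, string $key, string $ua, string $ip, int $now): ?int {
    $keyHash = hash('sha256', $key);
    $st = $db->prepare('SELECT user_id, ua_hash, ip_prefix, last_seen FROM sessions WHERE key_hash = ?');
    $st->execute([$keyHash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($now - (int) $row['last_seen'] > IDLE_LIMIT_SECONDS) {
        session_kill($db, $keyHash);
        return null;
    }
    if (!hash_equals($row['ua_hash'], hash('sha256', $ua))
        || !hash_equals($row['ip_prefix'], ip_prefix($ip))) {
        session_kill($db, $keyHash);
        return null;
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE key_hash = ?')->execute([$now, $keyHash]);
    return (int) $row['user_id'];
}

// Offline run with constructed values (the addresses and user-agent are made up).
$db  = open_session_store();
$now = time();
$ua  = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0';
$key = session_create_for($db, 42, $ua, '192.168.1.150', $now);
var_dump(session_validate($db, $key, $ua, '192.168.1.77', $now + 10));        // same /24 and browser: accepted
var_dump(session_validate($db, $key, 'curl/7.29', '192.168.1.150', $now + 20)); // user-agent differs: key is killed
var_dump(session_validate($db, $key, $ua, '192.168.1.150', $now + 30));       // the key no longer exists
for ($i = 0; $i < MAX_KEYS_PER_USER + 2; $i++) {
    session_create_for($db, 42, $ua, '10.0.0.1', $now + $i); // repeated logins do not grow past the cap
}
var_dump((int) $db->query('SELECT COUNT(*) FROM sessions WHERE user_id = 42')->fetchColumn());
```

Two caveats on the checks the post is weighing up. The user-agent is chosen by the client, so an attacker who has stolen a key and knows the victim's browser can copy it; the check is a speed bump, not a control, and the direct defence against script reading the cookie is the HttpOnly flag. The IP check also logs out users whose address changes (mobile networks, some proxies), which is why the example only compares a prefix. Against session fixation the relevant property is that a fresh key is minted at every login, which session_create_for does; any key the attacker planted before authentication is simply never associated with the account.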
  2. Thank you so much, worked perfect:

```javascript
function create_user() {
    var allclear = 'go';
    check_user(function(rval) { // should fire when callback function is called
        // note: $.post is asynchronous, so this runs after the checks below have already read allclear
        if (rval != 1) { allclear = 'check_user: ' + rval; }
    });
    if (check_password() != 1) {
        allclear = allclear + ' check_password ';
    } else if (check_confirm_password() != 1) {
        allclear = allclear + ' check_confirm_password ';
    } else if (check_email() != 1) {
        allclear = allclear + ' check_email ';
    } else if (check_gender() != 1) {
        allclear = allclear + ' check_gender ';
    } else if (check_dob() != 1) {
        allclear = allclear + ' check_dob ';
    } else if (check_termpriv() != 1) {
        allclear = allclear + ' check_termpriv ';
    }
    if (allclear != 'go') {
        $("#cstatus").html('<font color="red">error: <b>' + allclear + '</b></font>');
    } else {
        // no errors found, should be good to go
        var op = "new";
        var user = $("#user").val();
        var pass = $("#pass").val();
        $("#cstatus").html('<img src="inc/loader.gif"> Registering...');
        $.post('inc/user-man.php', {op: op, user: user, pass: pass}, function(data) {
            if (data == 'Available') {
                $('#cstatus').html(' <img src="inc/tick.gif">');
            } else { // should be used for failed ajax .post, all other possible outcomes should be covered above
                $('#cstatus').html(data);
            }
        });
    }
}

function check_user(callback) {
    var op = "checkuser";
    var user = $("#user").val();
    var pass = $("#pass").val();
    if (user.length >= 2) {
        $("#ustatus").html('<img src="inc/loader.gif"> checking availability...');
        $.post('inc/user-man.php', {op: op, user: user, pass: pass}, function(data) {
            if (data == 'Available') {
                $("#user").removeClass('object_error'); // if necessary
                $("#user").addClass("object_ok");
                $('#ustatus').html(' <img src="inc/tick.gif">');
                callback(1); // callback function
            } else if (data == 'Unavailable') {
                $("#user").removeClass('object_ok'); // if necessary
                $("#user").addClass("object_error");
                // the typed username is inserted into the page unescaped
                $("#ustatus").html('<font color="red">username <b>' + user + '</b> is unavailable.</font>');
            } else {
                $("#user").removeClass('object_ok'); // if necessary
                $("#user").addClass("object_error");
                $('#ustatus').html(data);
            }
        });
    } else {
        $("#ustatus").html('<font color="red">username must have <b>2+</b> characters.</font>');
        $("#user").removeClass('object_ok'); // if necessary
        $("#user").addClass("object_error");
    }
}
```
  3. phpass uses salt + stretching, and the default is blowfish, which is preferred over MD5 by most.
  4. Hi w3schoon, I actually am in the process of finishing up a registration form that uses PHP with Ajax & jQuery. If you do your initial sanity checks in pure JavaScript as Ingolme suggests, then you can minimize the number of requests to the server; then once you pass the initial JavaScript comparative checks you can pass your values with Ajax so you can do things like checking whether a username is available or not. I may even do some more pure JavaScript checks on my data just to minimize work on the server; however, a registration page won't get worked nearly as much as other forms on the site.

To your question: "Isn't it the PHP & not the Ajax that will do the job of submitting and processing the form after the data has been validated?" You can use PHP directly to submit and process the form, but this would cause you to leave your current page. So let's say you submit your data: the page would then have to go to another page or reload the current page, but with Ajax you can verify if the username is already taken without the need to reload the page.
  5. I have been working on my registration page for the last couple of days. I just about have it finished and I hit a snag. If I call the below function from another function, the return value remains undefined because I believe it is out of scope. I tried a simple return 1 or return 0, then I tried using a variable so I could better see what was happening. It seems the variables within .post() lose scope? At the end of the function rval is still undefined. Is there another way to handle the variable, or a workaround?

```javascript
function check_usern() {
    var op = "checkuser";
    var usern = $("#usern").val();
    var passworda = $("#passworda").val();
    var rval;
    if (usern.length >= 2) {
        $("#ustatus").html('<img src="inc/loader.gif"> Checking availability...');
        $.post('inc/user-man.php', {op: op, user: usern, pass: passworda}, function(data) {
            if (data == 'Available') {
                rval = 1;
                $("#usern").removeClass('object_error'); // if necessary
                $("#usern").addClass("object_ok");
                $('#ustatus').html(' <img src="inc/tick.gif">');
            } else if (data == 'Unavailable') {
                rval = 0;
                $("#usern").removeClass('object_ok'); // if necessary
                $("#usern").addClass("object_error");
                $("#ustatus").html('<font color="red">Username <b>' + usern + '</b> is unavailable.</font>');
            } else {
                rval = 0;
                $("#usern").removeClass('object_ok'); // if necessary
                $("#usern").addClass("object_error");
                $('#ustatus').html(data);
            }
        });
    } else {
        $("#ustatus").html('<font color="red">Username should have <strong>2+</strong> characters.</font>');
        $("#usern").removeClass('object_ok'); // if necessary
        $("#usern").addClass("object_error");
        //rval = 0 // this one works if uncommented, it's just the ones within .post() that lose scope
    }
    return rval;
}
```

I have a function to validate each field as you go from field to field (.change()/.focus()/.blur()). Then, when the user clicks submit, I would like it to validate all fields by calling all the different functions and, if they pass validation, submit the data to user-man.php for insertion into the database.

I have not done a ton of web design; if you have any suggestions for me please let me know. Also, here is the complete code for the page for anyone curious (there are no html, head, body tags because this page is loaded through index as an include):

```html
<center><div align="center">
<form>
<table width="600" border="0">
  <tr>
    <td width="150"><div align="right">Username: </div></td>
    <td width="100"><input id="usern" size="20" maxlength="20" type="text" name="usern"></td>
    <td align="left"><div id="ustatus"></div></td>
  </tr>
  <tr>
    <td width="150"><div align="right">Password: </div></td>
    <td width="100"><input id="passworda" size="20" maxlength="40" type="password" name="passworda"></td>
    <td align="left"><div id="pstatus"></div></td>
  </tr>
  <tr>
    <td width="150"><div align="right">Confirm Password: </div></td>
    <td width="100"><input id="confirm_password" size="20" maxlength="40" type="password" name="confirm_password"></td>
    <td align="left"><div id="cpstatus"></div></td>
  </tr>
  <tr>
    <td width="150"><div align="right">Email: </div></td>
    <td width="100"><input id="email" size="20" maxlength="50" type="text" name="email"></td>
    <td align="left"><div id="estatus"></div></td>
  </tr>
  <tr>
    <td width="150"><div align="right">Gender: </div></td>
    <td width="100">
      <input id="gender_male" type="radio" name="gender" value="male">Male
      <input id="gender_female" type="radio" name="gender" value="female">Female
    </td>
    <td align="left"><div id="gstatus"></div></td>
  </tr>
  <tr>
    <td width="150"><div align="right">Date of Birth: </div></td>
    <td width="100"><input id="date" name="date" size="10" maxlength="10" type="text" value="mm/dd/yyyy"/></td>
    <td align="left"><div id="bstatus"></div></td>
  </tr>
  <tr>
    <td width="250" colspan="2">
      I agree to the Terms of Use & Privacy Policy
      <input id="termpriv" type="checkbox" name="termpriv" value="Yes">
    </td>
    <td align="left"><div id="tpstatus"></div></td>
  </tr>
  <tr>
    <td width="250" align="right" colspan="2"><button type="button" id="create" name="create" value=" Register "> Register </button></td>
    <td align="left"><div id="cstatus"></div></td>
  </tr>
</table>
</form>
</div></center>

<script type="text/javascript">
var pic1 = new Image(16, 16);
pic1.src = "inc/loader.gif";

$(document).ready(function() {
    $('#create').click(create_user);
    $('#usern').change(check_usern);
    $('#passworda').change(check_password);
    $('#passworda').focus(check_password);
    $('#confirm_password').blur(check_confirm_password);
    $('#confirm_password').focus(check_confirm_password);
    $('#email').change(check_email);
    $("input[name=date]").focus(function() {
        if ($(this).val() === "mm/dd/yyyy") { $(this).val(''); }
    });
    $("input[name=date]").blur(function() {
        if ($(this).val() === "") { $(this).val('mm/dd/yyyy'); }
    });
    $("#date").datepicker({ changeMonth: true, changeYear: true, yearRange: "-120:+0" });
});

function create_user() {
    if (check_usern() != 1) {
        $('#cstatus').html('check_usern: ' + check_usern());
        return 0;
    } else if (check_password() != 1) {
        $('#cstatus').html('check_password');
        return 0;
    } else if (check_confirm_password() != 1) {
        $('#cstatus').html('check_confirm_password');
        return 0;
    } else if (check_email() != 1) {
        $('#cstatus').html('check_email');
        return 0;
    } else {
        var op = "new";
        var usern = $("#usern").val();
        $("#cstatus").html('<img src="inc/loader.gif"> Registering...');
        $.post('inc/user-man.php', {op: op, user: usern}, function(data) {
            if (data == 'Available') {
                $('#cstatus').html(' <img src="inc/tick.gif">');
            } else { // should be used for failed ajax .post, all other possible outcomes should be covered above
                $('#cstatus').html(data);
            }
        });
    }
}

function check_usern() {
    var op = "checkuser";
    var usern = $("#usern").val();
    var passworda = $("#passworda").val();
    var rval;
    if (usern.length >= 2) {
        $("#ustatus").html('<img src="inc/loader.gif"> Checking availability...');
        $.post('inc/user-man.php', {op: op, user: usern, pass: passworda}, function(data) {
            if (data == 'Available') {
                rval = 1;
                $("#usern").removeClass('object_error'); // if necessary
                $("#usern").addClass("object_ok");
                $('#ustatus').html(' <img src="inc/tick.gif">');
            } else if (data == 'Unavailable') {
                rval = 0;
                $("#usern").removeClass('object_ok'); // if necessary
                $("#usern").addClass("object_error");
                $("#ustatus").html('<font color="red">Username <b>' + usern + '</b> is unavailable.</font>');
            } else {
                rval = 0;
                $("#usern").removeClass('object_ok'); // if necessary
                $("#usern").addClass("object_error");
                $('#ustatus').html(data);
            }
        });
    } else {
        $("#ustatus").html('<font color="red">Username should have <strong>2+</strong> characters.</font>');
        $("#usern").removeClass('object_ok'); // if necessary
        $("#usern").addClass("object_error");
        //rval = 0 // this one works if uncommented, it's just the ones within .post() that lose scope
    }
    return rval;
}

function check_password() {
    var op = "checkpass";
    var usern = $("#usern").val();
    var passworda = $("#passworda").val();
    if (passworda == '') {
        // do nothing
    } else if (passworda.length >= 4) {
        //$("#pstatus").html('<img src="inc/loader.gif"> Checking availability...');
        $.post('inc/user-man.php', {op: op, user: usern, pass: passworda}, function(data) {
            //if(data == 'OK')
            if (data.indexOf("OK") != -1) {
                $("#passworda").removeClass('object_error'); // if necessary
                $("#passworda").addClass("object_ok");
                $('#pstatus').html(' <img src="inc/tick.gif">');
                return 1;
            } else if (data.indexOf("classes") != -1) {
                $("#passworda").removeClass('object_ok'); // if necessary
                $("#passworda").addClass("object_error");
                $('#pstatus').html('<font color="red">password must have 2+ numbers/symbols</font>');
            } else if (data.indexOf("short") != -1) {
                $("#passworda").removeClass('object_ok'); // if necessary
                $("#passworda").addClass("object_error");
                $('#pstatus').html('<font color="red">password must be 8+ characters long</font>');
            } else { // should be used for failed ajax .post, all other possible outcomes should be covered above
                $("#passworda").removeClass('object_ok'); // if necessary
                $("#passworda").addClass("object_error");
                $('#pstatus').html('<font color="red">' + data + '</font>');
            }
        });
    } else {
        $("#pstatus").html('<font color="red">The password should have at least <strong>4</strong> characters.</font>');
        $("#passworda").removeClass('object_ok'); // if necessary
        $("#passworda").addClass("object_error");
    }
    return 0;
}

function check_confirm_password() {
    var passworda = $("#passworda").val();
    var confirm_password = $("#confirm_password").val();
    if (passworda == '' || confirm_password == '') {
        // do nothing
    } else if (passworda == confirm_password) {
        $("#confirm_password").removeClass('object_error'); // if necessary
        $("#confirm_password").addClass("object_ok");
        $('#cpstatus').html(' <img src="inc/tick.gif">');
        return 1;
    } else {
        $("#cpstatus").html('<font color="red">Passwords do not match.</font>');
        $("#confirm_password").removeClass('object_ok'); // if necessary
        $("#confirm_password").addClass("object_error");
    }
    return 0;
}

function check_email() {
    var email = $("#email").val();
    var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,4})?$/;
    if (!emailReg.test(email)) {
        $("#email").removeClass('object_ok'); // if necessary
        $("#email").addClass("object_error");
        $('#estatus').html('<font color="red">Please enter a valid email address</font>');
    } else {
        $("#email").removeClass('object_error'); // if necessary
        $("#email").addClass("object_ok");
        $('#estatus').html(' <img src="inc/tick.gif">');
        return 1;
    }
    return 0;
}
</script>
```
  6. DOH! I figured out the problem. The PHP manual example shows using the first row as the result; once I changed the row to 0 it worked. So it must start at row 0 for results, not row 1: http://www.php.net/m...etch-result.php

I am still very curious to know if there are any security concerns using this method/guide/tutorial. So for anyone that is curious, here is the tutorial I followed: http://www.openwall....Users-Passwords

On that page there is an archive with all of the example documents. I used the files from the "demo4" folder, which is just before "How to enforce a password policy". I was having an issue getting that to work, and I am thinking some simple regex matching might be enough to enforce the password policy.

For anyone that wants the complete edits to the file "user-man.php" for PostgreSQL: http://pastebin.com/nb5YiBAX

The authentication of this guide just checks if the supplied password is correct; now I need to read up on how to handle creating a session, so they stay logged in between pages and whatnot.
  7. I have been developing a PHP web site. I have been trying to follow suggested best practices. I am running an Ubuntu minimalist install, and installed the following packages: nginx php5 php5-fpm postgresql phppgadmin php5-gd

I have nginx up and running instead of Apache. I have done some basic configuration for nginx, got my vhost set up and linked, and I am now able to browse my PHP pages on my local test machine running Ubuntu. I have created my PostgreSQL database, and have a user set up. So I am to the point that I wanted to create a page to register/login/change password.

I searched and found http://stackoverflow...asswords-safely. It was posted back in 2010, and it links to this guide using phpass: http://www.openwall....Users-Passwords

The guide/tutorial was created using MySQL; I have been swapping out functions for their equivalent PostgreSQL functions using the PostgreSQL documentation. I modified the guide to the point that I can create new users in my PostgreSQL database. When I got to the point "How to authenticate existing users" I hit a snag.

MySQL version from the guide:

```php
} else {
    $hash = '*'; // In case the user is not found
    ($stmt = $db->prepare('select pass from users where user=?'))
        || fail('MySQL prepare', $db->error);
    $stmt->bind_param('s', $user)
        || fail('MySQL bind_param', $db->error);
    $stmt->execute()
        || fail('MySQL execute', $db->error);
    $stmt->bind_result($hash)
        || fail('MySQL bind_result', $db->error);
    if (!$stmt->fetch() && $db->errno)
        fail('MySQL fetch', $db->error);

    if ($hasher->CheckPassword($pass, $hash)) {
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
    }
    unset($hasher);
}
```

My version:

```php
} else {
    $hash = '*'; // In case the user is not found
    pg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1')
        or fail('pg_prepare failed ', pg_last_error($dbconn));
    $hashx = pg_execute($dbconn, "quser", array($user))
        or fail('pg_execute failed ', pg_last_error($dbconn));
    $hash = pg_fetch_result($hashx, 1, 'pass');
    if (!$hash && pg_last_error($dbconn))
        fail('pg_execute failed.2 ', pg_last_error($dbconn));

    if ($hasher->CheckPassword($pass, $hash)) {
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
        $op = 'fail'; // Definitely not 'change'
    }
}
```

I think it has to do with bind_result($hash). I used $hashx = pg_execute(); I assumed it would take the results of pg_execute() and store them in the $hashx variable, and I thought that was what bind_result($hash) was doing in the MySQL example.

Here is the error from the server logs:

```
2013/02/15 19:01:12 [error] 16860#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: pg_fetch_result(): Unable to jump to row 1 on PostgreSQL result index 5 in ..../testing.com/public/inc/user-man.php on line 91" while reading response header from upstream, client: 192.168.1.150, server: testing.com, request: "POST /inc/user-man.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "testing.com", referrer: "http://testing.com/inc/user-man.html"
```

Also, if anyone has any input on whether or not this is still best practice for user registration/password security, please let me know. In addition to having a good user/password system, I know that I am going to need to recheck my configuration for both nginx and PostgreSQL to make sure everything is locked down and secure, as well as user permissions. I have not looked for any info/guides on any of this yet. Thanks so much for any responses, I appreciate it.
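The block below is an added example, not the openwall demo's user-man.php, not xekon's PostgreSQL port of it (pastebin link in post 6) and not the PHP manual's code. It is the server side that the jQuery form in post 5 posts to (op=checkuser and op=new, plus a login op), and it ties together the points from posts 3, 6 and 7: every rule the JavaScript checks is checked again on the server, the lookups use prepared statements, passwords are hashed with password_hash() using bcrypt (the "blowfish" scheme phpass defaults to), and the first result row is read as index 0, which is what pg_fetch_result($res, 0, 'pass') would be in the pg_* version. The SQLite in-memory store via PDO (so it runs without a PostgreSQL server), the username rule, the dummy-hash trick for unknown users and the reply strings are assumptions; the reply strings were chosen to match what the form already looks for ('Available', 'Unavailable', 'short', 'classes', 'OK'). PHP 7.1 or newer is assumed.

```php
<?php
// Added example; not the openwall demo and not xekon's user-man.php.
// Assumed: PDO with the sqlite driver, PHP >= 7.1, the policy below.
declare(strict_types=1);

function open_user_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    return $db;
}

// The JavaScript checks are convenience only; a client can POST anything.
function validate_username(string $u): ?string {
    return preg_match('/^[A-Za-z0-9_]{2,20}$/', $u) === 1
        ? null : 'username must be 2-20 letters, digits or underscores';
}

// Same policy the form's messages describe: 8+ characters, 2+ non-letters.
function validate_password(string $p): string {
    if (strlen($p) < 8) {
        return 'short';   // the form shows "password must be 8+ characters long"
    }
    if (preg_match_all('/[^A-Za-z]/', $p) < 2) {
        return 'classes'; // the form shows "password must have 2+ numbers/symbols"
    }
    return 'OK';
}

function username_available(PDO $db, string $u): bool {
    $st = $db->prepare('SELECT 1 FROM users WHERE name = ?');
    $st->execute([$u]);
    return $st->fetch() === false;
}

function register(PDO $db, string $u, string $p): string {
    if (($err = validate_username($u)) !== null) {
        return $err;
    }
    if (($verdict = validate_password($p)) !== 'OK') {
        return $verdict;
    }
    try {
        $db->prepare('INSERT INTO users (name, pass) VALUES (?, ?)')
           ->execute([$u, password_hash($p, PASSWORD_BCRYPT)]);
    } catch (PDOException $e) {
        return 'Unavailable'; // PRIMARY KEY collision: taken between checkuser and new
    }
    return 'Available';       // the string the form treats as success
}

// A bcrypt hash of a throwaway value, verified against when the user does not
// exist, so the failing path costs the same time as a real password check
// (the guide's $hash = '*' makes CheckPassword() return almost instantly).
function dummy_hash(): string {
    static $h = null;
    if ($h === null) {
        $h = password_hash(bin2hex(random_bytes(8)), PASSWORD_BCRYPT);
    }
    return $h;
}

function authenticate(PDO $db, string $u, string $p): bool {
    $st = $db->prepare('SELECT pass FROM users WHERE name = ?');
    $st->execute([$u]);
    $rows  = $st->fetchAll(PDO::FETCH_COLUMN); // first row is $rows[0], not $rows[1]
    $found = isset($rows[0]);
    $ok    = password_verify($p, $found ? $rows[0] : dummy_hash());
    return $found && $ok;
}

function handle(PDO $db, array $post): string {
    $user = (string) ($post['user'] ?? '');
    $pass = (string) ($post['pass'] ?? '');
    switch ($post['op'] ?? '') {
        case 'checkuser':
            return validate_username($user) ?? (username_available($db, $user) ? 'Available' : 'Unavailable');
        case 'checkpass':
            return validate_password($pass);
        case 'new':
            return register($db, $user, $pass);
        case 'login':
            return authenticate($db, $user, $pass) ? 'Authentication succeeded' : 'Authentication failed';
        default:
            return 'unknown op';
    }
}

// Under nginx/php-fpm the script would end with: echo handle($db, $_POST);
// Offline run against constructed requests in the shape the form sends.
$db = open_user_store();
$requests = [
    ['op' => 'checkuser', 'user' => 'xekon'],
    ['op' => 'checkpass', 'pass' => 'short1'],
    ['op' => 'new', 'user' => 'xekon', 'pass' => 'password'],          // 8 chars but no digits/symbols
    ['op' => 'new', 'user' => 'xekon', 'pass' => 'Correct-Horse-42'],
    ['op' => 'new', 'user' => 'xekon', 'pass' => 'Another-Pass-99'],   // name now taken
    ['op' => 'login', 'user' => 'xekon', 'pass' => 'Correct-Horse-42'],
    ['op' => 'login', 'user' => 'xekon', 'pass' => 'wrong-pass-1'],
    ['op' => 'login', 'user' => 'nobody', 'pass' => 'Correct-Horse-42'],
];
foreach ($requests as $req) {
    echo json_encode($req), ' => ', handle($db, $req), PHP_EOL;
}
```

On the question in post 7 of whether the guide is still best practice: the shape of it (salted, stretched hash; prepared statements; a fail-closed default when the user is missing) still is, and since PHP 5.5 password_hash()/password_verify() give the same bcrypt result as phpass without a third-party library. Two things the guide's snippet leaves to the caller are shown above: the registration path enforces the policy on the server rather than trusting the JavaScript, and the unknown-user path does a real bcrypt verification so the response time does not reveal which usernames exist.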
  8. How do you change transparency if your source was not a fill color? In this example the transparency is changed for a fill color, but I don't see how you could use this function to change the transparency if your source is from an image: http://is.php.net/ma...locatealpha.php

The only thing I could see that might be able to be manipulated to work is the imagefilter() function. However, none of the filtertype parameters are for transparency directly, but transparency can be passed to the other filtertypes, so I was thinking maybe the transparency could be changed in a roundabout way. Or maybe I am totally off and there is a better way to use PHP GD to adjust transparency. http://is.php.net/ma...imagefilter.php

Any ideas or suggestions appreciated.

EDIT: DOH! Should have read the user comments at the bottom of the imagefilter page; somebody posted a custom function for transparency on the fly.

EDIT: Custom function WORKS PERFECT! Exactly what I needed.
  9. Yes, thank you both. After your comments I found a post explaining the difference; I just wasn't using the right search terms: http://stackoverflow...ed-color-in-rgb

Quote: "It turns out that what you and I learned in grade school is really more accurately known as a subtractive color model, versus the additive color model used by RGB."

I'm not going to bother trying to change or convert anything. It was just that when I saw the result of mixing yellow and blue and didn't get green I immediately thought something was wrong, but now that I know it's possible to get green (you just have to mix cyan and yellow), I am not going to bother.
  10. ah, that explains a bit. and should definitely help in searching for the algorithm I need. Thank you
  11. I am trying to overlay some colors, and in some cases images, with color and transparency. http://xekon.byethost7.com/ (if the image breaks, try refreshing the page)

If I take a solid yellow picture and overlay a 50% transparent blue, I get grey, or close to it depending on the levels of transparency. And it makes sense, because yellow rgba(255,255,0,1) and blue rgba(0,0,255,0.4) together give RGB values that all balance out to be equal, and when all three are equal the color is grey. But in art, if you mix yellow & blue paint you get green paint. Anyone know if this is possible using PHP GD? http://www.enchanted...lormixing.shtml

Here is a good example: click the yellow and the blue, and you get a green box: http://painting.about.com/library/blpaint/blcolormixingpalette1.htm

I am thinking it might be possible, but that I would need to write a custom function that makes use of the PHP GD functions. Reading over the various functions I do not see anything that would work. http://www.php.net/m...n/ref.image.php
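The block below is an added example and not xekon's code; it serves post 11 above and the conclusion reached in post 9 (mix cyan with yellow for green). It does the two kinds of mixing with plain channel arithmetic on [r, g, b] arrays, so it runs without the GD extension; the same two functions can be applied per pixel with imagecolorat() and imagesetpixel() on GD images. The 0.4 alpha is the post's own value; the colour values are the post's yellow and blue plus cyan.

```php
<?php
// Added example; not xekon's code and not part of PHP GD.
declare(strict_types=1);

// Additive "source over" compositing, which is what an alpha overlay does:
// each channel becomes a weighted average of the two layers, so yellow
// (255,255,0) under 40% blue (0,0,255) ends up with all channels close
// together, which reads as grey.
function alpha_over(array $top, float $alpha, array $bottom): array {
    return array_map(function (int $t, int $b) use ($alpha): int {
        return (int) round($alpha * $t + (1 - $alpha) * $b);
    }, $top, $bottom);
}

// Subtractive mixing, the paint model: each pigment only reflects the light
// the other also reflects, so channels are multiplied (as fractions of 255)
// rather than averaged. Yellow and pure blue share no channel, so they go to
// black; yellow and cyan both reflect green, so green survives.
function subtractive_mix(array $a, array $b): array {
    return array_map(function (int $x, int $y): int {
        return (int) round($x * $y / 255);
    }, $a, $b);
}

$yellow = [255, 255, 0];
$blue   = [0, 0, 255];
$cyan   = [0, 255, 255];

echo 'additive,    yellow under 40% blue: ', json_encode(alpha_over($blue, 0.4, $yellow)), PHP_EOL;
echo 'subtractive, yellow x blue:         ', json_encode(subtractive_mix($yellow, $blue)), PHP_EOL;
echo 'subtractive, yellow x cyan:         ', json_encode(subtractive_mix($yellow, $cyan)), PHP_EOL;
```

To mix two GD images this way, loop over x and y, unpack imagecolorat() into its three channels with shifts and masks, call subtractive_mix() on the two triples, and write the result back with imagesetpixel() and imagecolorallocate(); imagecopymerge() will only ever give you the additive result.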
  12. Doh! Something so simple. I really appreciate your reply. I'd been staring at it for a couple of hours trying this and that. I have bookmarked the validator at the top of my list.
  13. Need expert help: JavaScript is the same as the example, but has an error in IE; works perfectly in Chrome/Firefox. jQuery spectrum() colorpicker. The example works perfectly in Internet Explorer, here: http://jsfiddle.net/bgrins/ctkY3/

Then on my test site, using the exact same CSS + JS files, it will not work in IE: http://xekon.byethost7.com/

I have even simplified the example a bit. I cannot tell what the problem is, but I would certainly appreciate any help. I inspected the source at jsfiddle but did not see anything being done differently.

Edit: Also I am using Windows 7, latest updates, Internet Explorer 9.0.8112.16421. I have also tried from Windows XP SP3, latest updates, Internet Explorer 8.0.6001.18702.