I have been trying to reuse some code and adapt it a bit more to my purposes. The original code for the isset check went as follows, but it is SO confusing.
// Check if we're already logged in, and check session information against cookies
// credentials to protect against session hijacking
if (isset($_COOKIE['project-name']['userID']) &&
    crypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'],
          $_COOKIE['project-name']['secondDigest']) ==
        $_COOKIE['project-name']['secondDigest'] &&
    (!isset($_COOKIE['project-name']['username']) ||
     (isset($_COOKIE['project-name']['username']) &&
      Users::checkCredentials($_COOKIE['project-name']['username'],
                              $_COOKIE['project-name']['digest']))))
My current code:
function encrypt($input)
{
    $hash = password_hash($input, PASSWORD_DEFAULT);
    return $hash;
}

function checkUserCreds($username, $password)
{
    //do code at some point
    return $username;
    return $password;
}

function checkLoggedIn($page)
{
    session_start();
    //Check if already logged in and check session information against cookies
    if (isset($_COOKIE['sukd']['id']) &&
        encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2'] &&
        (!isset($_COOKIE['sukd']['login']) ||
         (isset($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
    {
        //Some code here.. eventually
    }
}
Whilst I have fixed the syntax error, I am genuinely confused by the thing I am trying to copy off.
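As an added illustration (not part of the question), the following standalone PHP script shows why the copied condition can hold with crypt() but can never hold once crypt() is replaced by password_hash(). The IP and user-agent values are constructed sample data.

```php
<?php
// Added example (not from the question): why the copied condition stops working
// once crypt() is swapped for password_hash(). Sample values are constructed.

$ip          = '203.0.113.5';          // constructed
$userAgent   = 'ExampleBrowser/1.0';   // constructed
$fingerprint = $ip . $userAgent;

function report(string $label, bool $result): void
{
    echo str_pad($label, 48), $result ? 'true' : 'false', PHP_EOL;
}

// The original pattern. A bcrypt string carries its own salt, and crypt($data, $hash)
// reuses that salt, so hashing the same data again reproduces the same string.
// That is the only reason "crypt(data, digest) == digest" can ever hold.
$digest = password_hash($fingerprint, PASSWORD_BCRYPT); // crypt-compatible "$2y$..." string
report('crypt(fingerprint, digest) === digest', crypt($fingerprint, $digest) === $digest);
report('crypt(other, digest) === digest', crypt($fingerprint . 'x', $digest) === $digest);

// The rewritten pattern. password_hash() draws a fresh random salt on every call,
// so encrypt($x) == $storedHash compares two unrelated hashes and is never true.
$h1 = password_hash($fingerprint, PASSWORD_DEFAULT);
$h2 = password_hash($fingerprint, PASSWORD_DEFAULT);
report('password_hash(x) === password_hash(x)', $h1 === $h2);

// The verifier that belongs with password_hash(): it reads the salt out of $h1.
report('password_verify(fingerprint, h1)', password_verify($fingerprint, $h1));
report('password_verify(other, h1)', password_verify($fingerprint . 'x', $h1));

// Comparing secrets with == is also the wrong tool: it leaks timing and applies
// PHP's loose string comparison. hash_equals() is constant-time and strict.
report('hash_equals(digest, crypt(...))', hash_equals($digest, crypt($fingerprint, $digest)));
```

Run it with `php why_it_fails.php`; the first and last checks succeed because crypt() and hash_equals() are given the stored digest to work from, while the two password_hash() strings differ from each other on every run.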
function encrypt($input)
{
    $hash = password_hash($input, PASSWORD_DEFAULT);
    return $hash;
}
password_hash() creates a new password hash using a strong one-way hashing algorithm.
Calling encrypt($input) will return the hashed password.
function checkUserCreds($username, $password)
{
    //do code at some point
    return $username;
    return $password;
}
Calling checkUserCreds($username, $password) will just return what you submitted,
unless you have some code at
//do code at some point
function checkLoggedIn($page)
{
    session_start();
    //Check if already logged in and check session information against cookies
    if (isset($_COOKIE['sukd']['id']) &&
        encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2'] &&
        (!isset($_COOKIE['sukd']['login']) ||
         (isset($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash']))))
    {
        //Some code here.. eventually
    }
}
I tried to break down the checkLoggedIn function:
(1) if (isset($_COOKIE['sukd']['id'])
(2) && encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
(3) && (!isset ($_COOKIE['sukd']['login'])
|| (isset ($_COOKIE['sukd']['login']) && checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash'])))
{
//Some code here.. eventually
}
$_SERVER['REMOTE_ADDR'] = visitor's IP
$_SERVER['HTTP_USER_AGENT'] = visitor's browser
$_COOKIE['sukd']['hashv2'] = your defined cookie (I guess for your password)
$_COOKIE['sukd']['login'] = user defined cookie (I guess to check if logged in)
(1). You check if $_COOKIE['sukd']['id'] is set, and
(2). create a password hash by calling the encrypt function and compare it to the cookie $_COOKIE['sukd']['hashv2']
encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2']) == $_COOKIE['sukd']['hashv2']
encrypt is a user defined function where you pass the combination of $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2'] to retrieve the password hash
(3). You check if $_COOKIE['sukd']['login'] does not exist, or
the cookie is set and call the function that returns
$_COOKIE['sukd']['login'] (username), $_COOKIE['sukd']['hash'] (password)
If any of the 3 fails, it will not proceed.
EDIT
also, you are comparing
$_COOKIE['sukd']['hashv2']
(if) equal to
encrypt($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['sukd']['hashv2'])
that has
$_COOKIE['sukd']['hashv2']
which I believe will return false
also, be careful in number 3
it will return true if
$_COOKIE['sukd']['login'] is not set
or
$_COOKIE['sukd']['login'] is set and checkUserCreds($_COOKIE['sukd']['login'], $_COOKIE['sukd']['hash'])
will just return the param (not empty)
also, make sure you set the cookies before calling checkLoggedIn()
hope this helps
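As an added example (not code from the question or the answer), here is a rewritten checkLoggedIn() that keeps the page's cookie shape ('sukd' with id, login, hash, hashv2) but fixes the three points raised above: it fails closed when the login cookie is missing, it binds the fingerprint with an HMAC under a server-side secret and compares with hash_equals(), and it verifies the credential with password_verify() instead of ==. Two design choices are mine, not the page's: the 'hash' cookie field carries a random login token issued at sign-in (the server stores only password_hash($token)), and the function takes $cookie and $server as parameters so it can be run from the CLI. The secret, user table and request values are all constructed for the demo.

```php
<?php
// Added example, not code from the question or the answer. A rewritten
// checkLoggedIn() in the same cookie shape ('sukd' => id, login, hash, hashv2)
// that fails closed and uses the right comparison primitives. Everything
// below (secret, user table, request values) is constructed for the demo.

const COOKIE_NAME = 'sukd';

// Binding tag for the client fingerprint. An HMAC keyed with a server-side
// secret cannot be recomputed by the client, unlike a bare hash of public data.
function fingerprintTag(string $ip, string $userAgent, string $secret): string
{
    return hash_hmac('sha256', $ip . "\0" . $userAgent, $secret);
}

// The 'hash' cookie field holds a random login token issued at sign-in; the
// server keeps only password_hash($token). password_verify() handles the
// per-hash salt that a plain == comparison cannot.
function checkUserCreds(string $username, string $token, array $users): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($token, $users[$username]);
}

function checkLoggedIn(array $cookie, array $server, array $users, string $secret): bool
{
    $c = $cookie[COOKIE_NAME] ?? null;
    // Fail closed: every field must be present, unlike the original
    // "!isset(login) || ..." branch that accepted a cookie without a login.
    if (!is_array($c) || !isset($c['id'], $c['login'], $c['hash'], $c['hashv2'])) {
        return false;
    }
    $expected = fingerprintTag($server['REMOTE_ADDR'] ?? '', $server['HTTP_USER_AGENT'] ?? '', $secret);
    // Constant-time, strict comparison instead of ==.
    if (!hash_equals($expected, (string) $c['hashv2'])) {
        return false;
    }
    return checkUserCreds((string) $c['login'], (string) $c['hash'], $users);
}

// ---- constructed demo data ----
$secret = random_bytes(32);            // in real code: loaded from config outside the web root
$token  = bin2hex(random_bytes(16));   // issued to the client at login
$users  = ['alice' => password_hash($token, PASSWORD_DEFAULT)];
$server = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$good   = [COOKIE_NAME => [
    'id'     => '42',
    'login'  => 'alice',
    'hash'   => $token,
    'hashv2' => fingerprintTag($server['REMOTE_ADDR'], $server['HTTP_USER_AGENT'], $secret),
]];

$cases = [
    'valid cookie'          => [$good, $server],
    'same cookie, other UA' => [$good, ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_USER_AGENT' => 'Other/2.0']],
    'wrong token'           => [array_replace_recursive($good, [COOKIE_NAME => ['hash' => 'guess']]), $server],
    'login field missing'   => [[COOKIE_NAME => array_diff_key($good[COOKIE_NAME], ['login' => 1])], $server],
];
foreach ($cases as $label => [$cookie, $srv]) {
    echo str_pad($label, 26), checkLoggedIn($cookie, $srv, $users, $secret) ? 'accepted' : 'rejected', PHP_EOL;
}
```

Only the first case is accepted; the other three are rejected by the fingerprint check, the token check and the fail-closed field check respectively. In a real page you would call checkLoggedIn($_COOKIE, $_SERVER, ...) and, as the answer says, the cookies must already have been issued (with Secure, HttpOnly and SameSite set) on an earlier response before this check can pass.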