I have some PHP scripts that I'm working on to create a log-in page, using cookies, sessions and a CSRF token. The scripts are object oriented and use classes, but the CSRF token, which is a hidden input within my form, is blocking the submit button from rendering. I have been staring at this and fiddling around with it for months but I cannot figure out where the error is or why it is blocking rendering of the button; I have error reporting on but no errors are being shown. I'm also using the spl_autoload_register() function to load my classes but I don't believe this is where the issue is. Any help would be greatly appreciated.
Register.php
<?php require_once 'Core/init.php';
include 'Core/head.php';
if(!Usr){ // Not doing anything.....
    echo '<span style="color:white;">You must be logged in to view properties</span>';
}
?>
<h1 style="color:white;">Let Living Be Life</h1>
<h2 style="color:white;">Property Rentals</h2>
<a href="index.php">Home</a><br>
<a href="profile.php">Profile</a><br>
<a href="register.php">Register</a><br>
<a href="login.php">Login</a><br>
<a href="logout.php">Logout</a><br>
<a href="changepassword.php">Change Password</a><br>
<a href="info.php">Info</a><br>
<input type="radio" name="theme-switch"><span style="color:white;">Theme</span>
<form action="" method="post">
    <input id="usrname" type="text" name="usrname"
        placeholder="Username" autocomplete="off" required="true">
    <input id="psw" type="password" name="psw"
        placeholder="password" autocomplete="off" required="true">
    <input type="checkbox" name="remember" id="remember"> <span style="color:white;">Remember me.</span>
    <!-- This is not being rendered either !!!!!!!!!!!!!!!! -->
    <input type="hidden" name="csrf_tokenz" value="<?php echo Token::gen_csrf_token(); ?>"><br> <!-- Added '' around the echo, but it is not generating a valid token, button is back though...-->
    <!-- Note, Something is blocking the button from rendering ???????????????????? -->
    <button id="Submit_btn" type="submit">Submit</button>
</form>
<a href="index.php">Home</a>
<a href="profile.php">Profile</a>
<a href="register.php">Register</a>
<a href="login.php">Login</a>
<a href="logout.php">Logout</a>
<a href="changepassword.php">Change Password</a>
<a href="info.php">Info</a>
<?php
// $_SESSION['user-type'] = guest; << need to set this at top of loggin page. aswell as other checks.
if(Input::inp_exists()){
    if(Token::check_token(Input::post_or_get_inp('csrf_tokenz'))){
        $validate = new Validate();
        $validation = $validate->check_val($_POST, array(
            'usrname' => array('required' => true),
            'psw' => array('required' => true)
        ));
        if($validation->vali_passed()){
            // Log Usr in..
            $usr = new Usr();
            $remember = (Input::post_or_get_inp('remember') === 'on') ? true : false;
            $login = $usr->login_usr(Input::post_or_get_inp('usrname'), Input::post_or_get_inp('psw'), $remember);
            if($login){
                Redirect::r_to('index.php');
                echo 'Success';
            }else{
                echo '<p>Sorry Login Failed</p>';
            }
        }else{
            foreach($validation->vali_errors() as $error){
                echo $error, '<br>';
            }
        }
    }
}
?>
Token.class.php
<?php // Check all Syntax::>>
class Token{
    public static function gen_csrf_token(){ // Csrf Token 1.
        return Session::sesh_put(Config::get_conf('session/token_name'), bin2hex(random_bytes(28)).openssl_random_pseudo_bytes(7)); // md5(uniqid()) md5(random_bytes(164))<< this is the old version which is deprecated...
    }
    public static function gen_csrf_token2(){ // Csrf Token 2.
        return Session::sesh_put(Config::get_conf('session/token2_name'), bin2hex(random_bytes(28)).openssl_random_pseudo_bytes(7)); // ::>> Brackets maybe wrong way round in here.
    }
    public static function genchilli_token(){ // Use this to Build a Pepper, Salt is in the Hash Class. Abstract Away..
        $Chilli = bin2hex(128).=openssl_random_psuedo_bytes(48).=md5('x12ii21ii12x');
        return $Chilli; // <<:: Test me?
    }
    public static function check_token($token){
        // echo 'I have been run line 15 Token Class';
        $token_name = Config::get_conf('session/token_name'); // ::>> index=12
        // echo 'I have been run line 16 Token Class';
        if(Session::sesh_exists($token_name)&& $token === Session::get_sesh($token_name)){
            Session::del_sesh($token_name);
            return true;
        }
        return false;
    }
}
The Token class relies on both the Session and the Config classes to work, namely the functions Session::sesh_put() and Config::conf_get(), but I can't find any errors in here either, and no errors are being displayed.
Session.class.php
<?php
class Session{
    public static function get_sesh($name){
        // echo 'Debug Only >> Session::Get Ran';
        return $_SESSION[$name]; // ::<< these relate to Token Name in Token.class.php
    }
    public static function sesh_put($name, $value){
        // echo 'Debug Only >> Session::put Ran';
        return $_SESSION[$name] = $value;
    }
    public static function sesh_exists($name){
        // echo 'Debug Only >> Session::exists Ran';
        return (isset($_SESSION[$name])) ? true : false;
    }
    public static function del_sesh($name){
        if(self::sesh_exists($name)){
            unset($_SESSION[$name]);
        }
    }
    public static function sesh_flash($name, $string = ''){ // Used for flashing a msg to user.
        if(self::sesh_exists($name)){ // Flash eps 13 // Not returning any messages for some reason..
            $session = self::get_sesh($name);
            self::del_sesh($name); // This deletes the session
            return $session;
        } else {
            self::sesh_put($name, $string);
        }
    }
}
// After done upload to code review
?>
Config.php
<?php // ::>> This File Has no Errors. Upto eps 8 No errors spotted so far..
class Config{ // ::>> Need to build in here a check for Faulty Paths then Exit script. destroy session, log user out.
    public static function get_conf($path = null){
        if($path){
            $config = $GLOBALS['config'];
            $path = explode('/', $path);
            foreach($path as $bit){
                if(isset($config[$bit])){
                    $config = $config[$bit];
                }
            }
            return $config;
        }
        return false;
    }
}
init.php
<?php
session_start();
error_reporting(E_ALL & E_NOTICE);
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
$GLOBALS['config'] = array(
    'mysql' => array(
        'host' => 'localhost', // ::> 127.0.0.1
        'charset' => 'redacted',
        'db-usr' => 'redacted',
        'db-psw' => 'redacted',
        'db' => 'redacted',
        'ssh' => 'false', // ::<< I added these last three for later Updates to Determine access via these three methods.
        'cli' => 'false', // <<:: Need very strong Authentication If I every choose to use these.
        'cgi' => 'false' // ::>> Set-up two factor Authentication at some point.
    ),
    'remember' => array(
        'cookie_name' => 'hashish_cookie',
        'cookie_expiry' => '784828'
        // 'preferences' => array( // <<:: I added this for later functionality.
        //     'usr_pref' => 'has_cat',
        //     'needs' => 'null'
        // ),
    ),
    'session' => array( // Add different Session types in here ie. Guest, Admin, Mod, ExtMod, RootAd, HasCat.
        'session_name' => 'usr_session',
        'token_name' => 'csrf_tokenz',
        'token2_name' => 'csrf_tokenz2',
        'hacker_bait' => 'redacted',
        'has_cat' => '0'
    )
); // Closing Tag for Globals Array
spl_autoload_register(function($class) {
    require_once 'Classes/' . $class . '.class.php';
});
require_once 'Functions/sanitize.php';
if(Cookie::cookie_exists(Config::get_conf('remember/cookie_name')) && !Session::sesh_exists(Config::get_conf('session/session_name'))){
    echo 'User Asked to Be remembered!';
    $hash = Cookie::get_cookie(Config::get_conf('remember/cookie_name'));
    $hashCheck = DB::getInstance()->get_dbr('usr_session', array('hash', '=', $hash)); // <<:: Check if this is xx >> usr_session << Correct one < or usrs_session..
    if($hashCheck->count_dbr()){
        echo 'Hash matches, log usr in';
    } // Unsure if this is dbr_count or count_dbr or a built in pdo version of count?
}
?>
Any help or pointers would be greatly appreciated, as I can't find the error and it's bugging me. I will update the question and include config.php in a minute when I've logged back into my hosting site. I have already tried using md5, uniqid, random_bytes, ssl_random_pseudo_bytes and multiple different combinations but can't get this to work properly. I know that there are multiple other questions on how to securely generate a CSRF token, but none of the ones I have found are using classes or object oriented programming, nor do they address my specific issue. I have read multiple different ones, some of which have helped my understanding but not with fixing this issue.
The image shows what is being rendered and where it stops or breaks, having used Ctrl + U as Mike suggested in the comments.
Update: I just added a ~ to E_NOTICE in the error reporting after reading the post that Mike shared (Error Reporting), and it has generated a new notice that wasn't showing before, so that might help to fix these issues. Picture included below:
Fixed: commenting out the innards of the chilli function....
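As an added example (not the asker's or the project's code), here is how the token generation and check from Token.class.php can be written so that the value is always printable hex, the hidden field is escaped for its attribute context, and the comparison is constant-time and single-use. It talks to $_SESSION directly rather than through the Session and Config classes, and assumes the session key name 'csrf_tokenz' from init.php.

```php
<?php
// Added example, not the asker's code: a minimal CSRF token helper in the
// style of Token.class.php. It uses $_SESSION directly instead of the
// asker's Session/Config classes; the session key name is assumed.
final class CsrfToken
{
    private const SESSION_KEY = 'csrf_tokenz'; // session/token_name in init.php

    // Store a fresh token in the session and return it. bin2hex() keeps the
    // value printable; appending raw openssl_random_pseudo_bytes() output, as
    // the original gen_csrf_token() does, puts arbitrary bytes into an HTML
    // attribute and can break the markup that follows the field.
    public static function generate(): string
    {
        $token = bin2hex(random_bytes(32)); // 64 hex chars from a CSPRNG
        $_SESSION[self::SESSION_KEY] = $token;
        return $token;
    }

    // Single-use, constant-time check. The stored value is removed whether or
    // not it matched, so a failed attempt cannot retry against the same token.
    public static function check(?string $submitted): bool
    {
        $stored = $_SESSION[self::SESSION_KEY] ?? null;
        unset($_SESSION[self::SESSION_KEY]);
        if (!is_string($stored) || $submitted === null) {
            return false;
        }
        return hash_equals($stored, $submitted);
    }

    // The hidden field, escaped for an HTML attribute context.
    public static function field(): string
    {
        return '<input type="hidden" name="' . self::SESSION_KEY . '" value="'
            . htmlspecialchars(self::generate(), ENT_QUOTES, 'UTF-8') . '">';
    }
}

// Report everything while developing. E_ALL & E_NOTICE is just E_NOTICE, so
// the original init.php reported notices only and never displayed the fatal
// ParseError caused by the `.=` in genchilli_token(); E_ALL & ~E_NOTICE (the
// asker's update) reports everything except notices.
error_reporting(E_ALL);
ini_set('display_errors', '1');

session_start();
echo CsrfToken::field(), PHP_EOL;      // emits the hidden input
$t = CsrfToken::generate();
var_dump(CsrfToken::check($t), CsrfToken::check($t)); // fresh token, then the same token again (single use)
```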