Login script gives access to wrong account in very rare cases


17 Replies - 491 Views - Last Post: 13 July 2020 - 05:43 PM

#1 O'Niel

  • D.I.C Addict

Reputation: 26
  • Posts: 598
  • Joined: 13-September 15

Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 04:43 AM

I have the following Registration code:
    //Register user
    if (isset($_POST['btnRegister'])) {

        //Check if mail already exists (email is UNIQUE in user_account)
        $email_ = $_POST['email'];
        $stmt = $conn->prepare("SELECT email FROM user_account WHERE email=?");
        $stmt->bind_param("s", $email_);
        $stmt->execute();
        $stmt->store_result();                 //Buffer the result so num_rows is valid

        if ($stmt->num_rows > 0) {
            echo "Dit account bestaat al";     //Account already exists
            $stmt->close();
        } else {
            $stmt->close();                    //Release the SELECT before reusing $stmt
            $insert_id = 0;

            //Add to Database (only the bcrypt hash of the password is stored)
            $firstname_ = $_POST['firstname'];
            $lastname_ = $_POST['lastname'];
            $password_ = password_hash($_POST['password'], PASSWORD_DEFAULT);
            $address_ = $_POST['address'];
            $tel_ = $_POST['tel'];
            $stmt = $conn->prepare("INSERT INTO user_account (firstname, lastname, email, password, address, tel) VALUES (?, ?, ?, ?, ?, ?)");
            $stmt->bind_param("ssssss", $firstname_, $lastname_, $email_, $password_, $address_, $tel_);
            if ($stmt->execute()) {
                //Send mail

                $insert_id = $stmt->insert_id; //ID of the row just inserted
                $_SESSION['user_id'] = $insert_id;
            }
            $stmt->close();
        }
    }



And the following Login code:
    //Login user
    if (isset($_POST['btnLogin'])) {
        $email_ = $_POST['email'];
        $stmt = $conn->prepare("SELECT ID, password FROM user_account WHERE email=?");
        $stmt->bind_param("s", $email_);
        $stmt->execute();
        $stmt->bind_result($ID, $password);
        $found = $stmt->fetch();              //false when no row matches; $ID/$password stay unset
        $stmt->close();

        if ($found && password_verify($_POST['password'], $password)) {
            $_SESSION['user_id'] = $ID;
            header("Location: /account/");
        } else {
            header("Location: /index#login-of-registreer");
        }
        exit;                                 //Stop the script after sending the redirect
    }



Database table:
+------------+-----------------+------+-----+---------+----------------+
| Field      | Type            | Null | Key | Default | Extra          |
+------------+-----------------+------+-----+---------+----------------+
| ID         | bigint unsigned | NO   | PRI | NULL    | auto_increment |
| firstname  | varchar(250)    | NO   |     | NULL    |                |
| lastname   | varchar(250)    | NO   |     | NULL    |                |
| email      | varchar(250)    | NO   | UNI | NULL    |                |
| tel        | varchar(16)     | YES  |     | NULL    |                |
| password   | varchar(250)    | NO   |     | NULL    |                |
| address    | varchar(250)    | NO   |     | NULL    |                |
| postalcode | varchar(4)      | YES  |     | NULL    |                |
+------------+-----------------+------+-----+---------+----------------+



This code works perfectly in 99.9% of the cases. When entering the wrong mail/password you don't get access, and when entering a correct combination you get nicely redirected to your personal account space.
email is unique in the database table.

However, I have had one or two reports of a very strange case. It was of a user who tried to login, and got access to a very random user account.
Seems like the $_SESSION['user_id'] got assigned a random value.

What am I doing wrong in my code that this behaviour exists in some very rare cases? I am not able to reproduce it in any way.

Thanks!

This post has been edited by O'Niel: 05 July 2020 - 04:44 AM


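A defensive version of the login handler from the post above, written as an added example (not the thread's own code): it guards the unchecked fetch(), regenerates the session id at login and marks the authentication response uncacheable, which covers the session bleed-over and caching hypotheses discussed later in the thread. It assumes $conn is an open mysqli connection to the same user_account table; the function name login_user() is made up here.

```php
<?php
// Added example, not the thread's own code. Assumes $conn is an open mysqli
// connection to the same user_account table as in the original post; the name
// login_user() is made up for this example.
session_start();

function login_user(mysqli $conn, string $email, string $password): bool
{
    // Authentication responses carry Set-Cookie: forbid any cache in the
    // pipeline from storing this response and replaying it to another visitor.
    header('Cache-Control: no-store, private');

    $stmt = $conn->prepare('SELECT ID, password FROM user_account WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = (bool) $stmt->fetch();   // false when the email is unknown
    $stmt->close();

    // Always run exactly one password_verify() so unknown and known emails cost
    // the same time, and so $hash is never an undefined variable.
    $stored = $found ? $hash : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored) || !$found) {
        return false;
    }

    // Drop whatever the pre-login session held and issue a fresh session id
    // before storing the identity, so a stale or reused id can never become
    // a logged-in one.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $id;
    $_SESSION['login_time'] = time();
    return true;
}

if (isset($_POST['btnLogin'])) {
    $ok = login_user($conn, (string) ($_POST['email'] ?? ''), (string) ($_POST['password'] ?? ''));
    header('Location: ' . ($ok ? '/account/' : '/index#login-of-registreer'));
    exit;   // nothing after a redirect should keep executing
}
```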

Replies To: Login script gives access to wrong account in very rare cases

#2 modi123_1

  • Suitor #2

Reputation: 15804
  • Posts: 63,308
  • Joined: 12-June 08

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 07:10 AM

Are you calling 'session_start' and 'session_destroy' in appropriate places?

Sounds like you are getting bleed over, or collisions, with session ids.

#3 O'Niel

  • D.I.C Addict

Reputation: 26
  • Posts: 598
  • Joined: 13-September 15

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 07:21 AM

I am calling session_start() at the very top of my codefile. The login and registration script are in the same codefile. I am only calling session_destroy when the user logs out.

This situation also sometimes occurs:
session_start();

//...

include_once("file_with_also_session_start_on_top"); //So session_start() is double in this particular file

//...



But I don't see how that could cause this problem.

#4 modi123_1

  • Suitor #2

Reputation: 15804
  • Posts: 63,308
  • Joined: 12-June 08

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 07:32 AM

Hmm.. definitely sounds like some sort of weird session id collision is happening, or some sort of bleed over.

Are you getting a ton of traffic?

What version of php is this on?

May have some caching issues involved.

Ex:
https://bugs.php.net/bug.php?id=75496

#5 O'Niel

  • D.I.C Addict

Reputation: 26
  • Posts: 598
  • Joined: 13-September 15

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 10:37 AM

In the page you presented the reporter states that FastCGI caused the problem. I also have that enabled on my server (I can turn it off though).
Could this be the reason? If yes, what exactly is CGI?

And it's on PHP 7.3; and not getting that much traffic. Few hundred registrations a day.

This post has been edited by O'Niel: 05 July 2020 - 10:43 AM


#6 modi123_1

  • Suitor #2

Reputation: 15804
  • Posts: 63,308
  • Joined: 12-June 08

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 10:48 AM

I would give it a whirl and see what happens, and keep an eyeball on performance.

It would be a reasonable jump that, if session info is accidentally bleeding over or colliding, a cache would be a possible problem.

I'm not that hard core of a server geek to be able to rattle off a whole bunch on the topic, but CGI is the protocols to make things dynamic.

Ex: https://help.dreamho...astCGI-overview

#7 Dormilich

  • 痛覚残留

Reputation: 4278
  • Posts: 13,573
  • Joined: 08-June 10

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 12:25 PM

O'Niel, on 05 July 2020 - 07:37 PM, said:

what exactly is CGI?

(Fast)CGI is how the web server and PHP communicate (https://en.wikipedia.org/wiki/Common_Gateway_Interface). The other way is PHP-FPM (https://www.php.net/fpm), which is still related to CGI, though.

This post has been edited by Dormilich: 05 July 2020 - 12:25 PM


#8 O'Niel

  • D.I.C Addict

Reputation: 26
  • Posts: 598
  • Joined: 13-September 15

Re: Login script gives access to wrong account in very rare cases

Posted 05 July 2020 - 04:00 PM

So CGI is actually what enables my script to handle POST and GET requests? And when I disable it, it uses PHP-FPM. But if I were using Python or Rust as back-end, would CGI be obligatory?

I disabled it by the way. My user-base is too small to test if this is a working solution. But if I don't have a new report in a few days, I'll let you know.

#9 Ornstein

  • D.I.C Head

Reputation: 105
  • Posts: 216
  • Joined: 13-May 15

Re: Login script gives access to wrong account in very rare cases

Posted 06 July 2020 - 02:48 AM

If I'm not wrong, the problem in the bug report was due to caching - especially caching the response which sets the session cookie - not Fast/CGI itself. Are you aware of any caching anywhere in the pipeline?

There are other edge cases that can potentially cause problems with sessions, but it might end up being quicker and easier to use some secure and reliable sessions package.

When you say you're trying to reproduce the problem, what exactly are you doing? I'd imagine this issue will only occur when two people visit the site (and/or log in) at pretty much exactly the same time - so unless you've written some code to automate that, you're probably not going to be able to reproduce it manually (e.g. in the browser).

#10 Dormilich

  • 痛覚残留

Reputation: 4278
  • Posts: 13,573
  • Joined: 08-June 10

Re: Login script gives access to wrong account in very rare cases

Posted 06 July 2020 - 03:18 AM

O'Niel, on 06 July 2020 - 01:00 AM, said:

But if I were using Python or Rust as back-end, would CGI be obligatory?

Even those would have to use some kind of CGI if they need to be invoked by the web server.

#11 O'Niel

  • D.I.C Addict

Reputation: 26
  • Posts: 598
  • Joined: 13-September 15

Re: Login script gives access to wrong account in very rare cases

Posted 06 July 2020 - 09:49 AM

Ornstein, on 06 July 2020 - 02:48 AM, said:

If I'm not wrong, the problem in the bug report was due to caching - especially caching the response which sets the session cookie - not Fast/CGI itself. Are you aware of any caching anywhere in the pipeline?

There are other edge cases that can potentially cause problems with sessions, but it might end up being quicker and easier to use some secure and reliable sessions package.

When you say you're trying to reproduce the problem, what exactly are you doing? I'd imagine this issue will only occur when two people visit the site (and/or log in) at pretty much exactly the same time - so unless you've written some code to automate that, you're probably not going to be able to reproduce it manually (e.g. in the browser).


I'm not aware of any caching. I tried logging in with two different accounts at the same time (separated on mobile and laptop) as an attempt to replicate the issue.

#12 CTphpnwb

  • D.I.C Lover

Reputation: 3837
  • Posts: 13,998
  • Joined: 08-August 08

Re: Login script gives access to wrong account in very rare cases

Posted 11 July 2020 - 04:23 AM

I assume that password_verify($_POST['password'], $password) hashes $_POST['password'] and compares it to $password, so I suggest that you instead hash $_POST['password'] and make that a parameter in your query. This will:
  • Reduce the amount of code, making it easier to debug.
  • Speed up your code a tiny bit.
  • Make it even less likely that there could be a bug causing two rows to be returned, pointing to a cache issue as the culprit.


#13 O'Niel

  • D.I.C Addict

Reputation: 26
  • Posts: 598
  • Joined: 13-September 15

Re: Login script gives access to wrong account in very rare cases

Posted 12 July 2020 - 05:49 PM

Could you elaborate a bit? @CTphpnwb
I didn't really get what you mean.

I by the way received a few peaks in registrations/logins, and got no complaints at all after disabling CGI.
I think the CGI function does some caching which makes the system fail.

#14 CTphpnwb

  • D.I.C Lover

Reputation: 3837
  • Posts: 13,998
  • Joined: 08-August 08

Re: Login script gives access to wrong account in very rare cases

Posted 12 July 2020 - 07:10 PM

Do you know what password_verify() does?

Your query returns row(s) that match the email address. You then check the password. It would be easier and faster to return row(s) that match the email and the password. To do that, you'd need to hash the user supplied password and use the hash as an additional parameter in the query.

This would have the added benefit of shortening your code. Shorter code is generally easier to debug.

This post has been edited by CTphpnwb: 12 July 2020 - 07:11 PM


#15 Dormilich

  • 痛覚残留

Reputation: 4278
  • Posts: 13,573
  • Joined: 08-June 10

Re: Login script gives access to wrong account in very rare cases

Posted 13 July 2020 - 12:46 AM

CTphpnwb, on 13 July 2020 - 04:10 AM, said:

It would be easier and faster to return row(s) that match the email and the password. To do that, you'd need to hash the user supplied password and use the hash as an additional parameter in the query. This would have the added benefit of shortening your code. Shorter code is generally easier to debug.

Unfortunately that only works if you could do the password hashing on the database level, which AFAIK MySQL/MariaDB do not support (reason being that the bcrypt hash contains a random salt).

OTOH, the email address should really be a unique value (otherwise you cannot send an email to only a single recipient, think of password reset), so fetching by email would then result in a single row anyway.
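Dormilich's point above, shown in code as an added example that is not part of the thread: because password_hash() generates a fresh random salt on every call, a query that matches the password column against a newly computed hash never finds the row, while password_verify() against the stored hash does. The in-memory $table below is a constructed stand-in for user_account, and both function names are made up here.

```php
<?php
// Added example, not from the thread. The array below is a constructed
// stand-in for the user_account table; the stored value is a bcrypt hash
// exactly as the registration code in the thread would produce it.
function make_user_table(): array
{
    return [
        ['ID' => 1, 'email' => 'alice@example.test',
         'password' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
}

// The approach suggested in the thread: hash the submitted password and use
// the result as a second lookup key. Each password_hash() call embeds a new
// random salt, so the candidate string never equals the stored one.
function login_by_hash_column(array $table, string $email, string $password): ?int
{
    $candidate = password_hash($password, PASSWORD_DEFAULT);
    foreach ($table as $row) {
        if ($row['email'] === $email && hash_equals($row['password'], $candidate)) {
            return $row['ID'];
        }
    }
    return null;
}

// The working approach: fetch the single row for the unique email, then let
// password_verify() read the salt out of the stored hash and recompute it.
function login_by_verify(array $table, string $email, string $password): ?int
{
    foreach ($table as $row) {
        if ($row['email'] === $email && password_verify($password, $row['password'])) {
            return $row['ID'];
        }
    }
    return null;
}

$table = make_user_table();
// Two hashes of the same password differ, which is why the column match fails.
var_dump(password_hash('correct horse', PASSWORD_DEFAULT) === $table[0]['password']);
var_dump(login_by_hash_column($table, 'alice@example.test', 'correct horse'));
var_dump(login_by_verify($table, 'alice@example.test', 'correct horse'));
var_dump(login_by_verify($table, 'alice@example.test', 'wrong password'));
```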
