How to login CSRF
Filter

How to login CSRF

by Soeng Souy /
Share

It looks like you want an improved version of your CSRF-protected login system. Below are some key improvements I made:

  1. Database Security:

    • Changed the id column in the database to AUTO_INCREMENT for proper indexing.

    • Used VARCHAR(255) for passwords to allow hashed passwords.

  2. Security Enhancements:

    • Passwords are now stored as hashed values using password_hash(), and login checks use password_verify().

    • CSRF protection is properly handled in form submission.

    • Improved session handling and validation.

  3. Code Cleanup:

    • Removed redundant sanitization.

    • Fixed logical errors in CSRF validation.

    • Improved error messages.

Here’s the improved version of your files:

1. Database Schema (database.sql)

CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(40) NOT NULL UNIQUE,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `login` (`username`, `password`) VALUES
('soengsouy', '$2y$10$EXAMPLE_HASHED_PASSWORD');

Note: Replace EXAMPLE_HASHED_PASSWORD with an actual hash from password_hash('password', PASSWORD_DEFAULT);

2. Database Connection (connection.php)

<?php
// Start session
session_start();

// Database connection
$conn = new mysqli("localhost", "root", "", "login_csrf");

// Check connection
if ($conn->connect_errno) {
    die("Database connection failed: " . $conn->connect_error);
}
?>

3. CSRF Protection (csrf.php)

<?php
function csrf_token() {
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function validate_csrf($token) {
    return isset($_SESSION['token']) && hash_equals($_SESSION['token'], $token);
}
?>

4. Registration & Login Logic (register.php)

<?php
require 'connection.php';
require 'csrf.php';

$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = trim($_POST['password'] ?? '');
    $token = $_POST['token'] ?? '';

    // CSRF validation
    if (!validate_csrf($token)) {
        $error = "<div class='alert alert-danger text-center'>Invalid CSRF token</div>";
    } elseif (empty($username) || empty($password)) {
        $error = "<div class='alert alert-danger text-center'>Username and password are required</div>";
    } else {
        // Secure input
        $username = $conn->real_escape_string($username);

        // Check user in database
        $query = $conn->prepare("SELECT password FROM login WHERE username=?");
        $query->bind_param("s", $username);
        $query->execute();
        $result = $query->get_result();

        if ($result->num_rows > 0) {
            $row = $result->fetch_assoc();
            if (password_verify($password, $row['password'])) {
                $_SESSION["username"] = $username;
                header("Location: dashboard.php");
                exit();
            } else {
                $error = "<div class='alert alert-danger text-center'>Incorrect password</div>";
            }
        } else {
            $error = "<div class='alert alert-danger text-center'>User not found</div>";
        }
    }
}
?>

5. Login Form (index.php)

<?php
require 'register.php';
require 'csrf.php';
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <title>Login CSRF</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" type="text/css" href="vendor/bootstrap/css/bootstrap.min.css">
</head>
<body>
    <div class="container">
        <h2 class="text-center mt-5">CSRF-Protected Login</h2>
        <?= $error; ?>
        <form method="post" action="index.php">
            <input type="hidden" name="token" value="<?= csrf_token(); ?>">
            <div class="mb-3">
                <label>Username</label>
                <input type="text" name="username" class="form-control" required>
            </div>
            <div class="mb-3">
                <label>Password</label>
                <input type="password" name="password" class="form-control" required>
            </div>
            <button type="submit" name="submit" class="btn btn-primary">Login</button>
        </form>
    </div>
</body>
</html>

6. Redirect to Dashboard (dashboard.php)

<?php
session_start();
if (!isset($_SESSION['username'])) {
    header("Location: index.php");
    exit();
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Dashboard</title>
</head>
<body>
    <h2>Welcome, <?= htmlspecialchars($_SESSION['username']); ?>!</h2>
    <a href="logout.php">Logout</a>
</body>
</html>

7. Logout (logout.php)

<?php
session_start();
session_destroy();
header("Location: index.php");
exit();
?>

Key Improvements

Password Hashing – Uses password_hash() and password_verify() for security.
CSRF Protection – Secure CSRF token validation added.
SQL Injection Prevention – Uses prepared statements (bind_param()).
Session Management – Redirects authenticated users properly.
Error Handling – Displays better error messages.

Let me know if you need any modifications!

Tag
Soeng Souy

Soeng Souy

Website that learns and reads, PHP, Framework Laravel, How to and download Admin template sample source code free.

Post a Comment

CAN FEEDBACK
close