fg_membersite.php

Hi,

you can find a fork of the original code on GitHub, which has been updated to MySQLi, here's the link to the code:

• https://github.com/ug2215/RegistrationForm

The upgraded fork was started after the pull request was not merged, as you can read here:

• https://github.com/simfatic/RegistrationForm/pull/11

Bye!

Yes, i tried it some time ago, with no luck.
Tried it again today, and be able to registration, but when try to logon, it just flash back to logon again without any errormessage.
Logon-page starts like this:

<?PHP
require_once("include/membersite_config.php");

if($fgmembersite->CheckLogin())
{
    $fgmembersite->RedirectToURL("/hpp/index.html");
}
if(isset($_POST['submitted']))
{
   if($fgmembersite->Login())
   {
        $fgmembersite->RedirectToURL("/hpp/main.php");
   }
}
$CSRFtoken = $_SESSION['CSRFtoken'];
require 'navigatestart.php';
?>

You could try to add some conditions to the methods involved in the process, to see if you can track down the error, otherwise try to contact the current maintainer, to see if he can suggest you how to fix it.

Yep, found it.
When i place conditions, removing lines from start like if($fgmembersite->CheckLogin()). Noticed that required page headers said "Hello" without CheckLogin. Then this same line in loginNoClientHashing.php-file pick to my eye. Why it is there, when we are just start to login!
Removing rows in this file:

if($fgmembersite->CheckLogin())
{
    $fgmembersite->RedirectToURL("login-home.php");
}

fix the issue. Now it is working!
So, in original download files, includes this fault.
Thanks for comments cereal. I try conditions, and found the error much quicker :-)

No!
I was enjoying too soon of working system.
It works when it likes so. Yesterday evening and this morning it works. Currently it doesn't allow login at all, and when trying to create new members with registration, emails are not sent. Change password request doesn't work at all.
Hard to get fault position. I feel that it is somewhere in session, or salt-functions. This is area, what is quite complex for me.
Maybe something with time or timezones. My production env is in cloud-environment at London and sandbox in my laptop. In laptop env, this was not working at all from start, when updated new files.

Which PHP version are you using? Note that the fork is using at least a function available only on PHP 5.5.0+, hash_pbkdf2 used to hash the password:

• http://php.net/hash-pbkdf2

Consider that I haven't tested the original code neither this fork, so I'm not sure the latter is fully functional.

Look, I hate to have a negative attitude but, in this case, consider that this library:

• is not documented
• is not actively maintained
• embeds an outdated (2007) class dependency (PHPMailer v 2.0.9) in the package, while the latest version is currently 5.2.14 and now available through composer

Ok, PHPMailer should be easy to upgrade but, in my opinion, the main library should use a generic interface, so that you could easily switch the underlying code.

In such situation, I would prefer to start from scratch rather than trying to fix and build my own system, it's a lot easier.

If you're still interested then wait for other responses, you could receive better advices.
Bye!

Yep, i added reply to fork, that have anyone continued with it.
Meanwhile i go grazy here. Login was now successfull. I hate when you cannot trust to code.
Now i think that this unstability has to be in session-function. It has been denied login earlier, and after some time, it allows it.
Added my timezone to membersite_config.php as:
date_default_timezone_set('Europe/Helsinki')
This keep time in correct state now.
And yes, my local test env works now as well. But how long, lets see...

I have php version 5.6.26 in use

Ok, session destroyed after configured 60-minutes, and cannot login-effect is on.
This part of fg_membership.php could be the reason of this:

function CheckLogin()
    {
        // Check that they at least have a session, and if not, create it
        if(!isset($_SESSION)){ 
            session_set_cookie_params(3600,'/','',true,true); // make it expire after 1 hour
            session_start(); 
        }

        // If they do not have a CSRF token, set that too; if we are requiring them.
        if ($this->CSRFTokenRequired) {
            if (!isset($_SESSION['CSRFtoken'])) {
                $token = hash("sha512",mt_rand(0,mt_getrandmax()));
                $_SESSION['CSRFtoken'] = $token;
            }
        }

        // This would mean that they are not logged in, as we set this when a user logs in
        if(empty($_SESSION['username']))
        {
            http_response_code(401);
            return false;
        }

        // They were properly logged in, but that was too long ago (sessionLifeTime) so they need to login again
        if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $this->sessionLifeTime)) {
            /* last request was more than sessionLifeTime ago*/
            session_destroy(); // destroy session data in storage
            http_response_code(401);
            return false;
        }

        // They are properly logged in, so let's update their session timers as appropriate.
        $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
        if (!isset($_SESSION['CREATED'])) {
            $_SESSION['CREATED'] = time();
        } else if (time() - $_SESSION['CREATED'] > $this->sessionLifeTime) {
            /* session started more than sessionLifeTime ago*/
            session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
            $_SESSION['CREATED'] = time(); // update creation time
        }

        return true;
    }

Any session gurus? How to fix this, that it wont let session be in destroyed-state. Working like it was to be originally?

When i login with old-site, what uses old version of membersite, login is successful. After i logout from old-site and try new site login, it is working. This oldsite generated session clears up sessions.
So the fault is in session functions in new version of fg_membersite.
I could try to replace session parts of code with old version, but rather figure out, what is wrong in new code, because it is more advanced.

Testing testing...
Jumping over session_set_cookie_params, allows login, even it was just a minute ago denied.
Dummy question. Do i need cookie expiration necessarily?

    function Login()
    {
        if(empty($_POST['username']))
        {
            $this->HandleError("UserName is empty!");
            return false;
        }

        if(empty($_POST['password']))
        {
            $this->HandleError("Password is empty!");
            return false;
        } 

        if(!isset($_SESSION)) {
//            session_set_cookie_params(3600,'/','',true,true); // make it expire after 1 hour
            session_start();
            if ($this->CSRFTokenRequired) {
                $token = hash("sha512",mt_rand(0,mt_getrandmax()));
                $_POST['CSRFtoken'] = $_SESSION['CSRFtoken'] = $token;
            }
        }

function CheckLogin() sets this same after login. Samekind of error as was with login-script... Doing things before the first steps are not yet done.

Well...
As eMail-functions doesn't work also with this script, i found a fix for that as well.
Skipping all "// $mailer->From = $this->GetFromAddress();" lines, enables sending eMails.
GetFromAddress doesn't work with any combination of using $host or what ever. Doesn't get this variable value to mailer From-tag.
Removing these lines, doesn't put effect to received eMail. From is there anyway.

Oh what a task to put this working. Im now allmost in completion, and happy that i got current level of more secured membersite-pages.
Let's see, iif i found still more unstability from fg_membersite ;-)

More bugs found...
If you want to reset password function work, remove

// BUG: I'm not sure this would work; if the boolean value false was returned, would it still be the boolean value false after being Sanitized?
      $username = SanitizeUsername($this->GetUsernameFromEmail($confirmedemail))

        to
       $username = $this->GetUsernameFromEmail($confirmedemail))

function NotifyOfnewpwd, is not working still, but you know the change of password, because you had the reset-link in eMail allready....