Hello
I've been working on a login script that is to authenticate a user with a password hashed with a unique ID. It's pretty standard stuff, I think.
I include a random value in a hidden input field in my login form, storing that same value in a PHP session. On form submit, I use JavaScript to hash a concatenated string of unique value + password, and post that hash as the password. I compare that posted value with a hash of the session value and the password, and if all is good, I've logged in without revealing the users password in the HTTP headers.
It works in FF and every other browser I've tried, but fails in Internet Explorer. I've spent the weekend Googling around, like you do, trying every trick I can find, to no avail.
Please help?!
Here's a simplified version of the script (not including the hashing function, which isn't necessary to replicate). It should work with a straight copy/paste:
<?php
$self = basename($_SERVER['SCRIPT_NAME']);
$username = 'username';
$password = 'password';
session_id();
session_start();
$sessionid = session_id();
$challenge = uniqid();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Session Test</title>
<script type="text/javascript">
//<![CDATA[
function submitLogin() {
var password = document.forms['loginform'].challenge.value + document.forms['loginform'].password.value;
document.forms['loginform'].password.value = password;
document.forms['loginform'].submit();
}
//]]>
</script>
</head>
<body>
<div>
<?php
if(isset($_POST['username'])) {
if($_POST['username'] == $username && $_SESSION['unique'] . $password == $_POST['password']) {
$comparison = "session . password: " . $_SESSION['unique'] . $password . "; " . "posted password: " . $_POST['password'];
$result = "success";
}
else {
$comparison = "session . password: " . $_SESSION['unique'] . $password . "; " . "posted password: " . $_POST['password'];
$result = "failure";
}
}
?>
<form id="loginform" onsubmit="submitLogin();" method="post" action="<?php echo $self; ?>" enctype="multipart/form-data">
<fieldset>
<input type="text" name="challenge" value="<?php echo $challenge; ?>" readonly="readonly" /><br />
<label for="username">Username: </label><br />
<input id="username" type="text" name="username" /><br />
<label for="password">Password: </label><br />
<input id="password" type="password" name="password" /><br />
<input type="submit" name="test" value="test" />
<br />
<?php if($sessionid) { ?>
<div>the session id was: <?php echo $sessionid; ?></div><br />
<br />
<div>comparison:<br />
<?php if($comparison) { ?>
<div><?php echo $comparison; ?></div><br />
<?php } ?>
</div>
<br />
<div>the session contained:
<?php echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>
</div>
<?php }
if($result) { ?>
<div>
<b><?php echo $result; ?></b>
</div>
<?php } ?>
</fieldset>
</form>
</div>
</body>
</html>
<?php
$_SESSION['unique'] = $challenge;
?>
Somehow, the JavaScript submit is causing $_SESSION['unique'] to equal a new $challenge, prior to the test.
Any help at all appreciated. I'm testing mainly in IE9, but it's the same in IE7 in Win7 Windows XP mode. I know this can't be a new problem, but I'm at a loss. IE6 works properly.
Thanks!
