Originally Posted by dscvry
Atticus - does this describe the phenomenon:
"... for both customer and admin logins, only the very first attempt with correct data input is bringing up the message 'There was a security error while trying to login'. The password asterisks stay in place, and simply tapping return once more then gets you into the store/admin with apparently full functionality."
Not sure why that happens, but it can be lived with if so ... (dscvry post above from June 2008) - sweet if that's the issue.
I've been experiencing exactly the same problem as described above. I'm using a fresh installation of Zencart v1.38a, so all the security tokens are in place. The tutorial regarding this issue actually says to add
<?php echo zen_draw_hidden_field('securityToken', $_SESSION['securityToken']); ?>
after every occurrence of the password field (zen_draw_password_field function). This is already present in
- /includes/templates/MY_TEMPLATE/templates/tpl_login_default.php and
- /includes/templates/MY_TEMPLATE/templates/tpl_timeout_default.php
My question is, where is it meant to go in /admin/login.php (see my code below)? There is no "zen_draw_password_field." I can only guess that the line <input type="hidden" name="securityToken" value="<?php echo $_SESSION['securityToken']; ?>"> is doing the same job. Is this correct?
I'm currently using my own customised template, and have made some cosmetic css alterations to the appearance of the admin login pages (see code plus jpg example below). Other addons that are installed include: About Us Page, Column Divider Pro, Column Layout Grid, CSS Menu, Flash Hacks, Newsletter Subscribe, Time Zone Offset and RFQ. The problem was also happening before AND after I had installed an SSL, and even after I've installed the latest security patch. I've read all the posts regarding this issue but none seem to really resolve this.
To me, it seems like a random occurrence. It doesn't always happen, but sometimes it even happens after I've just rebooted the computer or cleared the cache etc. I am able to get past the login via the store front or admin after my second or third attempt, and everything else seems to function without a problem thereafter. I've only come across this problem once in the store front when trying to log in as a customer. The message occurs more in the admin, maybe because I've been logging in to the admin section more than the store front.
I am happy to just ignore this occurrence and simply live with it as suggested, but I want to be sure that I am not ignoring a serious security issue that will come back to bite me later down the track after the store has gone live. I am actually inclined to change the message from "There was a security error when trying to login" to a less menacing warning like "There was an error when trying to login" in order to prevent my client and the shop customers from panicking when seeing this message. At this point I am very hesitant to go live until this problem is completely resolved. So, if anyone has a solution, please, please share.
Code:
<?php
//
// +----------------------------------------------------------------------+
// |zen-cart Open Source E-commerce                                       |
// +----------------------------------------------------------------------+
// | Copyright (c) 2003 The zen-cart developers                           |
// |                                                                      |
// | http://www.zen-cart.com/index.php                                    |
// |                                                                      |
// | Portions Copyright (c) 2003 osCommerce                               |
// +----------------------------------------------------------------------+
// | This source file is subject to version 2.0 of the GPL license,       |
// | that is bundled with this package in the file LICENSE, and is        |
// | available through the world-wide-web at the following url:           |
// | http://www.zen-cart.com/license/2_0.txt.                             |
// | If you did not receive a copy of the zen-cart license and are unable |
// | to obtain it through the world-wide-web, please send a note to       |
// | [email protected] so we can mail you a copy immediately.             |
// +----------------------------------------------------------------------+
// $Id: login.php 6522 2007-06-20 23:34:31Z wilt $
//
require('includes/application_top.php');

$message = false;
$pass_message = '';   // initialised so the echo in the form below never reads an undefined variable

if (isset($_POST['submit'])) {
  $admin_name = zen_db_prepare_input($_POST['admin_name']);
  $admin_pass = zen_db_prepare_input($_POST['admin_pass']);

  $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN . " where admin_name = '" . zen_db_input($admin_name) . "'";
  $result = $db->Execute($sql);

  // CSRF check: the token held in the session must exist on both sides and match the
  // value posted back from the hidden securityToken field in the form below.
  // If it fails, $message is set and the login is refused even with correct credentials.
  if ((!isset($_SESSION['securityToken']) || !isset($_POST['securityToken'])) || ($_SESSION['securityToken'] !== $_POST['securityToken'])) {
    $message = true;
    $pass_message = ERROR_SECURITY_ERROR;
  }

  // Credential checks; a wrong name or password overwrites $pass_message with ERROR_WRONG_LOGIN.
  if (!($admin_name == $result->fields['admin_name'])) {
    $message = true;
    $pass_message = ERROR_WRONG_LOGIN;
  }
  if (!zen_validate_password($admin_pass, $result->fields['admin_pass'])) {
    $message = true;
    $pass_message = ERROR_WRONG_LOGIN;
  }

  // All checks passed: store the admin id in the session, optionally rotate the
  // session id, and send the user to the admin start page.
  if ($message == false) {
    $_SESSION['admin_id'] = $result->fields['admin_id'];
    if (SESSION_RECREATE == 'True') {
      zen_session_recreate();
    }
    zen_redirect(zen_href_link(FILENAME_DEFAULT, '', 'SSL'));
  }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>" />
<title><?php echo TITLE; ?></title>
<link href="includes/stylesheet.css" rel="stylesheet" type="text/css" />
</head>
<body id="login" onload="document.getElementById('admin_name').focus()">
<form name="login" action="<?php echo zen_href_link(FILENAME_LOGIN, '', 'SSL'); ?>" method="POST">
  <fieldset>
    <!--<legend><?php echo HEADING_TITLE; ?></legend>-->
    <span class="loginMessage"><?php echo $pass_message; ?></span>
    <br /><br />
    <label class="loginLabel" for="admin_name"><?php echo TEXT_ADMIN_NAME; ?></label>
    <input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />
    <br class="clearBoth" />
    <label class="loginLabel" for="admin_pass"><?php echo TEXT_ADMIN_PASS; ?></label>
    <?php // the submitted password is echoed back into the field, which is why the asterisks stay in place after a failed attempt ?>
    <input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo zen_output_string($admin_pass); ?>" />
    <br class="clearBoth" />
    <?php // the CSRF token that the check at the top of this file compares against $_SESSION['securityToken'] ?>
    <input type="hidden" name="securityToken" value="<?php echo $_SESSION['securityToken']; ?>" />
    <input type="submit" name="submit" class="button" value="Login" />
    <br /><br />
    <?php echo '<a class="resend_password" href="' . zen_href_link(FILENAME_PASSWORD_FORGOTTEN, '', 'SSL') . '">' . TEXT_PASSWORD_FORGOTTEN . '</a>'; ?>
    <br />
    <br />
    <br />
    <!--<?php /*?> <span class="loginMessage"><?php echo $pass_message; ?></span><?php */?>-->
  </fieldset>
</form>
</body>
</html>
<?php require('includes/application_bottom.php'); ?>
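The following is an added example, not Zen Cart code and not part of the post above: it lifts the securityToken condition from the top of admin/login.php into a function and runs it against constructed $_SESSION and $_POST arrays, so each path that produces ERROR_SECURITY_ERROR can be seen on its own. The function names make_token(), token_check_passes() and hidden_field_value() are this example's own, and PHP 7 or later is assumed for random_bytes() and hash_equals().

```php
<?php
// Added example (not Zen Cart code): a model of the securityToken check in
// admin/login.php, exercised with constructed session and POST data.
// make_token(), token_check_passes() and hidden_field_value() are names
// invented for this example. PHP 7+ assumed (random_bytes, hash_equals).

function make_token()
{
    // A per-session random token. In the store this value is placed in
    // $_SESSION['securityToken'] during session initialisation, before the
    // login form is rendered.
    return bin2hex(random_bytes(16));
}

function token_check_passes(array $session, array $post)
{
    // Same condition as login.php, written out:
    //   (!isset($_SESSION['securityToken']) || !isset($_POST['securityToken']))
    //   || ($_SESSION['securityToken'] !== $_POST['securityToken'])
    if (!isset($session['securityToken']) || !isset($post['securityToken'])) {
        return false;   // token missing on one side -> ERROR_SECURITY_ERROR
    }
    // login.php compares with !==; hash_equals() is the constant-time equivalent.
    return hash_equals($session['securityToken'], $post['securityToken']);
}

function hidden_field_value(array $session)
{
    // What the hidden securityToken input contains when the form is rendered:
    // the session token if there is one, otherwise an empty string (echoing an
    // unset $_SESSION key prints nothing).
    return isset($session['securityToken']) ? $session['securityToken'] : '';
}

// Scenario 1: the session held a token when the form was rendered and the same
// session is present when the form is posted back -> accepted.
$session = array('securityToken' => make_token());
$post = array('securityToken' => hidden_field_value($session), 'submit' => 'Login');
var_dump(token_check_passes($session, $post));   // bool(true)

// Scenario 2: the form was rendered before the session held a token, so the
// hidden field went out empty; by the time the POST arrives a token exists and
// cannot match -> the first attempt shows the security error. The form is then
// rendered again with the token now present, so the second attempt passes.
$render_session = array();                                 // no token yet
$post = array('securityToken' => hidden_field_value($render_session), 'submit' => 'Login');
$submit_session = array('securityToken' => make_token());  // token assigned on the POST request
var_dump(token_check_passes($submit_session, $post));      // bool(false)
$post['securityToken'] = hidden_field_value($submit_session);   // form re-rendered
var_dump(token_check_passes($submit_session, $post));      // bool(true)

// Scenario 3: the session was replaced between render and submit (new session,
// new token), for example because the session cookie was not sent back -> rejected.
$old_session = array('securityToken' => make_token());
$new_session = array('securityToken' => make_token());
$post = array('securityToken' => hidden_field_value($old_session), 'submit' => 'Login');
var_dump(token_check_passes($new_session, $post));   // bool(false)

// Scenario 4: a cross-site POST carrying credentials but no token at all ->
// rejected, which is what the check exists for.
$post = array('admin_name' => 'admin', 'admin_pass' => 'secret', 'submit' => 'Login');
var_dump(token_check_passes($session, $post));   // bool(false)
```

Run it with `php` on the command line. Scenarios 2 and 3 are the two paths that fail exactly once and then succeed on a re-rendered form, and both depend on what the session held when the page was rendered, not on where the hidden field sits: the plain `<input type="hidden" name="securityToken" ...>` in the admin page carries the same name/value pair that zen_draw_hidden_field('securityToken', ...) emits in the storefront templates. A harmless side effect visible in the posted login.php is that the submitted password is echoed back into the password field's value attribute, which is why the asterisks stay in place after a failed attempt.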