
I'm not looking for anyone to do all the legwork for me, but I have an open source project that works perfectly on most servers, but on one person's server, when you go to register or log in, the page just refreshes instead of logging in. Nothing is getting to the database.

A var_dump of $_POST looks like everything is great and I've stripped out as much of the data verification in the form as I could, but no dice.

Are there tools in Chrome or Firefox/Firebug to help me figure out what's going on? A console log in Chrome just basically tells me that the page has been reloaded, but nothing else. None of my errors are coming back on the page. It's just a simple page refresh.

This is the unedited (minus a bunch of html) login file. It's based on an old system called UserCake. Most of this is legacy code. I'm going to completely rewrite the project from scratch.

<?php require_once("models/top-nav.php"); ?>

<!-- If you are going to include the sidebar, do it here -->
<?php //require_once("models/left-nav.php"); ?>
</div>
<!-- /.navbar-collapse -->
</nav>
<!-- PHP GOES HERE -->
<?php
//Prevent the user visiting the logged in page if he/she is already logged in
if(isUserLoggedIn()) { header("Location: account.php"); die(); }

//Forms posted
if(!empty($_POST))
{
    $token = $_POST['csrf'];
    if(!Token::check($token)){
        die('Token doesn\'t match!');
    }
    //reCAPTCHA 2.0 check
    // empty response
    $response = null;

    // check secret key
    $reCaptcha = new ReCaptcha($privatekey);

    // if submitted check response
    if ($_POST["g-recaptcha-response"]) {
        $response = $reCaptcha->verifyResponse(
            $_SERVER["REMOTE_ADDR"],
            $_POST["g-recaptcha-response"]
        );
    }
    if ($response != null && $response->success) {

    $errors = array();
    $username = sanitize2(trim($_POST["username"]));
    $password = trim($_POST["password"]);

    //Perform some validation
    //Feel free to edit / change as required
    if($username == "")
    {
        $errors[] = lang("ACCOUNT_SPECIFY_USERNAME");
    }
    if($password == "")
    {
        $errors[] = lang("ACCOUNT_SPECIFY_PASSWORD");
    }

        //A security note here, never tell the user which credential was incorrect
        if(!usernameExists($username))
        {
        $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
        }
        else
        {
            $userdetails = fetchUserDetails($username);
            //See if the user's account is activated
            if($userdetails["active"]==0)
            {
                $errors[] = lang("ACCOUNT_INACTIVE");
            }
            else
            {
                //- THE OLD SYSTEM IS BEING REMOVED - Hash the password and use the salt from the database to compare the password.
                //$entered_pass = generateHash($password,$userdetails["password"]);
                //password_verify() returns a boolean (true on match), not a hash
                $entered_pass = password_verify($password,$userdetails["password"]);


                if(!$entered_pass)
                {

                    $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID"); //MAKE UPGRADE CHANGE HERE

                }
                else
                {
                    //Passwords match! we're good to go'

                    //Construct a new logged in user object
                    //Transfer some db data to the session object
                    $loggedInUser = new loggedInUser();
                    $loggedInUser->email = $userdetails["email"];
                    $loggedInUser->user_id = $userdetails["id"];
                    $loggedInUser->hash_pw = $userdetails["password"];
                    $loggedInUser->title = $userdetails["title"];
                    $loggedInUser->displayname = $userdetails["display_name"];
                    $loggedInUser->username = $userdetails["user_name"];


                    //Update last sign in
                    $loggedInUser->updateLastSignIn();
                    $_SESSION["userCakeUser"] = $loggedInUser;

                    //Redirect to user account page
                    header("Location: account.php");
                    die();
                }
            }
        }
    }
}

?>


<?php
echo resultBlock($errors,$successes);
echo "
<div id='regbox'>
<form name='login' action='".$_SERVER['PHP_SELF']."' method='post'>
<p>
";
?>
<label>Username:</label>
<input  class='form-control' type='text' name='username' />
</p>
<p>
<label>Password:</label>
<input  class='form-control'  type='password' name='password' />
</p>
<p><label>Please enter the words as they appear:</label>
    <div class="g-recaptcha" data-sitekey="<?php echo $publickey; ?>"></div>
</p>
<p>
<label>&nbsp;</label>
<input class='btn btn-primary' type='submit' value='Login' class='submit' />
</p>
<input type="hidden" name="csrf" value="<?=Token::generate();?>" >
</form>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<!-- footer -->
<?php require_once("models/footer.php"); ?>
Dan Hoover
  • Network inspector tab in Chrome debugger tools/Firebug. Debug your app on the HTTP level. Not much more we can say about this here. – deceze Jan 12 '16 at 15:45
  • Nothing specific (so not a good SO question - expect it to be closed) but you can check error logs on that server for a start. Also, check network tools in Chrome and see if there isn't a rogue redirect or similar – Steve Jan 12 '16 at 15:46
  • Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Jan 12 '16 at 15:46
  • Console log won't tell you anything about PHP. It will only tell you about JavaScript. We need to see some of your HTML and PHP. – durbnpoisn Jan 12 '16 at 15:47
  • Could be that that server doesn't support certain *possibly* deprecated functions. Your question is thin on details as to what that server is, which platform, what it supports and what it doesn't, etc. – Funk Forty Niner Jan 12 '16 at 15:53
  • Part of the problem is that I don't KNOW much about the server. It belongs to someone who downloaded my software. I just have ftp/mysql access and a browser. Just trying to make the software better. I will enable the extra error reporting and I've been going through every screen that firebug and chrome have and I'm not seeing anything that looks like an error. I know the question was bad, but I'm working on it. – Dan Hoover Jan 12 '16 at 15:58
  • You'll have to send them something to check their server then and show them about the error reporting stuff I gave you above and to check for errors on the MySQL side of things. Not much else I can do here to help, sorry Dan. – Funk Forty Niner Jan 12 '16 at 16:01
  • You did it Fred-ii I forgot all about adding the extra error reporting! Thank you. I got a https:// wrapper is disabled in the server configuration by allow_url_fopen=0 error. That's obviously going to help a ton! – Dan Hoover Jan 12 '16 at 16:05
  • That's great Dan and you're welcome, I'm glad we've gotten somewhere. What would you like to do with the question now? my posting an answer about error reporting and your comment? – Funk Forty Niner Jan 12 '16 at 16:06
  • Yes. Your answer was correct and it helped tremendously. Thanks everyone for not closing the question! – Dan Hoover Jan 12 '16 at 16:35
  • I posted an answer below along with the comment you left. You can accept it if you wish, in order to mark it as solved. You don't have to, but it just lets everyone know that the question was solved. *Cheers* Dan and you're welcome. Glad to have been of help. – Funk Forty Niner Jan 12 '16 at 16:40
  • Along the lines of figuring out what's going on... changing php.ini to say allow_url_fopen = On doesn't fix the problem and .htaccess php_value allow_url_fopen On gives me an error 500. Any ideas? – Dan Hoover Jan 12 '16 at 16:52
  • I wound up adding ini_set("allow_url_fopen", 1); to the top of the login and register forms and that seemed to fix the problem on this server. Does anyone see that causing problems on other servers? – Dan Hoover Jan 12 '16 at 17:05

1 Answer

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.


To which the OP responded with:

"You did it Fred-ii I forgot all about adding the extra error reporting! Thank you. I got a https:// wrapper is disabled in the server configuration by allow_url_fopen=0 error. That's obviously going to help a ton!" – Dan Hoover

Funk Forty Niner
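
The failure diagnosed above, handled explicitly, as an added example that is not part of the original question or answer: errors go to the server log instead of the page, and the reCAPTCHA check confirms a usable HTTPS client before calling out. `pickHttpsTransport()` and `verifyRecaptcha()` are hypothetical helper names; the URL is Google's reCAPTCHA siteverify endpoint.

```php
<?php
// Added example. allow_url_fopen is a PHP_INI_SYSTEM setting (php.ini / httpd.conf),
// so the code detects its state rather than trying to switch it on at runtime.
error_reporting(E_ALL);
ini_set('display_errors', '0');   // never echo errors to visitors
ini_set('log_errors', '1');       // write them to the server's error log instead

/** Returns 'curl', 'stream', or null when no HTTPS client is usable. */
function pickHttpsTransport(): ?string
{
    if (function_exists('curl_init')) {
        return 'curl';
    }
    // file_get_contents('https://...') needs allow_url_fopen and the https wrapper.
    $urlFopen = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    if ($urlFopen && in_array('https', stream_get_wrappers(), true)) {
        return 'stream';
    }
    return null;
}

/** Hypothetical helper: POSTs the token to siteverify; true only on success. */
function verifyRecaptcha(string $secret, string $token, string $ip): bool
{
    $url  = 'https://www.google.com/recaptcha/api/siteverify';
    $body = http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $ip]);
    $transport = pickHttpsTransport();
    if ($transport === 'curl') {
        $ch = curl_init($url);
        curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body,
            CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10]);
        $raw = curl_exec($ch);
    } elseif ($transport === 'stream') {
        $ctx = stream_context_create(['http' => ['method' => 'POST', 'timeout' => 10,
            'header' => 'Content-Type: application/x-www-form-urlencoded', 'content' => $body]]);
        $raw = file_get_contents($url, false, $ctx);
    } else {
        error_log('reCAPTCHA: no HTTPS transport (cURL missing, allow_url_fopen off)');
        return false;
    }
    if ($raw === false) {
        error_log('reCAPTCHA: request to siteverify failed');
        return false;
    }
    $json = json_decode($raw, true);
    return is_array($json) && !empty($json['success']);
}

// Preflight: runs offline and reports what this server supports.
echo 'HTTPS transport: ', pickHttpsTransport() ?? 'none', PHP_EOL;
```

When `verifyRecaptcha()` returns false, the login page should add a visible message to `$errors` so the form does not silently reload.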