
I have an AWS Lightsail LAMP stack (not WordPress) and coded a simple login/session to a subdirectory of the main site because it's just for me, and not for normal website users.

When I access the site with its static IP address, the login works properly and it redirects to home.php, but when I use the website's name instead, the redirect doesn't work and it just reloads index.php.

/backstage/index.php

<?php

ob_start();
$is_invalid = false;

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    
    $mysqli = require __DIR__ . "/database.php";

    $email = $mysqli->real_escape_string($_POST["email"]);
    $password = $mysqli->real_escape_string($_POST["password"]);
    
    $sql = sprintf("SELECT * FROM user
                    WHERE email = '%s'", $email);
    
    $result = $mysqli->query($sql);
    $user = $result->fetch_assoc();
    
    if ($user) {
        if (password_verify($password, $user["password_hash"])) {
            
            session_start();
            session_regenerate_id();
            
            $_SESSION["user_id"] = $user["id"];
            
            // if the user and password match, this should redirect 
            header("Location: home.php");
            exit;
        } else {
            die("bad password");
            exit;
        }
    } else {
        die("bad user");
        exit;
    }    
    $is_invalid = true;
}

?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
    <meta charset="UTF-8">
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/water.css@2/out/water.css">
</head>
<body>
    <h1>Login</h1>
 
    <?php if ($is_invalid): ?>
        <em>Invalid login</em>
    <?php endif; ?>
    
    <form method="post">
        <label for="email">email</label>
        <input type="email" name="email" id="email"
               value="<?= htmlspecialchars($_POST["email"] ?? "") ?>">
        
        <label for="password">Password</label>
        <input type="password" name="password" id="password">
        
        <button>Log in</button>
    </form>
</body>
</html>

This is what I see in the apache access_log:

x0.x76.x13.x07 - - [24/Feb/2023:21:42:57 +0000] "POST /backstage/index.php HTTP/1.1" 302 -
x4.x52.x3.x77 - - [24/Feb/2023:21:42:58 +0000] "GET /backstage/home.php HTTP/1.1" 302 -

Also, there's nothing fancy in the DNS records, just a CNAME record that points www traffic to the non-www page.

Is this a PHP error, a DNS problem, a CloudFront issue, or something else completely?

pizzafilms
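The two log lines above, as an added example that is not part of the original question: a minimal model of the login exchange, sent once through a reverse proxy that drops the browser's Cookie header before it reaches the origin (a CDN edge configured not to forward cookies) and once through one that passes it on. The paths, the cookie name PHPSESSID (PHP's default session.name) and the user id are assumptions made for the illustration; the "origin" is a stand-in for the PHP pages, not the asker's code.

```python
"""
Model of a POST to the login page followed by the browser following the
redirect to the protected page, with and without the edge forwarding cookies.
Added example; names and paths are assumptions, not taken from the question.
"""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

LOGIN = "/backstage/index.php"
HOME = "/backstage/home.php"
SESSION_COOKIE = "PHPSESSID"  # assumed: PHP's default session cookie name


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class Origin:
    """Stand-in for the PHP app behind Apache.

    POST index.php: create a session, send Set-Cookie, redirect to home.php.
    GET home.php:   200 if the request carries a known session id, otherwise
                    redirect back to index.php (the second 302 in the log).
    """

    def __init__(self):
        self.sessions = {}  # session id -> user id, like PHP's session store

    def handle(self, method, path, cookies):
        sid = cookies.get(SESSION_COOKIE)
        if path == LOGIN and method == "POST":
            sid = secrets.token_hex(16)  # fresh id, as session_regenerate_id() does
            self.sessions[sid] = 1       # assumed user id
            return Response(302, {
                "Location": HOME,
                "Set-Cookie": f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure",
            })
        if path == HOME:
            if sid in self.sessions:
                return Response(200)
            return Response(302, {"Location": LOGIN})  # no session: back to login
        return Response(200)  # GET index.php: render the form


class Edge:
    """Reverse proxy in front of the origin. With forward_cookies=False the
    origin never receives the Cookie header, whatever the browser sent."""

    def __init__(self, origin, forward_cookies):
        self.origin = origin
        self.forward_cookies = forward_cookies

    def handle(self, method, path, cookies):
        return self.origin.handle(method, path, cookies if self.forward_cookies else {})


class Browser:
    """Keeps a cookie jar and records (method, path, status) like access_log."""

    def __init__(self, edge):
        self.edge = edge
        self.jar = {}
        self.log = []

    def request(self, method, path):
        resp = self.edge.handle(method, path, dict(self.jar))
        if "Set-Cookie" in resp.headers:
            parsed = SimpleCookie()
            parsed.load(resp.headers["Set-Cookie"])
            for name, morsel in parsed.items():
                self.jar[name] = morsel.value
        self.log.append((method, path, resp.status))
        return resp


def login_flow(forward_cookies, max_redirects=3):
    """Submit the login form, then follow redirects as a browser would.
    Returns the request trace; its first two entries are what Apache logs."""
    browser = Browser(Edge(Origin(), forward_cookies))
    resp = browser.request("POST", LOGIN)
    hops = 0
    while resp.status == 302 and hops < max_redirects:
        resp = browser.request("GET", resp.headers["Location"])
        hops += 1
    return browser.log


if __name__ == "__main__":
    for forwarding in (False, True):
        print(f"cookies forwarded to origin: {forwarding}")
        for method, path, status in login_flow(forwarding):
            print(f"  {method} {path} -> {status}")
```

Without cookie forwarding the trace is POST index.php 302, GET home.php 302, GET index.php 200: the browser does hold the session cookie, but home.php never sees it, so it bounces back to the form and the user lands on index.php again, which is exactly the symptom and the log pattern described. With forwarding the second request is GET home.php 200. The point to take from the model: a 302 on the page you redirected to means the session check on that page failed, so look at what reaches the origin (the Cookie header), not at the redirect itself.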
  • Why are the client IP addresses different in the two requests? Which one corresponds to your PC? – Barmar Feb 24 '23 at 22:06
  • There's no reason to call `mysqli_real_escape_string()` on the password, since you're not putting it in a SQL query. – Barmar Feb 24 '23 at 22:08
  • Your script is vulnerable to [SQL Injection Attack](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even if [you are escaping variables, it's not safe](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)! You should always use [prepared statements and parameterized queries](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either MYSQLI or PDO instead of concatenating variables into the query. – Barmar Feb 24 '23 at 22:08
  • Yeah, that struck me as odd too. Neither one is the IP I use to log in. Maybe this has something to do with CloudFront. – pizzafilms Feb 24 '23 at 22:08
  • That's possible, it's probably acting as a reverse proxy. – Barmar Feb 24 '23 at 22:10
  • Are those apache logs from when it works or when it fails? Because it looks like it's redirecting to home.php. – Barmar Feb 24 '23 at 22:11
  • That's when it fails. It SHOULD redirect to home.php, but it's not. – pizzafilms Feb 24 '23 at 22:13
  • The `302` code is another redirect. So when it goes to home.php it returns another redirect. This may be a problem with your .htaccess. – Barmar Feb 24 '23 at 22:15
  • I can't figure out where the .htaccess file is on this machine. It's an AWS Lightsail LAMP stack from Bitnami. – pizzafilms Feb 24 '23 at 22:17
  • @Barmar It was a CloudFront issue. CloudFront was not forwarding cookies. I changed that setting and it works. Thanks for the help. – pizzafilms Feb 28 '23 at 19:04

1 Answer


Turns out the problem was a CloudFront issue. CloudFront was not forwarding cookies. So I modified the cache settings to also forward cookies and that fixed it.

pizzafilms
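The fix described in the answer, as an added example rather than the asker's actual CloudFront settings: the CachePolicyConfig document you would pass to `aws cloudfront create-cache-policy --cache-policy-config file://policy.json` so that the edge forwards the PHP session cookie to the origin, shown beside the cookie setting that reproduces the original failure, plus a small check that a given policy really forwards a named cookie. The policy names and the cookie name PHPSESSID (PHP's default session.name) are assumptions.

```python
"""
CloudFront cache policy for a login-protected, dynamic path: forward the
session cookie (and key the cache on it), cache nothing by default.
Added example; policy and cookie names are assumptions.
"""
import json

SESSION_COOKIE = "PHPSESSID"  # assumed: PHP's default session cookie name


def make_cache_policy(name, cookie_behavior, cookies=()):
    """Build a CachePolicyConfig for a dynamic, login-protected path.

    cookie_behavior is one of CloudFront's values: "none", "whitelist",
    "allExcept", "all". TTLs of 0/0/1 mean nothing is cached unless the
    origin explicitly asks for it via Cache-Control.
    """
    cookies_config = {"CookieBehavior": cookie_behavior}
    if cookie_behavior in ("whitelist", "allExcept"):
        cookies_config["Cookies"] = {"Quantity": len(cookies), "Items": list(cookies)}
    return {
        "Name": name,  # assumed name
        "Comment": "dynamic PHP pages behind a login",
        "MinTTL": 0,
        "DefaultTTL": 0,
        "MaxTTL": 1,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            "HeadersConfig": {"HeaderBehavior": "none"},
            "CookiesConfig": cookies_config,
            "QueryStringsConfig": {"QueryStringBehavior": "all"},
        },
    }


# The setting that produced the redirect loop: cookies are neither forwarded
# nor part of the cache key, so the session cookie the browser sends is
# dropped before the request reaches home.php.
BROKEN_POLICY = make_cache_policy("backstage-no-cookies", "none")

# The fix: forward (and key the cache on) just the session cookie.
FIXED_POLICY = make_cache_policy("backstage-session-cookie", "whitelist", [SESSION_COOKIE])


def forwards_cookie(policy, cookie_name):
    """True if requests through this cache policy carry cookie_name to the origin."""
    cfg = policy["ParametersInCacheKeyAndForwardedToOrigin"]["CookiesConfig"]
    behavior = cfg["CookieBehavior"]
    listed = set(cfg.get("Cookies", {}).get("Items", []))
    if behavior == "all":
        return True
    if behavior == "none":
        return False
    if behavior == "whitelist":
        return cookie_name in listed
    if behavior == "allExcept":
        return cookie_name not in listed
    raise ValueError(f"unknown CookieBehavior {behavior!r}")


def policy_json(policy):
    """Serialise for `--cache-policy-config file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for policy in (BROKEN_POLICY, FIXED_POLICY):
        print(policy["Name"], "forwards", SESSION_COOKIE, "->",
              forwards_cookie(policy, SESSION_COOKIE))
    print(policy_json(FIXED_POLICY))
```

In the legacy (pre-policy) distribution settings the same choice is the "Forward Cookies" option on the cache behavior, which is what the answer changed. An equivalent policy-based setup is the managed CachingDisabled cache policy together with an origin request policy that forwards all cookies. Either way, attach it to a behavior for the login path only (for this site, `/backstage/*`) so the rest of the site stays cacheable, and keep in mind that whitelisting a cookie also makes it part of the cache key, which is what stops one user's page from being served to another. One related caveat the log already shows: the client addresses Apache records are the proxy's, not the visitor's, so if the origin needs real client IPs it has to read X-Forwarded-For (for Apache, mod_remoteip).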