Problem when logging into a form with PHP

0

I developed a PHP login system for this website, with no database and a fixed password. On localhost everything works normally, but when I uploaded the files to the server and try to access it, the page starts to load but returns to the beginning, and the browser's URL bar shows that it is not safe. Is there a way to fix it? The images and the source code follow.

[image]

In the image above, "not safe" appears next to the URL, and it won't let me log in to the page main.php. Remember that on localhost it works normally.

Login:

<form action="login.php" method="post" name="login" id="login" class="login form-login" onsubmit="return validaCampo(); return false;">
                <div class="box-form-login">
                    <div class="text-left">
                        <h4 class="title">Painel do cliente</h4>
                        <p class="text">Para ter acesso a todo o conteúdo do Fábio Rabin basta acessar o painel com o
                            usuário e senha enviados para o seu email.
                        </p>
                    </div>
                    <div class="row">
                        <div class="col-sm-8 col-xs-12">
                            <div class="form-group">
                                <input type="text" name="user" id="user" class="form-control user" placeholder="Digite seu nome" />
                            </div>
                        </div>
                    </div>

                    <div class="row">
                        <div class="col-sm-8 col-xs-12">
                            <div class="form-group">
                                <input type="password" name="pass" id="pass" class="form-control user" placeholder="Digite sua senha" />
                            </div>
                        </div>
                    </div>
                    <div class="row">
                        <div class="col-sm-8 col-xs-12">
                            <input type="submit" value="Entrar" class="btn btn-primary send">
                        </div>
                    </div>
                </div>
            </form>

login.php:

<?php
error_reporting(0);
ini_set("display_errors", 0);
?>
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
include("bd.php");
if ($valida[$user] == $pass) {
    setcookie("logado", "1");
    echo "<script>location.href='main.php'</script>";
} else {
   /* echo "Usuário ou senha incorretos!";
    echo "<br>";
    echo "<a href=login>";
    echo "Clique aqui</a> para tentar novamente.";
    echo "</a></font>";*/
}
?>

<div class="container-fluid no-padding">
    <div class="row">
        <div class="bg-color hidden-xs hidden-sm">

        </div>
        <div class="col-md-10 col-sm-12 col-xs-12 text-center pull-right">
            <p class="title">Poxa vida!<br> Seu usuário ou senha estão incorretos!<br/> <span><a href="login">- Clique aqui e tente novamente -</a></span></p>
        </div>
    </div>
</div>

main.php:

<?php
if (!isset($_COOKIE["logado"])) {
    echo '<meta http-equiv="refresh" content="0;url=login">';
    exit;
}
?>
<html>
<head>
</head>
<body>

<div class="container-fluid">
    <div class="row">
        <div class="col-md-12 text-right">
            <a href="logout.php" class="link-logout">X</a>
        </div>
    </div>

    <div class="row">
        <!--<img src="img/img-download.png" class="img-responsive img-download hidden-xs hidden-sm"
             alt="Faça o download dos conteúdos"/>-->
        <div class="col-md-6 col-md-offset-4 col-sm-7 col-sm-offset-3 col-xs-12 col-xs-offset-0">
            <div class="box-download">
                <p class="text"><span>E ai cara seja bem-vindo!</span><br/>Aqui você vai encontrar todo o conteúdo necessário sobre o Fábio Rabin, basta
                    clicar no botão abaixo e efetuar o download.</p>
                <a href="conteudo.zip" class="content-download">Baixar conteúdo</a>
            </div>
        </div>
    </div>
</div>

</body>
</html>

logout.php:

<?php
setcookie("logado", "");
?>
<html>
<head>
    <script language="JavaScript">
        function deleteCookie(nome) {
            var exdate = new Date();
            exdate.setTime(exdate.getTime() + (-1 * 24 * 3600
                * 5000));
            document.cookie = nome + "=" + escape("") + ((-1
                == null) ? "" : "; expires=" + exdate);
        }
    </script>
</head>
<body>
<div class="container">
    <div class="row">
        <div class="col-md-12 text-center">
            <p class="text"><span>Você desconectou!</span><br>
                Aguarde, você será redirecionado <br>para página inicial.</p>

            <p>Se demorar muito <a href="login">clique aqui</a></p>
        </div>
    </div>
</div>

<script language="JavaScript">
    deleteCookie("logado");
</script>

</body>
</html>

bd.php (this is where I put the fixed user and password):

<?php
// Quoted key: a bare fabiorabin is read as an undefined constant (fatal error on PHP 8).
$valida['fabiorabin'] = "download123";
?>
  • 1

    It shows as "unsafe" because it doesn't have HTTPS/TLS; that is the only thing Chrome checks. Any login page without HTTPS is unsafe, by Chrome's logic. But ironically the system is also very insecure, since it uses comparisons with ==, uses only a cookie to validate (anyone can set document.cookie = "logado=1";) and stores the password in plain text.

2 answers

2

"Not Safe" means your website has no SSL security protocol. You can get this protocol on some free and paid hosting sites, as suggested by @Inkeliz. But that's not why you can't log in. What happens is that you're granting access to the environment (main.php) through cookies. If that permission is disabled in your browser, you cannot get in, because the subsequent verification cannot be made.

I managed to log in without any trouble.

[image]

My suggestion: work with PHP's $_SESSION and you won't have this problem.

  • Note: it is possible to get it for free using Let's Encrypt. If you use Caddy instead of Nginx/Apache, it already uses Let's Encrypt.

  • @Inkeliz, good. I’ll edit.
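
The $_SESSION approach suggested in the answer above, combined with fixes for the points raised in the comment on the question (== comparison, a forgeable logado cookie, plain-text password), as an added example that is not part of the original posts or the asker's code. The file name auth.php and all function names are hypothetical.

```php
<?php
// auth.php: added example, not the asker's code. All names here are hypothetical.
// Needs PHP 7.3+ for the array form of session_set_cookie_params().

// Constructed demo store replacing bd.php. In deployment, paste the string
// printed once by password_hash() here instead of keeping the plaintext.
$users = ['fabiorabin' => password_hash('download123', PASSWORD_DEFAULT)];

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'httponly' => true,    // cookie is not readable from document.cookie
        'secure'   => $https,  // sent over TLS only once the site has HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();           // the cookie holds a random ID, not a login flag
}

function attempt_login(array $users, $user, $pass): bool
{
    // Reject non-string input (e.g. user[]=x) and unknown users up front.
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    if (!password_verify($pass, $users[$user])) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true);   // fresh ID at login prevents session fixation
    $_SESSION['user'] = $user;     // login state lives on the server
    return true;
}

function require_login(): string
{
    start_secure_session();
    if (!isset($_SESSION['user'])) {
        header('Location: login'); // server-side redirect instead of meta refresh
        exit;
    }
    return $_SESSION['user'];
}

// login.php: if (attempt_login($users, $_POST['user'] ?? null, $_POST['pass'] ?? null))
//                { header('Location: main.php'); exit; }
// main.php:  require 'auth.php'; $user = require_login();  // before any HTML output
```

Because the browser only ever holds a random session ID, setting a cookie by hand no longer grants access to main.php; logout.php would call session_destroy() after start_secure_session().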

2

Google announced on its blog, in the article "Moving to a Safer Web", in which it explained that in January 2017 there was an update in Google Chrome 56, which marks HTTP pages that collect passwords or credit cards as UNSAFE in the URL bar, with a red security padlock.

Until then, only HTTP pages requesting information such as passwords and credit cards appeared as unsecured pages. However, Google Chrome’s long-term plan is to mark all HTTP sites as unsafe or unprotected.

See what Google has to say on the subject: HTTPS on major websites

For developers and webmasters:

There is a test site that has two pages, one HTTP (http://www.httpvshttps.com/) and the other HTTPS (https://www.httpvshttps.com/); switching between them in the current browser session shows the difference in the loading of both.

In view of the above, if you don't have a website that is secure and it is not ranked in Google's search engine, hurry to get an SSL security seal and install HTTPS on your site. :)
