Fat Free Login

[v.]

Hi,

I have decided to put this online since many people have been asking for a thing like this, but also to let others check my code for errors and security issues.

My first officially launched application is the Fat Free Login script: https://github.com/fatfreelogin/Fat-Free-Login

Feel free to comment, correct, break down and abuse this.

[SI]

Hi, 

iam new in F3, so i decide to try this app to familiarize with F3.

but i got this error when i trying this application. I got this error when i want to login with admin:fatfre123. how to correct this error?

can you help me resolve this error?

There has been a problem

It's not you, it's us. Something went terribly wrong and we should fix that.

best regards

[bob]

Hi v.

as you proposed I felt free to abuse and make a pull request. Just adjusted it to work with composers's autoload and newer version of PHPMailer.

bob

[bob]

You probably have not installed a mysql database yet. since this is required also

[v.]

Nice one bob, I am sorry to say I accidently updated the readme file in your branch... I undid it though.

[v.]

Please post the error you can find in the logs folder error file.

did you install the mysql database in the db folder?

I realize this was not mentioned in the readme file (I have updated it).

On Monday, April 15, 2019 at 6:16:16 AM UTC+2, SI wrote:

[Andrew Brookes]

  just wondered what you think of sqlite3 as an alternative to MySQl ; i find it easier for development but recognize it might be less secure, i'm  using it anyway  live on a web using f3 login here:  http://ghanahomefood.com/login . I have sql injection covered (i think)

Had a quick look at controller code and see your using brcypt. I'm using that as well but also using a salt like this:

            $crypt = \Bcrypt::instance();
             $salt = $f3->get('salt');
            $this->cryptTheirName =   $crypt->hash($this->theirName,$salt)   ;
            $this->cryptTheirPassword = $crypt->hash($this->theirPassword,$salt);

[ved]

Quick FYI: The Bcrypt class has been deprecated on v3.6.0

Please use the native PHP implementation whenever possible.

As for using sqlite instead of mysql, that shouldn't be an issue since it is also supported by PHP's PDO drivers which is what F3 uses.

[v.]

Why would you use an additional salt when you use BCrypt?

From my understanding BCrypt already uses an integrated salt.

[v.]

Thanks Ved, I was not aware of this. Why has this been decided?

I will update the code whenever I find some time.

[Andrew Brookes]

On Thursday, April 25, 2019 at 8:04:43 AM UTC, v. wrote:

Why would you use an additional salt when you use BCrypt?

From my understanding BCrypt already uses an integrated salt.

  the default  if i am reading this  code from bcrypt.php in lib , function hash($pw,$salt=NULL,$cost=self::COST) is that salt is an option .its arbituary any way since the class states : Lightweight password hashing library (PHP 5.5+ only)
*    @deprecated Use http://php.net/manual/en/ref.password.php instead

[v.]

As proposed by ved I have updated the script to use php password hashing functions and no longer bcrypt