truelogicINC

Reputation: 119

The error is "incorrect username or password" even though I've entered the correct credentials

I've created my own way of doing login.php using a hash & salt. When I input a new admin account, the password seems to be working fine in my phpMyAdmin, but when I'm calling the hash and salt in my login, the "User doesn't exist" part seems to be good. The error is always "Incorrect username & password" even though I've entered the right credentials. I've already used this script in my previous login system, but I don't know why it's not working now.

Here's my login.php

<?php
include_once('config.php'); // provides the $mysqli connection
session_start();
$username = $_POST['username'];
$password = $_POST['password'];

$username = mysqli_real_escape_string($mysqli, $username);

$query = $mysqli->query("SELECT password,salt FROM admin WHERE username='$username'");

$numrows = mysqli_num_rows($query);

if($username == "" && $password == "") {
    echo '<center>';
    echo '<h3>Please fill in the blank form</h3>';
    echo '<button type="button" class="btn btn-primary" id="goback" >Log In Again</button>';
    echo '</center>';
} else if($numrows != 0) {
    // MYSQLI_ASSOC, not MYSQL_ASSOC: the latter belongs to the old mysql extension
    $userData = mysqli_fetch_array($query, MYSQLI_ASSOC);
    // Recompute the stored value as salt . sha256(password), then hash again
    $hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

    if($hash != $userData['password']) {
        echo '<center>';
        echo '<h3>Incorrect username or password</h3>';
        echo '<button type="button" class="btn btn-primary" id="goback" >Log In Again</button>';
        echo '</center>';
    } else {
        header('Location: firstpagesurvey.html');
    }
} else {
    die('
        <center>
        <h3>Username doesn\'t exist</h3>
        <button type="button" class="btn btn-primary" id="goback" >Log In Again</button>
        </center>
    ');
}
?>

Here's the create_admin action

<?php
include_once('config.php'); // provides the $mysqli connection
session_start();

$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];

$hash = hash('sha256', $password);

function createSalt(){
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}

$salt = createSalt();

// Stored value is sha256(sha256(password) . salt)
$password = hash('sha256', $hash.$salt);

// Every value interpolated into the SQL string must be escaped, not only the username
$username = $mysqli->real_escape_string($username);
$firstname = $mysqli->real_escape_string($firstname);
$lastname = $mysqli->real_escape_string($lastname);

$query = $mysqli->query("INSERT INTO `admin`(`username`,`password`,`firstname`,`lastname`,`salt`) VALUES('$username','$password','$firstname','$lastname','$salt')");

$mysqli->close();

header('Location: success.php');

?>

Upvotes: 0

Views: 1286

Answers (4)

truelogicINC

Reputation: 119

Yeah, I've figured it out... Thanks! The sequence should be based on the create_acc.php

$password = hash('sha256', $salt.$hash);

Login.php

$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

Upvotes: 0

martinstoeckli

Reputation: 24071

It would be much easier and much safer if you used the built-in password function password_hash(). Because the salt is included in the resulting hash value, you could also do without a separate database field for the salt.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

This would not only create a cryptographically safe salt, it would also use a hash function with a cost factor (BCrypt). Double hashing is often offered out of the box by password-cracker tools. The SHA-* algorithms are too fast and can therefore be brute-forced too easily.

Upvotes: 0
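As an added example (not code from the question or from any of the answers), here is the register/login pair rewritten around password_hash()/password_verify() with prepared statements, so no salt column and no hash-ordering mismatch is possible. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, column names and cost factor are assumptions.

```php
<?php
// Added example, not the asker's or answerers' code. In-memory SQLite so it runs
// offline; replace the DSN with your MySQL connection in real use.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

const BCRYPT_OPTIONS = ['cost' => 12]; // assumed cost; tune to your hardware

// password_hash() generates a random salt and embeds it, with the algorithm
// and cost, in the returned string, so no separate salt column is needed.
function createAdmin(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $db->prepare('INSERT INTO admin (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// True only when the user exists and the password matches. Unknown user and
// wrong password produce the same result, so the login page need not reveal
// which usernames exist.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Verify against a dummy hash so an unknown user costs the same time
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Transparently upgrade hashes stored with an older algorithm or cost
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $db->prepare('UPDATE admin SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
                       ':u' => $username]);
    }
    return true;
}

// Constructed sample run
createAdmin($db, 'admin', 'correct horse battery staple');
var_dump(login($db, 'admin', 'correct horse battery staple'));
var_dump(login($db, 'admin', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));
```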

huhushow

Reputation: 547

In the create page you make hash( hash(password).salt ), but in the login page you make hash( salt.password ).

In your create_admin action, you make the hashed password.

your code is

$password = hash('sha256', $hash.$salt); 
/*and*/
$hash is $hash = hash('sha256', $password);

This means that in create_page your hashing is hash( hash(password), salt ).

But in your login.php

your code is

$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

This means that in login your hashing is hash( salt, hash(password) ).

In short, your hashing order between create_admin and login is wrong.

Upvotes: 0

Leandro Papasidero

Reputation: 3738

I think the issue is when you create your password.

$hash = hash('sha256', $password);

IS NOT EQUAL TO

$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

Therefore, you need to modify the way you encrypt the password or modify the way you are authenticating.

Upvotes: 1
