After typing in username and password I redirect the user to a page where a text message is send that he has to fill in (for some not a good 2FA but thats not the discussion :)
What should happen is this: webpage gets loaded with a form and a text message is send to the user at the same time. User types in the code he received in the text message. Codes are compared and user gets redirected.
The part of the text sending works but after that something goes wrong. I logged everything and see that the comparison itself works but different values are compared as another (second) text is send. I do not know why this is? Why is it sending a second text after the post is submitted?
<?php
// Initialize the session
session_start();
// Check if the user is already logged in, if yes then redirect him to welcome page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
header("location: index.php");
exit;
}
error_reporting(E_ALL);
error_reporting(-1);
ini_set('error_reporting', E_ALL);
ini_set('error_log', 'error.log');
// SMS script
$otp = rand(100000,999999);
error_log($otp);
$mobiel = $_SESSION["mobielnummer"] ;
$tekst = "Je beveiligingscode is : ".$otp."";
$api_key = '****';
$verzoek = "https://*****************" ;
$xml = file_get_contents($verzoek);
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Check if bevcode is empty
if(!empty(trim($_POST["bevcode"]))){
$bevcode = trim($_POST["bevcode"]);
// compare vars
if ($bevcode === $otp) {
$_SESSION["smsoke"] = true;
header("location: home.php");
}
else {
$login_err = "Dit is een onjuiste code.";
error_log($bevcode);
error_log($otp);
}
}
}
?>
CodePudding user response:
Are you posting the form to the same page the form is on? Where are you saving the text message code? I would not post form to the same page.
CodePudding user response:
Computers are very literal about doing what you tell them. To you, it's obvious that the first block of code should run only the first time, and the second block from then on; but to a computer, the first block isn't in an if statement, so will run every time.
So your code currently does this the first time a user requests it:
- Generate a random number
- Send that random number by SMS
- The user didn't submit a number, so skip that block
Then they submit the form, and you get a second request, where this happens (note carefully the order things happen):
- The user submits the number they were previously sent
- Generate a new random number
- Send the new random number by SMS
- The user submitted a number, so compare it against the new random number, which you only just generated it; it's not going to match
What you want to happen is for either one block or the other to execute; you can use your existing if($_SERVER["REQUEST_METHOD"] == "POST" for this, just move all the random number choosing and SMS sending part into an else block underneath it.
Then you'll have this on the first request:
- User didn't submit a form, so skip the if block but go into the else block
- Generate a random number
- Send it via SMS
And in the second request:
- User submitted a form, so go into the if block
- Compare the submitted number against ... something
- Skip the else block
You'll notice you now don't actually have a number to compare against; you want to compare against the number you picked in the first request, but you didn't save that anywhere. You need to store it in a session, or a database, or a file, so that you know what the correct answer is for this particular user.