Hi Milos,
Thanks for the great security system.
I would like to use your security system for the back end of my dashboard. For extra security I would like to place most of the files above the root, outside of the public folder.
- Is this easily done and do you recommend this?
- Which files can I place above the root and which files must be in the public folder?
- Do I need to make changes to certain paths?
I hope to hear from you.
Thanks in advance. Fred.
Hey Fred,
I’m glad you like the app. 
Please take a look to the documentation, since everything is explained there related to moving files above document root (which is highly recommended btw): https://docs.vanguardapp.io/installation.html#application-url
Regards,
Milos
Hi Milos,
Thanks for the quick reply.
I have purchased Advanced Security for the security of my dashboard. Your reply is related to the Vanguard app. Do you recommend this for the back end of a dashboard?
Regards, Fred.
Hey Fred,
Ah, you are right. I’m sorry about that, I haven’t noticed that you were asking about AS.
For AS you can move most of the files from “ASEngine” folder (everything except ASAjax.php file) out of document root, as well as complete “vendor” folder. After that you will need to update the path to AS.php file in all files where it is used (ASEngine/ASAjax.php and files like login.php, index.php etc). You don’t have to move other files out of document root.
About using Vanguard over AS, it really depends on what you are going to build and on your knowledge of PHP (and the Laravel framework, which is used by Vanguard). If you don’t need some advanced features that Vanguard provides, AS is the way to go.
Regards,
Milos
Hello,
I got your awesome system a few months ago and it was easily integrated into my existing website without diving deep into the technical details of the system itself, as I only needed a secured membership area to hold simple content for registered users…
Now I am planning to extend on that and create a simple web app with your system in the core, but I am having hard time wrapping my head around the general flow of data and how everything works….
I believe that if I understood a single complete data route for any scenario I’ll be able to understand how everything else works, so may you help me out with that by explaining the registration scenario? I guess there are only two possible data routes when a user clicks the register button:
1- registration error scenario: javascript/jquery function(s) will validate user input > error response generated > other js functions will update the current registration form using ajax (php isn’t involved at all in this cycle?)
2- registration successful scenario: javascript/jquery function(s) will validate user input > no error detected > send success message and use php/js to update mysql database > redirect
I tried understanding the flow of data using network tab in chrome’s dev tools, but all I got was ASAjax.php only in the case of a successful registration, so the full data route is still vague to me, hopefully you can tell me which js and php files are used in the case of successful registration in the order they are triggered
I hope I was able to explain what I need in a clear manner, many thanks in advance
Hey,
I’m glad you like the script! 
Well the whole registration scenario is pretty simple: when you fill out the registration form and click the “Create Account” button, an on-button-click callback function is executed (check the register.js file), which first does some basic javascript validation and then executes the register.registerUser javascript function and sends an AJAX request to the server (to the ASAjax.php file with an action : "registerUser" parameter).
In the ASAjax.php file, this action parameter is checked and according to that parameter a specific handler is called. The server then validates this register request again and creates the user if everything is ok (check the register method inside the ASRegister class).
Hopefully this will guide you and help you to properly understand how everything works. 
Regards,
Milos
Hey Milos,
That definitely helped a lot, I am now starting to understand the modular hierarchy of your system by tracing the data route with respect to the order you explained above, and I guess I’ll eventually be able to build my web app with your system in the core…
Thanks a lot my friend, for both your support and the system itself, have a great day.
Hi Milos,
Hope you are doing well. I have a small issue and would like to have your suggestion.
One of my users tried to log in, but after she hit Login, the button label changed to Logging in… (button disabled), and then the page was refreshed to the login page with empty user and pass forms. What is very interesting is that in my admin panel, her Last login time was still updated whenever she tried. So, I think she was forced to log out immediately after logging in successfully. However, at the same time, she asked her friend to log in using her account, and that friend had no problem with that account. I also succeeded in logging in using her account at the same time.
I guess something is wrong with her browser and it couldn’t start a session. But it’s only my guess. What do you think?
Regards, Phu
Hey Phu,
Well yeah, it looks like the session cookie is not kept by the browser for some reason. So I would say that it is specific to her browser only. Which browser does she use? If you can, ask her to try using some other browser to see if she can log in in that case.
Regards,
Milos
Hi Milos,
Thanks for your quick response. She was using Edge on her laptop. She also tried on mobile Chrome but the same thing happened. I asked her to install Chrome on her laptop, but haven’t heard from her again. I also think the problem is on her browser’s side, not the server. What do you think are the reasons that cause this kind of problem, I mean can you guess what’s wrong with the browser?
Hey,
Well I cannot be sure what the problem is, but it has something to do with the session cookie for sure. Maybe it is not configured to allow cookies, or something like that. If her “last_login” timestamp is being updated it means that she is being authenticated properly. Since nobody else is experiencing the same issues, it makes sense that the problem is with her browser.
Regards,
Milos
Hi Milos,
Hope you are doing well. I would like to ask for your advice on a small issue.
I understand that the statement $db = app('db') is used to query tables in the AS database which was created during the installation. I have another website on the same server, and now I want to access that website’s database (MySQL as well) when I am in an AS session. How could I accomplish this? For example something like $db1 = app('db1') which points to the other website’s database.
Thanks so much!!
Hi Milos,
I have one more question in the meantime. How could I know the list of users who are currently logged in to the website?
Thanks so much!
Hey,
Well you will have to bind that “db1” database to the container, the same way that “db” is bound. Check the AS.php file and you will see how it works. Eventually, you should just copy the code and update the credentials that are being passed to the constructor of the ASDatabase class.
About your second question, it is not possible to list currently logged-in users in AS out of the box. If you want to implement that, you should implement a database session driver (to make all sessions be stored in the database instead of a plain file, which is the PHP default session driver) and assign sessions to the specific user after successful authentication.
Regards,
Milos
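The database session driver described in the answer above, as an added example that is not part of Advanced Security: a SessionHandlerInterface implementation that stores every session row together with the id of the user who owns it, so "who is logged in right now" becomes a query. The table name as_sessions, its columns, and the assumption that the application keeps the authenticated user's id in $_SESSION['user_id'] are this example's own choices; it uses an in-memory SQLite database so it runs stand-alone from the PHP CLI.

```php
<?php
declare(strict_types=1);

// Added example (not Advanced Security's own code): database-backed PHP sessions that
// record the owning user, so currently logged-in users can be listed.
// Assumptions: table as_sessions(id, data, user_id, last_activity) exists, and the
// application stores the authenticated user's id in $_SESSION['user_id'].
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $lifetime = 1440)
    {
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Expired rows are treated as absent, so a stale id starts an empty session.
        $stmt = $this->pdo->prepare('SELECT data FROM as_sessions WHERE id = ? AND last_activity > ?');
        $stmt->execute([$id, time() - $this->lifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // PHP calls write() at the end of the request while $_SESSION is still populated,
        // so the user id set by the login code can be copied into its own column.
        $userId = $_SESSION['user_id'] ?? null;
        $stmt = $this->pdo->prepare(
            'INSERT OR REPLACE INTO as_sessions (id, data, user_id, last_activity) VALUES (?, ?, ?, ?)'
        );
        return $stmt->execute([$id, $data, $userId, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM as_sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM as_sessions WHERE last_activity <= ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    /** Ids of users that own at least one unexpired session. */
    public function loggedInUserIds(): array
    {
        $stmt = $this->pdo->prepare(
            'SELECT DISTINCT user_id FROM as_sessions WHERE user_id IS NOT NULL AND last_activity > ?'
        );
        $stmt->execute([time() - $this->lifetime]);
        return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
    }
}

// Stand-alone demo on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE as_sessions (
    id TEXT PRIMARY KEY, data TEXT NOT NULL, user_id INTEGER NULL, last_activity INTEGER NOT NULL)');

$handler = new DbSessionHandler($pdo);
session_set_save_handler($handler, true);
session_start();

// What the login code would do right after a successful credential check:
session_regenerate_id(true);   // fresh id after login, so a pre-login id is never kept
$_SESSION['user_id'] = 42;     // constructed sample user id
session_write_close();         // persists the row, including user_id

echo 'Logged-in user ids: ', implode(', ', $handler->loggedInUserIds()), PHP_EOL;
```

Logging a user out should call session_destroy(), which reaches destroy() and removes the row, so the listing only ever reflects sessions that are both unexpired and still present.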
Thanks so much for your help. I am clear about this.
Hi, we are having trouble getting AS Engine to work for local development. Any ideas on how to do it? It looks like the database connection fails
Hey,
Well I’ll need some more info about the issue so I can help. Are you stuck on the installation step where you need to provide database credentials?
Regards,
Milos
Hello Milos, long time no see. I know my support has expired, but I would really appreciate if you could help me.
I did a fresh install and I already had an SSL Cert, forced HTTPS url etc.
I could not get the script to install while using HTTPS, I had to remove the line from .htaccess to get it to install.
Now when I try to login, the page hangs (click the button and the spinners spins forever), no errors, I have tried HTTP and HTTPS, nothing.
Any help is much appreciated.
Thank you
Hey,
I’m really sorry but, if you need my help, please extend your support.
Thanks for understanding.
Regards,
Milos
Hello dear Milos, I installed this script on my main domain and it’s working well. I have some subdomains, and I want to copy some of your code to the subdomains just to load database data. When I open my site and one of the subdomains at the same time I get this error:
Warning: session_start(): open(/var/cpanel/php/sessions/ea3/sess_356f2c3bbae4718162af1aa487d2768b, O_RDWR) failed: Permission denied (13) in /home/cstuhdedu/public_html/barewbar/ASEngine/ASSession.php(1) : eval()’d code(3) : eval()’d code on line 34
Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/cstuhdedu/public_html/barewbar/ASEngine/ASSession.php(1) : eval()’d code(3) : eval()’d code:34) in /home/cstuhdedu/public_html/barewbar/ASEngine/ASSession.php(1) : eval()’d code(3) : eval()’d code on line 34
So I have two questions: how can I fix this error? And which folders and files from your script do I need (just to load and show data)?
regards
Hey,
Well from what I can see from the error above, you have some permission issues and the session cannot be started properly. That’s probably because you are including the code from your main domain on your subdomain, which is probably running under a different system user.
If you just want to load database data, you don’t need to start the session on your subdomains; then you can create another file that is similar to the ASEngine/AS.php file but without the ASSession::startSession(); code inside it. This will allow you to use all the AS classes inside your subdomain projects, but it won’t start the session so you won’t see these permission errors.
However, since it won’t start the session, it means that you won’t be able to see the authenticated user etc. If you still need this feature, then the easiest way for you is to install AS separately on your subdomain.
Regards,
Milos
thanks and regards dear milos
Hi, I need help,
I have an SSL certificate, my website runs under the HTTPS protocol, how can I work with that? Right now, only some https pages work, others don’t, and if I write http instead of https it works.
Any ideas?
Now it doesn’t work at all. I get this message on login.php page: Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/albertam/public_html/login.php:12) in /home/albertam/public_html/ASEngine/ASSession.php on line 34
Hey,
There is nothing particular that you have to do to make it work over HTTPS. Just update the WEBSITE_DOMAIN and SCRIPT_URL constants inside the ASConfig.php file to use https instead of http. If you want to force your users to use the website via https only, you can do the redirects by updating the .htaccess file (if you are using Apache) or the nginx config file for nginx.
About the error you are getting, you must include the AS.php file at the very top of the page, and there should not be any html (not even an empty space) before it, as is explained inside the docs.
Regards,
Milos
What happens if I re-install everything and do the whole process from scratch? Can I do that? I believe I messed it all up.
Ok, I re-installed everything and configured it and I get this error when I try to login:
ReferenceError: CryptoJS is not defined[Saber más] login.js:46:5 login.loginUser https://www.mydomain.com/ASLibrary/js/login.js:46:5 <anónimo> https://www.mydomain.com/ASLibrary/js/login.js:26:13 dispatch https://www.mydomain.com/assets/js/jquery.min.js:3:8497 add/r.handle https://www.mydomain.com/assets/js/jquery.min.js:3:5235
Hey,
CryptoJS is defined inside js file called assets/js/sha512.js, which is included at the bottom of the login.php page.
Now, the only possible reasons why it doesn’t work for you are:
1) It is not being loaded since your server configuration (or files/folders permissions) does not allow that file to be loaded. You can easily see that inside the browser’s console when you access the login page.
2) You have removed the script code from the bottom of login.php page.
So, make sure that all javascript files are loaded properly and that you haven’t removed any code from original AS script.
Regards,
Milos
Hi, this is urgent for me. I have purchased again another license of the login system, and I followed all the instructions and when I finished the installation the program said everything was ok. But the tables in the database were not created so I cannot login nor register… What can I do?
Please help me
Thanks in advance!
I installed again with full privileges granted to my database user and it installed the tables correctly, but now I cannot log in nor register, what can it be?
Same as phungoctran, I just figured it out
Thank you anyway
Hey, Thanks for developing this script.
I have a question regarding the CSRF protection. When I do an ajax call to a custom script, the csrf token is applied in the GET query – e.g. xxx.php?_as_csrf_token=9f072a7d9c82c5aea9e7e53dce8d253f3eb5eb67&q=MYQUERY
I didn’t see any entry in the database related to this token. Can this token be used to secure ajax responses from the same host, or do you prefer to make use of a custom nonce function?
Best, Jeffrey
Hey Jeffrey,
The CSRF token is automatically set on each AJAX request you make to the server. It is not stored inside the db and it is generated per user session, which means that if you log out and log in again your CSRF token will be different.
It’s not the same as API tokens that you would use to secure your API, if that is what you are asking. You can learn more about CSRF protection here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Regards,
Milos
If I want to save and load the user language preference to DB what would be the best way to do it?
Also before the login we don’t know the user preference, so he need to select a language or use the cookies to show the form in proper language, so is there any good reason to save the value to BD?
Hey,
Well you will add a new column into the as_users table where you will save the language, and then fetch it on every request and set the interface language by calling the ASLang::setLanguage() method.
However, as you said, if the user is not logged in then you won’t be able to see which language he has selected, and you will have to rely on the language cookie if it exists. If the cookie does not exist, then you will have to display the default language.
Since this is the default behavior of the AS script (it will set the cookie whenever the user changes the language), I don’t see any good reason for modifying it and storing the language inside the DB.
Regards,
Milos
Hi there,
I’m encountering issues on the demo, logging in with Twitter. After authorizing the app on Twitter, I get redirected to the demo and immediately get this error:
Wrong social auth token!
Hey,
Thanks for letting me know. Will check it ASAP.
What about other social auth providers (Facebook and Google+), do you have the same issues with them?
Regards,
Milos
Why can’t I use a datepicker in a form?
Hey,
Well it probably has nothing to do with the AS script. Just make sure that you include your datepicker plugin after jQuery is included and everything should work.
Regards,
Milos
Hello, I just bought your script. I can query the install page; on the second step it only shows 500 requirements ok, but I cannot see any text. On the third step it is not installing the database, and I also cannot see the db failure, only a red container. Can you help? Thanks.
Hey,
Does your server meet the requirements in terms of PHP version? If it does, can you please provide the URL to where you have uploaded your script so I can take a look and see what the problem might be?
Regards,
Milos
Hi Milos,
Today I tried to include AS.php in a php file created by myself, let’s say upload.php. Any time I include it by
include '../ASEngine/AS.php';
then my upload.php script stops at the include statement, and the error is file not found.
Because I am 100% sure that the include path is correct, I tried to comment out the last lines of AS.php, and then my code runs well without error. The last lines of AS.php read:
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! ASCsrf::validate($_POST)) {
    die('Invalid CSRF token.');
}
Could you please explain why, when I comment out this IF, everything is fine?
I include AS.php in many places in other php files, but this is the first time I face this error, when trying to include it in upload.php. Does that mean there is a bug in the upload.php file that I wrote today?
Thanks so much!
More info: the upload.php is receiving data from POST method at the beginning of it.
Hey,
You are probably not sending the CSRF token while you are uploading the file, and since you probably don’t use AJAX for that, it is not being sent automatically.
Check my answer here to see what you need to do to fix it: https://codecanyon.net/item/advanced-security-php-registerlogin-system/5282621/comments?page=41&filter=all#comment_16062833
Regards,
Milos
Hi Milos,
Honestly I don’t really get your point in the link you provided. Do you have any link that has more details about CSRF in your app?
I also have a couple of questions:
1. In other php files that I developed, I used GET method and had no problem with CSRF. Should I change from POST to GET in this situation?
2. Do you have an example for a proper way of submit form and file using ajax combined with your app?
I am quite new to webapp so having a lot of questions! Hope you don’t mind and Thanks so much!
Hey,
Let me explain it a bit more. All POST requests to the application (those are requests that can change the application state) must contain a valid CSRF token. If you are using ajax for sending requests it is automatically configured to send the CSRF token on each request (check the ASLibrary/js/js-bootstrap.php file to see how) so you don’t have to worry about sending it manually.
However, if you want to submit a form without using ajax, then you need to add a hidden input field which contains the CSRF token, and to slightly modify the ASCsrf class, as explained at the link I provided above.
About other questions,
1) You don’t have to change anything. The CSRF token is required for POST requests only since those should be the requests that can change the application state (update the database etc).
2) Unfortunately I don’t have such an example, but it should not be a problem since that request should be the same as any other ajax file upload request. Don’t forget to turn on Debug mode (http://docs.as-php.com/developer-guide.html) while you are developing new features and, if you have problems with ajax requests and CSRF, make sure that the CSRF token is being sent properly.
Regards,
Milos
Hi Milos,
I successfully sent and processed POST request with CSRF protection not using your AJAX method. Thanks for your support so far. I have a small question. When I add the hidden field as you suggested, end-user would see this in the HTML code of the page:
<input type="hidden" id="csrf" name="_as_csrf_token" value="88540cefbef2fcaa09e7dfe7cf77dc716a9ae5bc" />
Is there any potential threat if they know the token?
Thanks and Regards,
Another quick question: Why don’t you check CSRF token for GET request?
Hey,
Having the token in a hidden input field is a completely fine approach. The token is different for each session, so there is no threat if someone sees his token inside the HTML.
CSRF protection only makes sense for requests that change the application state (requests that usually write some data to the db), and GET requests should not change your app state. Check the following url to learn more about CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Regards,
Milos
Milos,
Thanks for your explanation and the helpful link. Now I understand more about CSRF. In my app, however, before figuring out how to implement your CSRF code with the POST method, I was using the GET method for everything, to request data and also to write data to the database. Because at the end of AS.php you never check GET requests to the server, even when I am using GET to make changes to the server, CSRF has no use. What I mean is that I can use a GET http request to make changes to the database, therefore should we consider CSRF for GET as well?
Hey,
Well yeah, if you are using $_GET requests for changing the application state, you should add CSRF for those requests too. However, I highly recommend switching those requests to POST.
Regards,
Milos
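The per-session token behaviour discussed in this thread (one token per session, safe to show in a hidden field, required by every state-changing handler and not only by those reached via POST), as an added example that is not Advanced Security's own ASCsrf class. The function names, the X-CSRF-Token header and the $headers array standing in for $_SERVER['HTTP_X_CSRF_TOKEN'] are this example's own choices; the field name _as_csrf_token is reused from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from Advanced Security: per-session CSRF tokens.
// Assumptions: $session stands in for $_SESSION and $headers for the request headers;
// the field name _as_csrf_token is taken from the thread, everything else is hypothetical.
const CSRF_FIELD = '_as_csrf_token';

/** Returns the session's token, minting it on first use. One token per session, so a
 *  logout (session destroyed) followed by a new login yields a different token. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $session[CSRF_FIELD];
}

/** Hidden input for a classic (non-AJAX) form submit. Exposing the token in the page is
 *  fine: it is bound to this session, and a cross-site page cannot read this HTML. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '" />';
}

/** True only when a token was submitted and it equals the session token.
 *  hash_equals() keeps the comparison constant-time. */
function csrfIsValid(array $session, ?string $submitted): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

/** Guard to call from every handler that changes state, regardless of HTTP method, so a
 *  GET endpoint that writes to the database gets the same protection as a POST one.
 *  Accepts the token from the form body or from an X-CSRF-Token header an AJAX client sets. */
function requireCsrf(array $session, array $body, array $headers): void
{
    $submitted = $body[CSRF_FIELD] ?? $headers['X-CSRF-Token'] ?? null;
    if (!csrfIsValid($session, $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
}

// Demo with constructed sessions and requests; no web server needed.
$session = [];
$token = csrfToken($session);

$cases = [
    'token from this session'    => csrfIsValid($session, $token),
    'token missing (cross-site)' => csrfIsValid($session, null),
    'token that was never issued'=> csrfIsValid($session, str_repeat('0', 64)),
    'token against other session'=> csrfIsValid([], $token),
];
foreach ($cases as $label => $ok) {
    echo str_pad($label, 30), $ok ? 'accepted' : 'rejected', PHP_EOL;
}

echo csrfField($session), PHP_EOL;
requireCsrf($session, [CSRF_FIELD => $token], []);      // passes, so execution continues
echo 'state-changing handler reached', PHP_EOL;
```

Because the check lives in the handler rather than in a global "if POST" gate, converting a write endpoint from GET to POST later (as recommended above) changes nothing about its protection.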
Hi Milos.
Here is the code:
<?php include 'templates/footer.php'; ?>
<script src="assets/js/sha512.js" type="text/javascript" charset="utf-8"></script>
<script src="ASLibrary/js/asengine.js" type="text/javascript" charset="utf-8"></script>
<script src="ASLibrary/js/index.js" type="text/javascript" charset="utf-8"></script>
<script src="ASLibrary/js/profile.js" type="text/javascript" charset="utf-8"></script>
<script src="https://gitcdn.github.io/bootstrap-toggle/2.2.2/js/bootstrap-toggle.min.js"></script>
<script>
$( document ).ready(function() {
    // Handling the options form
    $('#form-zera-options').submit(function(e){
        e.preventDefault(); // Prevent Default Submission
        $.ajax({
            url: 'edital-user-options.php',
            type: 'POST',
            data: $(this).serialize(), // it will serialize the form data
            dataType: 'html'
        })
        .done(function(data){
            $('#op-atualizadas').fadeOut('slow', function() {
                $('#op-atualizadas').fadeIn('slow').html(data);
            });
        })
        .fail(function(){
            alert('Ajax falhou...');
        });
        //this.reset();
    });
});
</script>
Well, the answer is “Invalid CSRF token.”
Console shows no CSRF token being sent. Is this related to the jquery function that serializes form data? If not, why?
Thanks.
Hey,
Thanks for providing the code here. Yes, it looks like when you send the serialized form it doesn’t append the CSRF token to the data being sent to the server.
One easy solution for you is to add the following hidden input field inside your “#form-zera-options” form, like the following:
<form>
<!-- ... -->
<input type="hidden" name="<?= ASCsrf::TOKEN_NAME ?>" value="<?= ASCsrf::getToken() ?>" />
<!-- ... -->
</form>
This means that once the form is serialized, the CSRF token will be serialized too and sent automatically to the server.
Regards,
Milos
Great idea! Thanks.
Hi,
I recently purchased your app (my code is 5b5fb876-e65b-49fc-a445-bd6aedfedde5), but the facebook login is not working (it is the first one that I tried and I did not try the other social logins). The error message is “Wrong social auth token!”
Tell me if you need more log/test.
Regards.
Hey,
Can you provide the link to your application so I can see what can be a problem with it? Are you able to log in as administrator?
Regards,
Milos
I am not seeing a sample in the documentation on how to secure a page. Please help. I have only 1 page to secure with 2 users.
Hey,
I’m sorry, it looks like I forgot to add that to this version of the docs.
Basically, it is the same way as any page inside the script is protected. You just need to add the following code at the very top of your page:
<?php
include dirname(__FILE__) . '/ASEngine/AS.php';
if (! app('login')->isLoggedIn()) {
    redirect("login.php");
}
This means that if the user is not logged in and tries to access the protected page, he will be automatically redirected to the login page.
Regards,
Milos
Thanks for the help. I’ve gotten it to work but it is redirecting to the folder that the AS app is residing in and looking for the original file which is in the folder one level up.
I got it figured out
Trying to add an item to the navigation if the user is logged in. Found this code in the docs:
<?php $role = app('current_user')->role; ?>
<?php if($role != 'user'): ?>
Leave comment
<textarea id="comment-text"></textarea> <button class="btn btn-success" id="comment">Comment</button>
<?php else: ?>
You can't post comments here until admin change your role.
<?php endif; ?>
But where do I put it, and does it need to be in some sort of container?
Hey,
Which navigation exactly? If it is the sidebar, then check the templates/sidebar.php file and you will see how those sidebar items are rendered. If you want to modify the header, check the templates/header.php file.
The code you posted above is just an example of how you can render something according to the user’s role. If you want to check if the user is logged in, then just use app('login')->isLoggedIn() which will return true if the user is logged in.
Regards,
Milos
I have purchased the register/login system. I understand that this is specially designed to be used with ajax. But I was wondering if there is any way to use it without ajax, like just a normal form submission. One more question: how can I send email on my local machine? I have installed it locally and now when I am using the forgot password feature it gives me an error message. (Fatal error: Uncaught exception ‘Exception’ with message ‘E-Mail could not be sent. Info: Could not instantiate mail function.) Many thanks.
Hey,
Of course you can use it without ajax, just in that case don’t forget to include the csrf token in each form you create, like the following:
<input type="hidden" name="<?= ASCsrf::getTokenName() ?>" value="<?= ASCsrf::getToken() ?>" />
There is one more thing that you need to edit, and that is the ASCsrf class itself. You need to modify the isValidRequest method there to look like the following:
private static function isValidRequest()
{
    return self::isValidReferer();
}
About emails, you will have to use an external SMTP server to send emails from localhost.
Regards,
Milos
Hi, Milos. How are you?
Well, I have a problem here. I have a file with a form. I am sending this form through AJAX. I have another file that receives this form data to send an email with it. The email function is inside the ASemail class (ASemail.php file). I wrote it based on the confirmationEmail function that was already there.
The file where the form and the jquery AJAX function are has the template/header.php file. I tested sending the form and echoing an “OK” string without refreshing the page and everything went fine.
Then I placed the mail function in it, including first the /ASEngine/AS.php file. Now I get Invalid CSRF token as a response from the AJAX function.
Here’s the file that is processing form data:
<?php
include_once dirname(__FILE__) . '/ASEngine/AS.php';
if(!isset($_POST['mailuser']) || 'sim' != $_POST['mailuser']) {
    echo "No way";
    return;
}
if(empty($_POST['titulo']) || empty($_POST['mensagem'])) {
    echo "No way";
    return;
}
$titulo = trim($_POST['titulo']); //title
$mensagem = trim($_POST['mensagem']); //message
$mailer = app('mailer');
$mailer->userEmail('xxxxx@gmail.com', 'Joe', $titulo, $mensagem);
echo "Mensagem enviada!"; //message sent
exit;
BTW, I tested this mail function, placing it in another file and calling it directly on loading the file (with hardcoded values), and the email was sent.
So I guess the problem is that the file that processes the form data receives the CSRF token but does not send it to the ASEmail.php file. Is that correct? How to solve this?
Thanks for any help.
Regards,
Mauro
Hey Mauro,
Sorry for a bit late response, I was out of town for few days.
The issue is probably that the CSRF token is not being sent at all, since you haven’t included the ASLibrary/js/js-bootstrap.php script on the page from which you send the AJAX request.
Take a look at templates/footer.php and you will see how this script is included. Make sure that it is included on your page too and also make sure that it is included after jquery, since it has a jquery dependency.
Let me know if it works. 
Regards,
Milos
No, Milos. The footer file is there.
As I said before, I tested making a simple AJAX call – echoing a string – first and it went well.
The problem happens when I include the AS.php file in the file that receives the AJAX call. This if statement (AS.php, line 111) makes the script die:
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! ASCsrf::validate($_POST)) {
    die('Invalid CSRF token.');
}
So I came up with the following solution:
Instead of including the AS.php file, I am using this code in the file that receives the AJAX call:
include_once dirname(__FILE__) . "/vendor/autoload.php";
$container = new Pimple\Container();
$container['mailer'] = $container->factory(function () {
    return new ASEmail;
});
ASContainer::setContainer($container);
$mailer = app('mailer');
$mailer->userEmail('xxxxxxx@gmail.com', 'xxxxxx', $titulo, $mensagem);
echo "Mensagem enviada!"; //message sent
exit;
Basically, I grabbed the code from AS.php without the line that would validate the CSRF token.
Is that bad? Any other solution?
Regards
Hey,
It’s not a good idea to remove CSRF protection.
Can you please provide me the url to your script so I can take a look and see why CSRF token is not being sent?
Regards,
Milos
“It’s not a good idea to remove CSRF protection.”
But it is a protected page that can only be seen by admin (me). With this form I am sending messages to registered users.
I would need to give you access as admin to see that…
How would you check that? I can do it and show you the results.
Hey,
In that case it’s not a big deal, but just make sure that only you can submit the ajax request, since with the above code anyone can submit the ajax request (check the ASAjax.php file since there is an “onlyAdmin” method that you can use).
Regards,
Milos
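Two points from this thread in one added example, written as a stand-alone PHP script rather than taken from Advanced Security's ASAjax.php: the action-parameter dispatch described for the registration flow earlier in the thread, and the "only the admin may submit this request" guard from the last answer. Each action is registered with the minimum role it requires, unknown actions are refused, and a handler never runs for a caller below its role; the action names, role names and the shape of $session are constructed for the example, and CSRF validation is assumed to have run before dispatch.

```php
<?php
declare(strict_types=1);

// Added example, not Advanced Security's own ASAjax.php: an allow-list dispatcher for an
// AJAX endpoint driven by an "action" parameter, with a per-action role requirement.
// Assumptions: $session stands in for $_SESSION and carries user_id and role after login;
// action and role names are constructed; the CSRF check has already passed.
const ROLE_ANY   = 'any';     // callable without a login (e.g. registration)
const ROLE_USER  = 'user';    // any authenticated user
const ROLE_ADMIN = 'admin';   // administrators only (the "onlyAdmin" idea above)

/** Registered actions: minimum role and handler. Anything not listed is refused. */
function actionTable(): array
{
    return [
        'registerUser'  => [ROLE_ANY,   fn(array $p) => ['created' => $p['username'] ?? '']],
        'updateProfile' => [ROLE_USER,  fn(array $p) => ['updated' => true]],
        'sendUserEmail' => [ROLE_ADMIN, fn(array $p) => ['sent_to' => $p['to'] ?? '']],
    ];
}

/** Returns [http status, response payload]. Checks run before the handler is touched. */
function dispatch(array $session, string $action, array $params): array
{
    $table = actionTable();
    if (!isset($table[$action])) {
        return [404, ['error' => 'Unknown action']];          // default deny
    }
    [$required, $handler] = $table[$action];

    $loggedIn = isset($session['user_id']);
    $role     = $session['role'] ?? null;

    if ($required !== ROLE_ANY && !$loggedIn) {
        return [401, ['error' => 'Login required']];           // authentication
    }
    if ($required === ROLE_ADMIN && $role !== ROLE_ADMIN) {
        return [403, ['error' => 'Administrators only']];      // authorisation
    }
    return [200, $handler($params)];
}

// Constructed sessions and requests.
$anonymous = [];
$member    = ['user_id' => 7, 'role' => ROLE_USER];
$admin     = ['user_id' => 1, 'role' => ROLE_ADMIN];

$requests = [
    ['anonymous registers',        $anonymous, 'registerUser',  ['username' => 'fred']],
    ['anonymous updates profile',  $anonymous, 'updateProfile', []],
    ['member sends user email',    $member,    'sendUserEmail', ['to' => 'someone']],
    ['admin sends user email',     $admin,     'sendUserEmail', ['to' => 'someone']],
    ['admin calls unknown action', $admin,     'dropTables',    []],
];
foreach ($requests as [$label, $session, $action, $params]) {
    [$status, $payload] = dispatch($session, $action, $params);
    echo str_pad($label, 30), $status, ' ', json_encode($payload), PHP_EOL;
}
```

Keeping the role requirement next to the handler registration, rather than inside each handler, is what makes the admin-only case hard to forget: a new action that omits its role entry fails to dispatch at all instead of silently running for everyone.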