
I actually still get this error after the fix? LS.php has:

Open sscotti opened this issue 6 years ago • 6 comments

                if ($remember_me === true && $this->config['features']['remember_me'] === true) {
                    $iv               = openssl_random_pseudo_bytes(openssl_cipher_iv_length('AES-128-CBC'));
                    $rememberMeCookie = base64_encode(openssl_encrypt($userID, 'AES-128-CBC', $this->config['keys']['cookie'], 0, $iv)) . ':|:' . base64_encode($iv);

Error is:

Warning: openssl_decrypt(): IV passed is only 15 bytes long, cipher expects an IV of precisely 16 bytes, padding with \0 in /Applications/MAMP/htdocs/secure-login-system-2018-04-10/vendor/francium/logsys/src/Fr/LS.php on line 520

sscotti avatar Feb 22 '19 23:02 sscotti

This appears to still be an issue -- on iPad at least, works without issue on my desktop PC. Might have to do with how Safari is handling the cookie.

reddingwebpro avatar Oct 15 '19 01:10 reddingwebpro

@sscotti. This appears to be corrected now. Please give it a try

reddingwebpro avatar Oct 15 '19 19:10 reddingwebpro

I still get the error

Warning: openssl_decrypt(): IV passed is only 15 bytes long, cipher expects an IV of precisely 16 bytes, padding with \0 in ../vendor/francium/logsys/src/Fr/LS.php on line 520

TechOverflow avatar Dec 03 '19 18:12 TechOverflow

I had the same error and it stopped showing up when I changed the separator on lines 509 and 702. I complicated it a bit.

Before: $rememberMeParts = explode(':|:', urldecode($rememberMe));

Now: $rememberMeParts = explode(':::|||:::', urldecode($rememberMe));

noise3 avatar May 04 '20 19:05 noise3

Edit: See comment below!

~~Error is still present (logSys 1.0.1, PHP 8.1).~~

~~As far as I understood, the problem appears if $iv contains : (See also https://stackoverflow.com/a/37440351.)~~

~~Could it be a solution, to re-generate random bytes until $iv does not contain :?~~ https://github.com/subins2000/logSys/blob/3ade16283e8c8f6bd8bd1371ae2f6a25d5e3769c/src/Fr/LS.php#L701

allofmex avatar Dec 06 '21 18:12 allofmex

Forget my comment before. It took me a while, but I found the problem:

https://github.com/subins2000/logSys/blob/3ade16283e8c8f6bd8bd1371ae2f6a25d5e3769c/src/Fr/LS.php#L509

Please just remove urldecode, the data in $_COOKIE is already urldecoded.

https://www.w3schools.com/php/php_cookies.asp Note: The value of the cookie is automatically URLencoded when sending the cookie, and automatically decoded when received (to prevent URLencoding, use setrawcookie() instead).

Background:

The openssl_decrypt warning appears whenever the base64 encoded $rememberMeCookie results in a string containing a + character.

Example:

  • cookie will be sent correctly to browser ...:|:...cHS+y28z/VQ
  • browser will correctly submit it back to server
  • server urldecodes it correctly back to ...:|:...cHS+y28z/VQ and stores in $_COOKIE
  • And then line 701 does a second urldecode, which results in ...:|:...cHS y28z/VQ

By the way:

base64_encode of openssl_encrypt's result should not be needed. https://github.com/subins2000/logSys/blob/3ade16283e8c8f6bd8bd1371ae2f6a25d5e3769c/src/Fr/LS.php#L702

It is base64 already as long as no OPENSSL_RAW_DATA option is set.

Encrypts given data with given method and key, returns a raw or base64 encoded string (https://www.php.net/manual/en/function.openssl-encrypt.php)

allofmex avatar Dec 11 '21 16:12 allofmex
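
The double urldecode described in the last comment, reproduced as an added PHP example (not logSys code and not part of the original thread). The key, IV, user ID and the function names `buildCookie` and `parseCookie` are constructed for illustration; the IV length check before decryption is an addition of this example.

```php
<?php
// Added example, not logSys code. Key, IV and user ID are constructed sample values.
const CIPHER = 'AES-128-CBC';
const SEP    = ':|:';

// Same cookie layout as the snippet quoted in the issue.
function buildCookie(string $userID, string $key, string $iv): string
{
    return base64_encode(openssl_encrypt($userID, CIPHER, $key, 0, $iv)) . SEP . base64_encode($iv);
}

// $value plays the role of $_COOKIE[...]: PHP has already URL-decoded it once.
function parseCookie(string $value, string $key, bool $decodeAgain): array
{
    if ($decodeAgain) {
        $value = urldecode($value);          // the extra decode: every '+' becomes ' '
    }
    $parts = explode(SEP, $value);
    if (count($parts) !== 2) {
        return ['ivBytes' => 0, 'userID' => false];
    }
    $iv = base64_decode($parts[1]);          // non-strict mode silently drops the space
    if (strlen($iv) !== openssl_cipher_iv_length(CIPHER)) {
        // Reject instead of letting openssl_decrypt() pad the short IV with \0.
        return ['ivBytes' => strlen($iv), 'userID' => false];
    }
    $userID = openssl_decrypt(base64_decode($parts[0]), CIPHER, $key, 0, $iv);
    return ['ivBytes' => strlen($iv), 'userID' => $userID];
}

$key = '0123456789abcdef';                            // constructed 16-byte key
$iv  = hex2bin('fb0102030405060708090a0b0c0d0e0f');   // constructed IV; its base64 starts with '+'

$cookie   = buildCookie('42', $key, $iv);
$onWire   = urlencode($cookie);    // setcookie() URL-encodes the value: '+' is sent as %2B
$received = urldecode($onWire);    // PHP decodes it once while filling $_COOKIE

foreach ([false, true] as $decodeAgain) {
    $result = parseCookie($received, $key, $decodeAgain);
    printf(
        "second urldecode: %-3s  IV bytes: %2d  userID: %s\n",
        $decodeAgain ? 'yes' : 'no',
        $result['ivBytes'],
        var_export($result['userID'], true)
    );
}
```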