How can I optimize my login script?

Question

I've created an Ajax login for my website but I feel like I can optimize it, but I'm not sure how and where.

Questions:

• How can I optimize my code?
• Is the code secure? Any ways to break it (injection, etc)?

Also, when I attempt to log in, it currently takes about 1 second to process the login (on localhost). Is this long?

Here's my Ajax call:

$(document).ready(function() {
  $(document).on("submit", "form", function(event) {
    event.preventDefault();
    $.ajax({
      url: 'assets/php/login_script.php',
      type: 'POST',
      data: $(this).serialize(),
      success: function(data) {
        if (data == true) {
          window.location.href = "index.php";
        } else {
          $("input[name=password_field]").focus();
          $(".error").html(data);
        }
      }
    });
  });
});

Here's the PHP script:

<?php

  include_once("access.php");

  $cxn = mysqli_connect($host, $user, $pass, $db) or die ("Couldn't connect to the server. Please try again.");

  $username = $_POST["username"];
  $password = $_POST["password"];
  $date = date('Y-m-d h:i:s', time());
  $ip_address = get_ip_address();
  $expire = time() + 86400 * 365;

  $options = array('cost' => 12);
  $hash_password = password_hash($password, PASSWORD_BCRYPT, $options);

  /* Log the login request. */
  $stmt = $cxn->prepare("INSERT INTO login_logs (log_id, username, password, datetime, ip_address) VALUES ('', ?, ?, ?, ?)");
  $stmt->bind_param('ssss', $username, $hash_password, $date, $ip_address);
  $stmt->execute();

  /* Get user information from database. */
  $stmt = $cxn->prepare('SELECT * FROM users WHERE username = ?');
  $stmt->bind_param('s', $username);
  $stmt->execute();
  $result = $stmt->get_result();

  /* If a result exists, continue. */
  if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
      $db_username = $row['username'];
      $db_password = $row['password'];
      $random_hash = password_hash(time() . $db_username . time(), PASSWORD_BCRYPT, $options); 

      /* Password matches. */
      if (password_verify($password, $db_password)) {

        /* Get user's cookie information in database. */
        $stmt2 = $cxn->prepare("SELECT * FROM cookies WHERE username = ?");
        $stmt2->bind_param('s', $db_username);
        $stmt2->execute();
        $result2 = $stmt2->get_result();

        /* If a result exists, update the cookie. */
        if ($result2->num_rows > 0) {
          $stmt = $cxn->prepare("UPDATE cookies SET hash = ? WHERE username = ?");
          $stmt->bind_param('ss', $random_hash, $db_username);
          $stmt->execute();

          setcookie("user", $db_username, $expire, "/");
          setcookie("hash", $random_hash, $expire, "/");
        } else {
          $stmt = $cxn->prepare("INSERT INTO cookies (cookie_id, username, hash) VALUES ('', ?, ?)");
          $stmt->bind_param('ss', $db_username, $random_hash);
          $stmt->execute();

          setcookie("user", $db_username, $expire, "/");
          setcookie("hash", $random_hash, $expire, "/");
        }

        echo true;
      } else {
        echo "Incorrect credentials.";
      }
    }
  } else {
    echo "Incorrect credentials.";
  }

  function get_ip_address() {
    $ip_address = '';
    if (getenv('HTTP_CLIENT_IP'))
      $ip_address = getenv('HTTP_CLIENT_IP');
    else if(getenv('HTTP_X_FORWARDED_FOR'))
      $ip_address = getenv('HTTP_X_FORWARDED_FOR');
    else if(getenv('HTTP_X_FORWARDED'))
      $ip_address = getenv('HTTP_X_FORWARDED');
    else if(getenv('HTTP_FORWARDED_FOR'))
      $ip_address = getenv('HTTP_FORWARDED_FOR');
    else if(getenv('HTTP_FORWARDED'))
      $ip_address = getenv('HTTP_FORWARDED');
    else if(getenv('REMOTE_ADDR'))
      $ip_address = getenv('REMOTE_ADDR');
    else
      $ip_address = 'UNKNOWN';

    return $ip_address; 
  }

?>

How can I optimize my script to look better, be faster, etc?

Answer 1

The problem with your one second delay is the connection to localhost , this is an issue with PDO. Simply change localhost to 127.0.0.1 to solve the delay issue.

The rest of the code looks nice and clean to me, good job. :)

Answer 2

Looks generally good. Couple of things at first glance:

Your greater than 0 is redundant in your if statement:

if ($result->num_rows) {
if ($result2->num_rows) {

One would assume your username is unique. As such, you shouldn't need to loop the results.

Assuming your _id fields are autoincrement primary key fields, you don't need to specify them in the queries. Ie remove them from the fields and values list.

Examine your use of the IP address. You're using it here to ensure login security but you're taking it from a range of user supplied headers. I'd suggest that, unless there's a good reason to get the 'real' IP, you should just use REMOTE_ADDR.

Your "SELECT cookie, did I select something? UPDATE or INSERT" logic could be cut down by using an INSERT INTO ... ON DUPLICATE KEY UPDATE ... See the MySQL manual on INSERT for the syntax.

You're using cookies to store the username/hash. Consider if you really need to do this as it adds complexity to your logic of having to check that the username in the cookie is what it's supposed to be each time it's required. If you can get away with using $_SESSION, I'd suggest doing so.