My login will not work and i do not see why? [PLEASE-HELP]

Question

For come reason my login does not work I am using PHP and JavaScript to do so.

PHP:

$users = sql("SELECT * FROM USERS WHERE SITE_ID='${CONFIG["ID"]}'");
if($_REQUEST["logindata"]){
    $logindata = $_REQUEST["logindata"];
    $now = array_shift(explode(" ",microtime()));
    if($_REQUEST["time"] < strtotime("+10 sec",$now) && $_REQUEST["time"] > strtotime("-10 sec",$now))
        exit(json_encode(array("TYPE"=>"FUNCTION","FUNCTION"=>"(\$login.failed(\"Time out for this request.. (Go away bots)\"))")));
    foreach($users as $user){
        if(hash_hmac("sha1",$user["LOGIN_SALT"],hash_hmac("sha1",$_SERVER["REMOTE_ADDR"],$_REQUEST["time"])) == $logindata){
            $_SESSION = $user;
            $_SESSION["ACTIVE_IP"] = $IP;
            sql("UPDATE USERS SET ACTIVE_IP='${IP}' WHERE LOGIN_SALT='${user["LOGIN_SALT"]}'",0);
            $result = json_encode(array("TYPE"=>"FUNCTION","FUNCTION"=>"(\$login.success())"));
        }
    }
    !$result ? $result = json_encode(array("TYPE"=>"FUNCTION","FUNCTION"=>"(\$login.failed())")) : void;
}

JavaScript:

    login: (function () {
        $("#ajax_loading").fadeIn("fast");
        $("[type=submit]").fadeOut("fast");
        $tmp.time = "" + (new Date()).valueOf();
        return $functions.request({
            type: "plugin",
            plugin: "login",
            time: $tmp.time,
            logindata: $.sha1($.sha1($.sha1($("#username").val(),$("#password").val()),$client.domain),$.sha1($client.IP,$tmp.time))
        });
    }),

The $.sha1 function, if one string is given it is a sha1 of it and if two it will give a hmac_sha1 result.

Answer 1

First of all: take a look at the times and compare them.

(new Date()).valueOf();

-will give you microseconds, while

array_pop(explode(" ",microtime()));

-will return only the seconds. So your comparison will never match.

But at all it's no good idea to compare client-time and the serversided time, because you assume, that both have the same correct time set, and are located in the same timezone.

If you really like to do that comparision, provide a serverside timestamp to javascript at the begin, and add before submitting the seconds elapsed to that timestamp and use this as $tmp.time

However you will do it, things like time, domain or IP are almost useless if you send them, while they are not reliable and can be faked very easy.

What else: you better use hashes that your DBMS can handle on it's own, so you can fetch the 1 user you like to find directly with the Query and dont have to loop through all users