1
0
Fork 0
Manager/pages/login.php

82 lines
3.2 KiB
PHP
Raw Normal View History

2020-06-03 15:31:18 +00:00
<?php
$HTML = new HTML();
$HTML->setHTMLTitle("Login");
2023-08-23 16:16:35 +00:00
$HTML->importHTML("login.html");
2023-08-23 16:16:34 +00:00
2020-06-03 15:31:18 +00:00
if(isset($_POST['login']))
{
2023-08-23 16:16:35 +00:00
include_once 'app/FormValidator.php';
2023-08-23 16:16:34 +00:00
$validator = new FormValidator(array(
2023-08-23 16:16:35 +00:00
'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'),
2023-08-23 16:16:34 +00:00
'password' => array('required' => true, 'regex' => '/.{1,1000}/')
2023-08-23 16:16:34 +00:00
));
if(!$validator->isValid($_POST)) {
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername und Passwort an.");
}
else {
2023-08-23 16:16:34 +00:00
$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");
2020-06-03 15:31:18 +00:00
$statementUser->execute(explode(" ", trim($_POST['username'])));
$RUNTIME['MESSAGE']['LOGINERROR'] = "Benutzername nicht gefunden!";
while($rowUser = $statementUser->fetch())
{
2023-08-23 16:16:34 +00:00
$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");
2020-06-03 15:31:18 +00:00
$statementAuth->execute(array($rowUser['PrincipalID']));
$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];
while($rowAuth = $statementAuth->fetch())
{
$passwordCorrect = false;
if(strlen($rowAuth['passwordHash']) == 32) {
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
$passwordCorrect = true;
$newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);
$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
}
}
else {
$passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);
}
if($passwordCorrect)
2020-06-03 15:31:18 +00:00
{
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
2020-06-03 15:31:18 +00:00
$_SESSION['USERNAME'] = trim($_POST['username']);
$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
$_SESSION['EMAIL'] = trim($rowUser['Email']);
2020-08-02 02:44:32 +00:00
$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
$_SESSION['SALT'] = $rowAuth['passwordSalt'];
2020-06-03 15:31:18 +00:00
$_SESSION['UUID'] = $rowUser['PrincipalID'];
$_SESSION['LEVEL'] = $rowUser['UserLevel'];
$_SESSION['DISPLAYNAME'] = strtoupper(trim($_POST['username']));
$_SESSION['LOGIN'] = 'true';
2020-08-04 09:44:59 +00:00
header("Location: index.php?page=".urlencode($_REQUEST['page']));
2020-06-03 15:31:18 +00:00
die();
}
}
$RUNTIME['MESSAGE']['LOGINERROR'] = "Passwort falsch!";
}
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username']));
2020-06-03 15:31:18 +00:00
}
}
2023-08-23 16:16:34 +00:00
2023-08-23 16:16:34 +00:00
if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
2020-06-03 15:31:18 +00:00
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard");
$HTML->build();
echo $HTML->ausgabe();
?>