Manager/pages/login.php

<?php
	$HTML = new HTML();
	$HTML->setHTMLTitle("Login");
	$HTML->importHTML("login.html");

	if($_SERVER['REQUEST_METHOD'] == 'POST')
	{
		include_once 'app/FormValidator.php';
		$validator = new FormValidator(array(
			'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'),
			'password' => array('required' => true, 'regex' => '/.{1,1000}/')
		));
		
		if(!$validator->isValid($_POST)) {
			$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername und Passwort an.");
		}
		else {
			$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");
			$statementUser->execute(explode(" ", trim($_POST['username']))); 

			$RUNTIME['MESSAGE']['LOGINERROR'] = "Benutzername nicht gefunden!";

			while($rowUser = $statementUser->fetch()) 
			{
				$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");
				$statementAuth->execute(array($rowUser['PrincipalID'])); 
				
				$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];

				while($rowAuth = $statementAuth->fetch()) 
				{
					$passwordCorrect = false;
					if(strlen($rowAuth['passwordHash']) == 32) {
						if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
							$passwordCorrect = true;
							
							$newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);
							$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
							$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
						}
					}
					else {
						$passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);
					}

					if($passwordCorrect)
					{
						session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
						$_SESSION['USERNAME'] = trim($_POST['username']);
						$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
						$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
						$_SESSION['EMAIL'] = trim($rowUser['Email']);
						$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
						$_SESSION['SALT'] = $rowAuth['passwordSalt'];
						$_SESSION['UUID'] = $rowUser['PrincipalID'];
						$_SESSION['LEVEL'] = $rowUser['UserLevel'];
						$_SESSION['DISPLAYNAME'] = strtoupper(trim($_POST['username']));
						$_SESSION['LOGIN'] = 'true';

						header("Location: index.php?page=".urlencode($_REQUEST['page']));
						die();
					}
				}

				$RUNTIME['MESSAGE']['LOGINERROR'] = "Passwort falsch!";
			}

			$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']); 
			$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username'])); 	
		}
	}

	if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
		$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));

	$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", ""); 
	$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", ""); 
	$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard"); 

	$HTML->build();
	echo $HTML->ausgabe();
?>
add files 2020-06-03 15:31:18 +00:00			`<?php`
			`$HTML = new HTML();`
			`$HTML->setHTMLTitle("Login");`
Fix include/template paths 2023-08-23 16:16:35 +00:00			`$HTML->importHTML("login.html");`
Validate user input in login form 2023-08-23 16:16:34 +00:00
Properly check request method in login form 2023-08-23 16:16:35 +00:00			`if($_SERVER['REQUEST_METHOD'] == 'POST')`
add files 2020-06-03 15:31:18 +00:00			`{`
Reflect directory structure changes 2023-08-23 16:16:35 +00:00			`include_once 'app/FormValidator.php';`
Validate user input in login form 2023-08-23 16:16:34 +00:00			`$validator = new FormValidator(array(`
Fix incorrect regex escaping 2023-08-23 16:16:35 +00:00			`'username' => array('required' => true, 'regex' => '/[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}/'),`
Fix various small errors 2023-08-23 16:16:34 +00:00			`'password' => array('required' => true, 'regex' => '/.{1,1000}/')`
Validate user input in login form 2023-08-23 16:16:34 +00:00			`));`

			`if(!$validator->isValid($_POST)) {`
			`$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername und Passwort an.");`
			`}`
			`else {`
Only fetch required rows from database 2023-08-23 16:16:34 +00:00			`$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");`
add files 2020-06-03 15:31:18 +00:00			`$statementUser->execute(explode(" ", trim($_POST['username'])));`

			`$RUNTIME['MESSAGE']['LOGINERROR'] = "Benutzername nicht gefunden!";`

			`while($rowUser = $statementUser->fetch())`
			`{`
Only fetch required rows from database 2023-08-23 16:16:34 +00:00			`$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");`
add files 2020-06-03 15:31:18 +00:00			`$statementAuth->execute(array($rowUser['PrincipalID']));`

			`$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];`

			`while($rowAuth = $statementAuth->fetch())`
			`{`
Use Argon2id as password hashing algorithm 2023-08-23 16:16:34 +00:00			`$passwordCorrect = false;`
			`if(strlen($rowAuth['passwordHash']) == 32) {`
			`if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {`
			`$passwordCorrect = true;`

			`$newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);`
			`$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");`
			`$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));`
			`}`
			`}`
			`else {`
			`$passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);`
			`}`

			`if($passwordCorrect)`
add files 2020-06-03 15:31:18 +00:00			`{`
Unset pre-session on login and registration 2023-08-23 16:16:34 +00:00			`session_unset(); // Unset pre-session variables, next request will generate a new CSRF token`
add files 2020-06-03 15:31:18 +00:00			`$_SESSION['USERNAME'] = trim($_POST['username']);`
			`$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);`
			`$_SESSION['LASTNAME'] = trim($rowUser['LastName']);`
			`$_SESSION['EMAIL'] = trim($rowUser['Email']);`
add password change 2020-08-02 02:44:32 +00:00			`$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];`
			`$_SESSION['SALT'] = $rowAuth['passwordSalt'];`
add files 2020-06-03 15:31:18 +00:00			`$_SESSION['UUID'] = $rowUser['PrincipalID'];`
			`$_SESSION['LEVEL'] = $rowUser['UserLevel'];`
			`$_SESSION['DISPLAYNAME'] = strtoupper(trim($_POST['username']));`
			`$_SESSION['LOGIN'] = 'true';`
add admin menu 2020-08-04 09:44:59 +00:00
Sanitize 'page' GET parameter in login.php 2023-08-23 16:16:34 +00:00			`header("Location: index.php?page=".urlencode($_REQUEST['page']));`
add files 2020-06-03 15:31:18 +00:00			`die();`
			`}`
			`}`

			`$RUNTIME['MESSAGE']['LOGINERROR'] = "Passwort falsch!";`
			`}`

			`$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);`
Always encode user input before including in HTML 2023-08-23 16:16:34 +00:00			`$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username']));`
add files 2020-06-03 15:31:18 +00:00			`}`
			`}`
Validate user input in login form 2023-08-23 16:16:34 +00:00
Fix various small errors 2023-08-23 16:16:34 +00:00			`if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))`
Sanitize 'page' GET parameter in login.php 2023-08-23 16:16:34 +00:00			`$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));`
add files 2020-06-03 15:31:18 +00:00
			`$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");`
			`$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");`
			`$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard");`

			`$HTML->build();`
			`echo $HTML->ausgabe();`
			`?>`