Improve login security and efficiency
parent
eda4c5a030
commit
0991d5a487
|
@ -15,36 +15,28 @@
|
||||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein.");
|
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein.");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");
|
$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel,passwordHash,passwordSalt FROM UserAccounts JOIN auth ON UserAccounts.PrincipalID = auth.UUID WHERE FirstName = ? AND LastName = ? LIMIT 1");
|
||||||
$statementUser->execute(explode(" ", trim($_POST['username'])));
|
$statementUser->execute(explode(" ", trim($_POST['username'])));
|
||||||
|
$res = ['passwordHash' => '', 'passwordSalt' => ''];
|
||||||
|
|
||||||
while($rowUser = $statementUser->fetch())
|
if($rowUser = $statementUser->fetch()) {
|
||||||
{
|
$res = $rowUser;
|
||||||
$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");
|
}
|
||||||
$statementAuth->execute(array($rowUser['PrincipalID']));
|
|
||||||
|
|
||||||
$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];
|
|
||||||
|
|
||||||
while($rowAuth = $statementAuth->fetch())
|
if(hash_equals(md5(md5($_POST['password']).":".$res['passwordSalt']), $res['passwordHash'])) {
|
||||||
{
|
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
||||||
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
|
$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
|
||||||
{
|
$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
|
||||||
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
$_SESSION['EMAIL'] = trim($rowUser['Email']);
|
||||||
$_SESSION['USERNAME'] = trim($_POST['username']);
|
$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
|
||||||
$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
|
$_SESSION['SALT'] = $rowAuth['passwordSalt'];
|
||||||
$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
|
$_SESSION['UUID'] = $rowUser['PrincipalID'];
|
||||||
$_SESSION['EMAIL'] = trim($rowUser['Email']);
|
$_SESSION['LEVEL'] = $rowUser['UserLevel'];
|
||||||
$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
|
$_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']);
|
||||||
$_SESSION['SALT'] = $rowAuth['passwordSalt'];
|
$_SESSION['LOGIN'] = 'true';
|
||||||
$_SESSION['UUID'] = $rowUser['PrincipalID'];
|
|
||||||
$_SESSION['LEVEL'] = $rowUser['UserLevel'];
|
|
||||||
$_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']);
|
|
||||||
$_SESSION['LOGIN'] = 'true';
|
|
||||||
|
|
||||||
header("Location: index.php?page=dashboard");
|
header("Location: index.php?page=dashboard");
|
||||||
die();
|
die();
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch.");
|
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch.");
|
||||||
|
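Review bot: On the new side the session block still reads `$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];` and `$_SESSION['SALT'] = $rowAuth['passwordSalt'];`, yet this commit removes the `while($rowAuth = $statementAuth->fetch())` loop that was the only assignment to `$rowAuth`; if that is what landed (and not an artefact of the side-by-side rendering), every login stores null there with an undefined-variable warning, and anything downstream that re-checks the password from the session breaks silently. The fetched row now lives in `$res`, so read `$res['passwordHash']` / `$res['passwordSalt']` — or, preferably, drop both keys, since a password hash and its salt have no business in `$_SESSION`. Separately, `session_unset()` after the `hash_equals` check clears variables but keeps the session ID, which is the session-fixation case; add `session_regenerate_id(true);` immediately after it so an ID planted before authentication is not promoted to a logged-in one. `explode(" ", trim($_POST['username']))` is handed to a two-placeholder statement unchecked, so a username with no space or with more than two words makes `execute()` error out instead of falling through to the generic "falsch" message; guard with `isset($_POST['username'], $_POST['password'])` and `count($parts) === 2` before preparing the query. The `md5(md5($pw).":".$salt)` scheme presumably has to match an existing auth table, so it is not a drop-in `password_verify` candidate, but that constraint deserves a one-line comment on the `hash_equals` line.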
@ -55,15 +47,12 @@
|
||||||
$HTML->ReplaceLayoutInhalt('%%LOGINMESSAGE%%', $_SESSION['loginMessage']);
|
$HTML->ReplaceLayoutInhalt('%%LOGINMESSAGE%%', $_SESSION['loginMessage']);
|
||||||
$HTML->ReplaceLayoutInhalt('%%MESSAGECOLOR%%', $_SESSION['loginMessageColor']);
|
$HTML->ReplaceLayoutInhalt('%%MESSAGECOLOR%%', $_SESSION['loginMessageColor']);
|
||||||
unset($_SESSION['loginMessage']);
|
unset($_SESSION['loginMessage']);
|
||||||
|
unset($_SESSION['loginMessageColor']);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
|
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
|
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
|
||||||
$HTML->ReplaceLayoutInhalt("%%MESSAGECOLOR%%", "red");
|
$HTML->ReplaceLayoutInhalt("%%MESSAGECOLOR%%", "red");
|
||||||
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");
|
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");
|
||||||
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard");
|
|
||||||
|
|
||||||
$HTML->build();
|
$HTML->build();
|
||||||
echo $HTML->ausgabe();
|
echo $HTML->ausgabe();
|
||||||
|
|
|
@ -135,7 +135,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
||||||
$_SESSION['USERNAME'] = trim($name);
|
|
||||||
$_SESSION['FIRSTNAME'] = trim($nameParts[0]);
|
$_SESSION['FIRSTNAME'] = trim($nameParts[0]);
|
||||||
$_SESSION['LASTNAME'] = trim($nameParts[1]);
|
$_SESSION['LASTNAME'] = trim($nameParts[1]);
|
||||||
$_SESSION['EMAIL'] = $email;
|
$_SESSION['EMAIL'] = $email;
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
<div class="limiter">
|
<div class="limiter">
|
||||||
<div class="container-login100">
|
<div class="container-login100">
|
||||||
<div class="wrap-login100 p-t-50 p-b-90">
|
<div class="wrap-login100 p-t-50 p-b-90">
|
||||||
<form class="login100-form validate-form flex-sb flex-w" action="index.php?page=%%PAGENAME%%" method="post">
|
<form class="login100-form validate-form flex-sb flex-w" action="index.php?page=login" method="post">
|
||||||
<span class="login100-form-title p-b-51">
|
<span class="login100-form-title p-b-51">
|
||||||
Login
|
Login
|
||||||
</span>
|
</span>
|
||||||
|
|