1
0
Fork 0

Improve login security and efficiency

master
Anonymous Contributor 2023-08-23 18:16:36 +02:00
parent eda4c5a030
commit 0991d5a487
3 changed files with 21 additions and 33 deletions

View File

@ -15,36 +15,28 @@
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein."); $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein.");
} }
else { else {
$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1"); $statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel,passwordHash,passwordSalt FROM UserAccounts JOIN auth ON UserAccounts.PrincipalID = auth.UUID WHERE FirstName = ? AND LastName = ? LIMIT 1");
$statementUser->execute(explode(" ", trim($_POST['username']))); $statementUser->execute(explode(" ", trim($_POST['username'])));
$res = ['passwordHash' => '', 'passwordSalt' => ''];
while($rowUser = $statementUser->fetch()) if($rowUser = $statementUser->fetch()) {
{ $res = $rowUser;
$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1"); }
$statementAuth->execute(array($rowUser['PrincipalID']));
$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];
while($rowAuth = $statementAuth->fetch()) if(hash_equals(md5(md5($_POST['password']).":".$res['passwordSalt']), $res['passwordHash'])) {
{ session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) $_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
{ $_SESSION['LASTNAME'] = trim($rowUser['LastName']);
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token $_SESSION['EMAIL'] = trim($rowUser['Email']);
$_SESSION['USERNAME'] = trim($_POST['username']); $_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']); $_SESSION['SALT'] = $rowAuth['passwordSalt'];
$_SESSION['LASTNAME'] = trim($rowUser['LastName']); $_SESSION['UUID'] = $rowUser['PrincipalID'];
$_SESSION['EMAIL'] = trim($rowUser['Email']); $_SESSION['LEVEL'] = $rowUser['UserLevel'];
$_SESSION['PASSWORD'] = $rowAuth['passwordHash']; $_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']);
$_SESSION['SALT'] = $rowAuth['passwordSalt']; $_SESSION['LOGIN'] = 'true';
$_SESSION['UUID'] = $rowUser['PrincipalID'];
$_SESSION['LEVEL'] = $rowUser['UserLevel'];
$_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']);
$_SESSION['LOGIN'] = 'true';
header("Location: index.php?page=dashboard"); header("Location: index.php?page=dashboard");
die(); die();
}
}
} }
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch."); $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch.");
@ -55,15 +47,12 @@
$HTML->ReplaceLayoutInhalt('%%LOGINMESSAGE%%', $_SESSION['loginMessage']); $HTML->ReplaceLayoutInhalt('%%LOGINMESSAGE%%', $_SESSION['loginMessage']);
$HTML->ReplaceLayoutInhalt('%%MESSAGECOLOR%%', $_SESSION['loginMessageColor']); $HTML->ReplaceLayoutInhalt('%%MESSAGECOLOR%%', $_SESSION['loginMessageColor']);
unset($_SESSION['loginMessage']); unset($_SESSION['loginMessage']);
unset($_SESSION['loginMessageColor']);
} }
if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", ""); $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
$HTML->ReplaceLayoutInhalt("%%MESSAGECOLOR%%", "red"); $HTML->ReplaceLayoutInhalt("%%MESSAGECOLOR%%", "red");
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", ""); $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard");
$HTML->build(); $HTML->build();
echo $HTML->ausgabe(); echo $HTML->ausgabe();

View File

@ -135,7 +135,6 @@
} }
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
$_SESSION['USERNAME'] = trim($name);
$_SESSION['FIRSTNAME'] = trim($nameParts[0]); $_SESSION['FIRSTNAME'] = trim($nameParts[0]);
$_SESSION['LASTNAME'] = trim($nameParts[1]); $_SESSION['LASTNAME'] = trim($nameParts[1]);
$_SESSION['EMAIL'] = $email; $_SESSION['EMAIL'] = $email;

View File

@ -22,7 +22,7 @@
<div class="limiter"> <div class="limiter">
<div class="container-login100"> <div class="container-login100">
<div class="wrap-login100 p-t-50 p-b-90"> <div class="wrap-login100 p-t-50 p-b-90">
<form class="login100-form validate-form flex-sb flex-w" action="index.php?page=%%PAGENAME%%" method="post"> <form class="login100-form validate-form flex-sb flex-w" action="index.php?page=login" method="post">
<span class="login100-form-title p-b-51"> <span class="login100-form-title p-b-51">
Login Login
</span> </span>