Improve login security and efficiency
parent
eda4c5a030
commit
0991d5a487
|
@ -15,36 +15,28 @@
|
|||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein.");
|
||||
}
|
||||
else {
|
||||
$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1");
|
||||
$statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel,passwordHash,passwordSalt FROM UserAccounts JOIN auth ON UserAccounts.PrincipalID = auth.UUID WHERE FirstName = ? AND LastName = ? LIMIT 1");
|
||||
$statementUser->execute(explode(" ", trim($_POST['username'])));
|
||||
$res = ['passwordHash' => '', 'passwordSalt' => ''];
|
||||
|
||||
while($rowUser = $statementUser->fetch())
|
||||
{
|
||||
$statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1");
|
||||
$statementAuth->execute(array($rowUser['PrincipalID']));
|
||||
if($rowUser = $statementUser->fetch()) {
|
||||
$res = $rowUser;
|
||||
}
|
||||
|
||||
$RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID'];
|
||||
if(hash_equals(md5(md5($_POST['password']).":".$res['passwordSalt']), $res['passwordHash'])) {
|
||||
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
||||
$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
|
||||
$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
|
||||
$_SESSION['EMAIL'] = trim($rowUser['Email']);
|
||||
$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
|
||||
$_SESSION['SALT'] = $rowAuth['passwordSalt'];
|
||||
$_SESSION['UUID'] = $rowUser['PrincipalID'];
|
||||
$_SESSION['LEVEL'] = $rowUser['UserLevel'];
|
||||
$_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']);
|
||||
$_SESSION['LOGIN'] = 'true';
|
||||
|
||||
while($rowAuth = $statementAuth->fetch())
|
||||
{
|
||||
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
|
||||
{
|
||||
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
||||
$_SESSION['USERNAME'] = trim($_POST['username']);
|
||||
$_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']);
|
||||
$_SESSION['LASTNAME'] = trim($rowUser['LastName']);
|
||||
$_SESSION['EMAIL'] = trim($rowUser['Email']);
|
||||
$_SESSION['PASSWORD'] = $rowAuth['passwordHash'];
|
||||
$_SESSION['SALT'] = $rowAuth['passwordSalt'];
|
||||
$_SESSION['UUID'] = $rowUser['PrincipalID'];
|
||||
$_SESSION['LEVEL'] = $rowUser['UserLevel'];
|
||||
$_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']);
|
||||
$_SESSION['LOGIN'] = 'true';
|
||||
|
||||
header("Location: index.php?page=dashboard");
|
||||
die();
|
||||
}
|
||||
}
|
||||
header("Location: index.php?page=dashboard");
|
||||
die();
|
||||
}
|
||||
|
||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch.");
|
||||
|
@ -55,15 +47,12 @@
|
|||
$HTML->ReplaceLayoutInhalt('%%LOGINMESSAGE%%', $_SESSION['loginMessage']);
|
||||
$HTML->ReplaceLayoutInhalt('%%MESSAGECOLOR%%', $_SESSION['loginMessageColor']);
|
||||
unset($_SESSION['loginMessage']);
|
||||
unset($_SESSION['loginMessageColor']);
|
||||
}
|
||||
|
||||
if(isset($_REQUEST['page']) && preg_match('/^[0-9a-zA-Z]{1-100}$/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php"))
|
||||
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page']));
|
||||
|
||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "");
|
||||
$HTML->ReplaceLayoutInhalt("%%MESSAGECOLOR%%", "red");
|
||||
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", "");
|
||||
$HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard");
|
||||
|
||||
$HTML->build();
|
||||
echo $HTML->ausgabe();
|
||||
|
|
|
@ -135,7 +135,6 @@
|
|||
}
|
||||
|
||||
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
||||
$_SESSION['USERNAME'] = trim($name);
|
||||
$_SESSION['FIRSTNAME'] = trim($nameParts[0]);
|
||||
$_SESSION['LASTNAME'] = trim($nameParts[1]);
|
||||
$_SESSION['EMAIL'] = $email;
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
<div class="limiter">
|
||||
<div class="container-login100">
|
||||
<div class="wrap-login100 p-t-50 p-b-90">
|
||||
<form class="login100-form validate-form flex-sb flex-w" action="index.php?page=%%PAGENAME%%" method="post">
|
||||
<form class="login100-form validate-form flex-sb flex-w" action="index.php?page=login" method="post">
|
||||
<span class="login100-form-title p-b-51">
|
||||
Login
|
||||
</span>
|
||||
|
|
Loading…
Reference in New Issue