setHTMLTitle("Login"); $HTML->importHTML("style/login/login.html"); if(isset($_POST['login'])) { $validator = new FormValidator(array( 'username' => array('required' => true, 'regex' => '/[^\\\/<>\s]{1,64} [^\\\/<>\s]{1,64}/'), 'password' => array('required' => true, 'regex' => '/.{1,1000}/') )); if(!$validator->isValid($_POST)) { $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername und Passwort an."); } else { $statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel FROM UserAccounts WHERE FirstName = ? AND LastName = ? LIMIT 1"); $statementUser->execute(explode(" ", trim($_POST['username']))); $RUNTIME['MESSAGE']['LOGINERROR'] = "Benutzername nicht gefunden!"; while($rowUser = $statementUser->fetch()) { $statementAuth = $RUNTIME['PDO']->prepare("SELECT passwordHash,passwordSalt FROM auth WHERE UUID = ? LIMIT 1"); $statementAuth->execute(array($rowUser['PrincipalID'])); $RUNTIME['DEBUG']['LOGIN']['UUID'] = $rowUser['PrincipalID']; while($rowAuth = $statementAuth->fetch()) { $passwordCorrect = false; if(strlen($rowAuth['passwordHash']) == 32) { if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) { $passwordCorrect = true; $newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID); $updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?"); $updateHash->execute(array($newHash, '', $rowUser['PrincipalID'])); } } else { $passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']); } if($passwordCorrect) { session_unset(); // Unset pre-session variables, next request will generate a new CSRF token $_SESSION['USERNAME'] = trim($_POST['username']); $_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']); $_SESSION['LASTNAME'] = trim($rowUser['LastName']); $_SESSION['EMAIL'] = trim($rowUser['Email']); $_SESSION['PASSWORD'] = $rowAuth['passwordHash']; $_SESSION['SALT'] = $rowAuth['passwordSalt']; $_SESSION['UUID'] = $rowUser['PrincipalID']; $_SESSION['LEVEL'] = $rowUser['UserLevel']; $_SESSION['DISPLAYNAME'] = strtoupper(trim($_POST['username'])); $_SESSION['LOGIN'] = 'true'; header("Location: index.php?page=".urlencode($_REQUEST['page'])); die(); } } $RUNTIME['MESSAGE']['LOGINERROR'] = "Passwort falsch!"; } $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']); $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username'])); } } if(isset($_REQUEST['page']) && preg_match('/[0-9a-zA-Z]{1-100}/', $_REQUEST['page']) && file_exists("./pages/".$_REQUEST['page'].".php")) $HTML->ReplaceLayoutInhalt("%%PAGENAME%%", urlencode($_REQUEST['page'])); $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", ""); $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", ""); $HTML->ReplaceLayoutInhalt("%%PAGENAME%%", "dashboard"); $HTML->build(); echo $HTML->ausgabe(); ?>