setHTMLTitle("Login"); $HTML->importHTML("login.html"); if($_SERVER['REQUEST_METHOD'] == 'POST') { include_once 'app/FormValidator.php'; $validator = new FormValidator(array( 'username' => array('required' => true, 'regex' => '/^[^\\/<>\s]{1,64} [^\\/<>\s]{1,64}$/'), 'password' => array('required' => true, 'regex' => '/^.{1,1000}$/') )); if(!$validator->isValid($_POST)) { $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Bitte gebe Benutzername (Vor- und Nachname) und Passwort ein."); } else { $statementUser = $RUNTIME['PDO']->prepare("SELECT PrincipalID,FirstName,LastName,Email,UserLevel,passwordHash,passwordSalt FROM UserAccounts JOIN auth ON UserAccounts.PrincipalID = auth.UUID WHERE FirstName = ? AND LastName = ? LIMIT 1"); $statementUser->execute(explode(" ", trim($_POST['username']))); $res = ['passwordHash' => '', 'passwordSalt' => '']; if($rowUser = $statementUser->fetch()) { $res = $rowUser; } if(hash_equals(md5(md5($_POST['password']).":".$res['passwordSalt']), $res['passwordHash'])) { session_unset(); // Unset pre-session variables, next request will generate a new CSRF token $_SESSION['FIRSTNAME'] = trim($rowUser['FirstName']); $_SESSION['LASTNAME'] = trim($rowUser['LastName']); $_SESSION['EMAIL'] = trim($rowUser['Email']); $_SESSION['PASSWORD'] = $rowAuth['passwordHash']; $_SESSION['SALT'] = $rowAuth['passwordSalt']; $_SESSION['UUID'] = $rowUser['PrincipalID']; $_SESSION['LEVEL'] = $rowUser['UserLevel']; $_SESSION['DISPLAYNAME'] = strtoupper($rowUser['FirstName'].' '.$rowUser['LastName']); $_SESSION['LOGIN'] = 'true'; header("Location: index.php?page=dashboard"); die(); } $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", "Benutzername und/oder Passwort falsch."); $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username'])); } } else if(isset($_SESSION) && isset($_SESSION['loginMessage'])) { $HTML->ReplaceLayoutInhalt('%%LOGINMESSAGE%%', $_SESSION['loginMessage']); $HTML->ReplaceLayoutInhalt('%%MESSAGECOLOR%%', $_SESSION['loginMessageColor']); unset($_SESSION['loginMessage']); unset($_SESSION['loginMessageColor']); } $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", ""); $HTML->ReplaceLayoutInhalt("%%MESSAGECOLOR%%", "red"); $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", ""); $HTML->build(); echo $HTML->ausgabe(); ?>