mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-12-25 14:45:02 +00:00
fixed login security issue by switching to using sessions
This commit is contained in:
parent
f40864f0cc
commit
c9a2d1e3f4
3 changed files with 60 additions and 30 deletions
38
core.php
38
core.php
|
@ -6,18 +6,27 @@ $start_time = time(true);
|
|||
///////////////////////////////////////////////////////////////////////////////////////////////
|
||||
/////////////// Do not edit below this line unless you know what you are doing! ///////////////
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////
|
||||
$version = "0.5";
|
||||
session_start();
|
||||
///////// Login System /////////
|
||||
if(!isset($_COOKIE[$cookieprefix . "-user"]) and
|
||||
!isset($_COOKIE[$cookieprefix . "-pass"]))
|
||||
//clear expired sessions
|
||||
if(isset($_SESSION["$sessionprefix-expiretime"]) and
|
||||
$_SESSION["$sessionprefix-expiretime"] < time())
|
||||
{
|
||||
//clear the session variables
|
||||
$_SESSION = [];
|
||||
session_destroy();
|
||||
}
|
||||
|
||||
if(!isset($_SESSION[$sessionprefix . "-user"]) and
|
||||
!isset($_SESSION[$sessionprefix . "-pass"]))
|
||||
{
|
||||
//the user is not logged in
|
||||
$isloggedin = false;
|
||||
}
|
||||
else
|
||||
{
|
||||
$user = $_COOKIE[$cookieprefix . "-user"];
|
||||
$pass = $_COOKIE[$cookieprefix . "-pass"];
|
||||
$user = $_SESSION[$sessionprefix . "-user"];
|
||||
$pass = $_SESSION[$sessionprefix . "-pass"];
|
||||
if($users[$user] == $pass)
|
||||
{
|
||||
//the user is logged in
|
||||
|
@ -26,12 +35,13 @@ else
|
|||
else
|
||||
{
|
||||
//the user's login details are invalid (what is going on here?)
|
||||
//unset the cookie and the variables, treat them as an anonymous user, and get out of here
|
||||
//unset the session variables, treat them as an anonymous user, and get out of here
|
||||
$isloggedin = false;
|
||||
unset($user);
|
||||
unset($pass);
|
||||
setcookie($cookieprefix . "-user", null, -1, "/");
|
||||
setcookie($cookieprefix . "-pass", null, -1, "/");
|
||||
//clear the session data
|
||||
$_SESSION = []; //delete al lthe variables
|
||||
session_destroy(); //destroy the session
|
||||
}
|
||||
}
|
||||
//check to see if the currently logged in user is an admin
|
||||
|
@ -680,6 +690,7 @@ switch($_GET["action"])
|
|||
* %checklogin% |___/
|
||||
*/
|
||||
case "checklogin":
|
||||
//actually do the login
|
||||
if(isset($_POST["user"]) and isset($_POST["pass"]))
|
||||
{
|
||||
//the user wants to log in
|
||||
|
@ -689,8 +700,9 @@ switch($_GET["action"])
|
|||
{
|
||||
$isloggedin = true;
|
||||
$expiretime = time() + 60*60*24*30; //30 days from now
|
||||
setcookie($cookieprefix . "-user", $user, $expiretime, "/");
|
||||
setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/");
|
||||
$_SESSION["$sessionprefix-user"] = $user;
|
||||
$_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
|
||||
$_SESSION["$sessionprefix-expiretime"] = $expiretime;
|
||||
//redirect to wherever the user was going
|
||||
http_response_code(302);
|
||||
if(isset($_POST["goto"]))
|
||||
|
@ -726,8 +738,10 @@ switch($_GET["action"])
|
|||
$isloggedin = false;
|
||||
unset($user);
|
||||
unset($pass);
|
||||
setcookie($cookieprefix . "-user", null, -1, "/");
|
||||
setcookie($cookieprefix . "-pass", null, -1, "/");
|
||||
//clear the session variables
|
||||
$_SESSION = [];
|
||||
session_destroy();
|
||||
|
||||
exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
|
||||
<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
|
||||
break;
|
||||
|
|
45
index.php
45
index.php
|
@ -91,10 +91,11 @@ th { text-align: left; }
|
|||
//default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
|
||||
$favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC";
|
||||
|
||||
//the prefix that should be used in the cookie names
|
||||
//the prefix that should be used in the names of the session variables.
|
||||
//defaults to an all lower case version of the site name with all non alphanumeric characters removed
|
||||
//remember that changing this will log everyone out since the login cookie's name will have changed
|
||||
$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
|
||||
//remember that changing this will log everyone out since the session varibles' name will have changed
|
||||
//normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
|
||||
$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
|
||||
|
||||
/*
|
||||
Actions:
|
||||
|
@ -123,18 +124,27 @@ Actions:
|
|||
///////////////////////////////////////////////////////////////////////////////////////////////
|
||||
/////////////// Do not edit below this line unless you know what you are doing! ///////////////
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////
|
||||
$version = "0.5";
|
||||
session_start();
|
||||
///////// Login System /////////
|
||||
if(!isset($_COOKIE[$cookieprefix . "-user"]) and
|
||||
!isset($_COOKIE[$cookieprefix . "-pass"]))
|
||||
//clear expired sessions
|
||||
if(isset($_SESSION["$sessionprefix-expiretime"]) and
|
||||
$_SESSION["$sessionprefix-expiretime"] < time())
|
||||
{
|
||||
//clear the session variables
|
||||
$_SESSION = [];
|
||||
session_destroy();
|
||||
}
|
||||
|
||||
if(!isset($_SESSION[$sessionprefix . "-user"]) and
|
||||
!isset($_SESSION[$sessionprefix . "-pass"]))
|
||||
{
|
||||
//the user is not logged in
|
||||
$isloggedin = false;
|
||||
}
|
||||
else
|
||||
{
|
||||
$user = $_COOKIE[$cookieprefix . "-user"];
|
||||
$pass = $_COOKIE[$cookieprefix . "-pass"];
|
||||
$user = $_SESSION[$sessionprefix . "-user"];
|
||||
$pass = $_SESSION[$sessionprefix . "-pass"];
|
||||
if($users[$user] == $pass)
|
||||
{
|
||||
//the user is logged in
|
||||
|
@ -143,12 +153,13 @@ else
|
|||
else
|
||||
{
|
||||
//the user's login details are invalid (what is going on here?)
|
||||
//unset the cookie and the variables, treat them as an anonymous user, and get out of here
|
||||
//unset the session variables, treat them as an anonymous user, and get out of here
|
||||
$isloggedin = false;
|
||||
unset($user);
|
||||
unset($pass);
|
||||
setcookie($cookieprefix . "-user", null, -1, "/");
|
||||
setcookie($cookieprefix . "-pass", null, -1, "/");
|
||||
//clear the session data
|
||||
$_SESSION = []; //delete al lthe variables
|
||||
session_destroy(); //destroy the session
|
||||
}
|
||||
}
|
||||
//check to see if the currently logged in user is an admin
|
||||
|
@ -797,6 +808,7 @@ switch($_GET["action"])
|
|||
* %checklogin% |___/
|
||||
*/
|
||||
case "checklogin":
|
||||
//actually do the login
|
||||
if(isset($_POST["user"]) and isset($_POST["pass"]))
|
||||
{
|
||||
//the user wants to log in
|
||||
|
@ -806,8 +818,9 @@ switch($_GET["action"])
|
|||
{
|
||||
$isloggedin = true;
|
||||
$expiretime = time() + 60*60*24*30; //30 days from now
|
||||
setcookie($cookieprefix . "-user", $user, $expiretime, "/");
|
||||
setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/");
|
||||
$_SESSION["$sessionprefix-user"] = $user;
|
||||
$_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
|
||||
$_SESSION["$sessionprefix-expiretime"] = $expiretime;
|
||||
//redirect to wherever the user was going
|
||||
http_response_code(302);
|
||||
if(isset($_POST["goto"]))
|
||||
|
@ -843,8 +856,10 @@ switch($_GET["action"])
|
|||
$isloggedin = false;
|
||||
unset($user);
|
||||
unset($pass);
|
||||
setcookie($cookieprefix . "-user", null, -1, "/");
|
||||
setcookie($cookieprefix . "-pass", null, -1, "/");
|
||||
//clear the session variables
|
||||
$_SESSION = [];
|
||||
session_destroy();
|
||||
|
||||
exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
|
||||
<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
|
||||
break;
|
||||
|
|
|
@ -88,10 +88,11 @@ th { text-align: left; }
|
|||
//default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
|
||||
$favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC";
|
||||
|
||||
//the prefix that should be used in the cookie names
|
||||
//the prefix that should be used in the names of the session variables.
|
||||
//defaults to an all lower case version of the site name with all non alphanumeric characters removed
|
||||
//remember that changing this will log everyone out since the login cookie's name will have changed
|
||||
$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
|
||||
//remember that changing this will log everyone out since the session varibles' name will have changed
|
||||
//normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
|
||||
$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
|
||||
|
||||
/*
|
||||
Actions:
|
||||
|
|
Loading…
Reference in a new issue