fixed login security issue by switching to using sessions

core.php

@@ -6,18 +6,27 @@ $start_time = time(true);
 ///////////////////////////////////////////////////////////////////////////////////////////////
 /////////////// Do not edit below this line unless you know what you are doing! ///////////////
 ///////////////////////////////////////////////////////////////////////////////////////////////
-$version = "0.5";
+session_start();
 ///////// Login System /////////
-if(!isset($_COOKIE[$cookieprefix . "-user"]) and
-  !isset($_COOKIE[$cookieprefix . "-pass"]))
+//clear expired sessions
+if(isset($_SESSION["$sessionprefix-expiretime"]) and
+   $_SESSION["$sessionprefix-expiretime"] < time())
+{
+	//clear the session variables
+	$_SESSION = [];
+	session_destroy();
+}
+
+if(!isset($_SESSION[$sessionprefix . "-user"]) and
+  !isset($_SESSION[$sessionprefix . "-pass"]))
 {
 	//the user is not logged in
 	$isloggedin = false;
 }
 else
 {
-	$user = $_COOKIE[$cookieprefix . "-user"];
-	$pass = $_COOKIE[$cookieprefix . "-pass"];
+	$user = $_SESSION[$sessionprefix . "-user"];
+	$pass = $_SESSION[$sessionprefix . "-pass"];
 	if($users[$user] == $pass)
 	{
 		//the user is logged in
@@ -26,12 +35,13 @@ else
 	else
 	{
 		//the user's login details are invalid (what is going on here?)
-		//unset the cookie and the variables, treat them as an anonymous user, and get out of here
+		//unset the session variables, treat them as an anonymous user, and get out of here
 		$isloggedin = false;
 		unset($user);
 		unset($pass);
-		setcookie($cookieprefix . "-user", null, -1, "/");
-		setcookie($cookieprefix . "-pass", null, -1, "/");
+		//clear the session data
+		$_SESSION = []; //delete al lthe variables
+		session_destroy(); //destroy the session
 	}
 }
 //check to see if the currently logged in user is an admin
@@ -680,6 +690,7 @@ switch($_GET["action"])
 	 *     %checklogin%                   |___/
 	 */
 	case "checklogin":
+		//actually do the login
 		if(isset($_POST["user"]) and isset($_POST["pass"]))
 		{
 			//the user wants to log in
@@ -689,8 +700,9 @@ switch($_GET["action"])
 			{
 				$isloggedin = true;
 				$expiretime = time() + 60*60*24*30; //30 days from now
-				setcookie($cookieprefix . "-user", $user, $expiretime, "/");
-				setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/");
+				$_SESSION["$sessionprefix-user"] = $user;
+				$_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
+				$_SESSION["$sessionprefix-expiretime"] = $expiretime;
 				//redirect to wherever the user was going
 				http_response_code(302);
 				if(isset($_POST["goto"]))
@@ -726,8 +738,10 @@ switch($_GET["action"])
 		$isloggedin = false;
 		unset($user);
 		unset($pass);
-		setcookie($cookieprefix . "-user", null, -1, "/");
-		setcookie($cookieprefix . "-pass", null, -1, "/");
+		//clear the session variables
+		$_SESSION = [];
+		session_destroy();
+		
 		exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
 	<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
 		break;

index.php

@@ -91,10 +91,11 @@ th { text-align: left; }
 //default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
 $favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC";
 
-//the prefix that should be used in the cookie names
+//the prefix that should be used in the names of the session variables.
 //defaults to an all lower case version of the site name with all non alphanumeric characters removed
-//remember that changing this will log everyone out since the login cookie's name will have changed
-$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
+//remember that changing this will log everyone out since the session varibles' name will have changed
+//normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
+$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
 
 /*
 Actions:
@@ -123,18 +124,27 @@ Actions:
 ///////////////////////////////////////////////////////////////////////////////////////////////
 /////////////// Do not edit below this line unless you know what you are doing! ///////////////
 ///////////////////////////////////////////////////////////////////////////////////////////////
-$version = "0.5";
+session_start();
 ///////// Login System /////////
-if(!isset($_COOKIE[$cookieprefix . "-user"]) and
-  !isset($_COOKIE[$cookieprefix . "-pass"]))
+//clear expired sessions
+if(isset($_SESSION["$sessionprefix-expiretime"]) and
+   $_SESSION["$sessionprefix-expiretime"] < time())
+{
+	//clear the session variables
+	$_SESSION = [];
+	session_destroy();
+}
+
+if(!isset($_SESSION[$sessionprefix . "-user"]) and
+  !isset($_SESSION[$sessionprefix . "-pass"]))
 {
 	//the user is not logged in
 	$isloggedin = false;
 }
 else
 {
-	$user = $_COOKIE[$cookieprefix . "-user"];
-	$pass = $_COOKIE[$cookieprefix . "-pass"];
+	$user = $_SESSION[$sessionprefix . "-user"];
+	$pass = $_SESSION[$sessionprefix . "-pass"];
 	if($users[$user] == $pass)
 	{
 		//the user is logged in
@@ -143,12 +153,13 @@ else
 	else
 	{
 		//the user's login details are invalid (what is going on here?)
-		//unset the cookie and the variables, treat them as an anonymous user, and get out of here
+		//unset the session variables, treat them as an anonymous user, and get out of here
 		$isloggedin = false;
 		unset($user);
 		unset($pass);
-		setcookie($cookieprefix . "-user", null, -1, "/");
-		setcookie($cookieprefix . "-pass", null, -1, "/");
+		//clear the session data
+		$_SESSION = []; //delete al lthe variables
+		session_destroy(); //destroy the session
 	}
 }
 //check to see if the currently logged in user is an admin
@@ -797,6 +808,7 @@ switch($_GET["action"])
 	 *     %checklogin%                   |___/
 	 */
 	case "checklogin":
+		//actually do the login
 		if(isset($_POST["user"]) and isset($_POST["pass"]))
 		{
 			//the user wants to log in
@@ -806,8 +818,9 @@ switch($_GET["action"])
 			{
 				$isloggedin = true;
 				$expiretime = time() + 60*60*24*30; //30 days from now
-				setcookie($cookieprefix . "-user", $user, $expiretime, "/");
-				setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/");
+				$_SESSION["$sessionprefix-user"] = $user;
+				$_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
+				$_SESSION["$sessionprefix-expiretime"] = $expiretime;
 				//redirect to wherever the user was going
 				http_response_code(302);
 				if(isset($_POST["goto"]))
@@ -843,8 +856,10 @@ switch($_GET["action"])
 		$isloggedin = false;
 		unset($user);
 		unset($pass);
-		setcookie($cookieprefix . "-user", null, -1, "/");
-		setcookie($cookieprefix . "-pass", null, -1, "/");
+		//clear the session variables
+		$_SESSION = [];
+		session_destroy();
+		
 		exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
 	<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
 		break;

settings.fragment.php

@@ -88,10 +88,11 @@ th { text-align: left; }
 //default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
 $favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC";
 
-//the prefix that should be used in the cookie names
+//the prefix that should be used in the names of the session variables.
 //defaults to an all lower case version of the site name with all non alphanumeric characters removed
-//remember that changing this will log everyone out since the login cookie's name will have changed
-$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
+//remember that changing this will log everyone out since the session varibles' name will have changed
+//normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
+$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
 
 /*
 Actions: