1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-25 05:22:59 +00:00

fixed login security issue by switching to using sessions

This commit is contained in:
Starbeamrainbowlabs 2015-01-10 10:52:03 +00:00
parent f40864f0cc
commit c9a2d1e3f4
3 changed files with 60 additions and 30 deletions

View file

@ -6,18 +6,27 @@ $start_time = time(true);
/////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////
/////////////// Do not edit below this line unless you know what you are doing! /////////////// /////////////// Do not edit below this line unless you know what you are doing! ///////////////
/////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////
$version = "0.5"; session_start();
///////// Login System ///////// ///////// Login System /////////
if(!isset($_COOKIE[$cookieprefix . "-user"]) and //clear expired sessions
!isset($_COOKIE[$cookieprefix . "-pass"])) if(isset($_SESSION["$sessionprefix-expiretime"]) and
$_SESSION["$sessionprefix-expiretime"] < time())
{
//clear the session variables
$_SESSION = [];
session_destroy();
}
if(!isset($_SESSION[$sessionprefix . "-user"]) and
!isset($_SESSION[$sessionprefix . "-pass"]))
{ {
//the user is not logged in //the user is not logged in
$isloggedin = false; $isloggedin = false;
} }
else else
{ {
$user = $_COOKIE[$cookieprefix . "-user"]; $user = $_SESSION[$sessionprefix . "-user"];
$pass = $_COOKIE[$cookieprefix . "-pass"]; $pass = $_SESSION[$sessionprefix . "-pass"];
if($users[$user] == $pass) if($users[$user] == $pass)
{ {
//the user is logged in //the user is logged in
@ -26,12 +35,13 @@ else
else else
{ {
//the user's login details are invalid (what is going on here?) //the user's login details are invalid (what is going on here?)
//unset the cookie and the variables, treat them as an anonymous user, and get out of here //unset the session variables, treat them as an anonymous user, and get out of here
$isloggedin = false; $isloggedin = false;
unset($user); unset($user);
unset($pass); unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/"); //clear the session data
setcookie($cookieprefix . "-pass", null, -1, "/"); $_SESSION = []; //delete al lthe variables
session_destroy(); //destroy the session
} }
} }
//check to see if the currently logged in user is an admin //check to see if the currently logged in user is an admin
@ -680,6 +690,7 @@ switch($_GET["action"])
* %checklogin% |___/ * %checklogin% |___/
*/ */
case "checklogin": case "checklogin":
//actually do the login
if(isset($_POST["user"]) and isset($_POST["pass"])) if(isset($_POST["user"]) and isset($_POST["pass"]))
{ {
//the user wants to log in //the user wants to log in
@ -689,8 +700,9 @@ switch($_GET["action"])
{ {
$isloggedin = true; $isloggedin = true;
$expiretime = time() + 60*60*24*30; //30 days from now $expiretime = time() + 60*60*24*30; //30 days from now
setcookie($cookieprefix . "-user", $user, $expiretime, "/"); $_SESSION["$sessionprefix-user"] = $user;
setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/"); $_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
$_SESSION["$sessionprefix-expiretime"] = $expiretime;
//redirect to wherever the user was going //redirect to wherever the user was going
http_response_code(302); http_response_code(302);
if(isset($_POST["goto"])) if(isset($_POST["goto"]))
@ -726,8 +738,10 @@ switch($_GET["action"])
$isloggedin = false; $isloggedin = false;
unset($user); unset($user);
unset($pass); unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/"); //clear the session variables
setcookie($cookieprefix . "-pass", null, -1, "/"); $_SESSION = [];
session_destroy();
exit(renderpage("Logout Successful", "<h1>Logout Successful</h1> exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>")); <p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
break; break;

View file

@ -91,10 +91,11 @@ th { text-align: left; }
//default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23 //default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
$favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC"; $favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC";
//the prefix that should be used in the cookie names //the prefix that should be used in the names of the session variables.
//defaults to an all lower case version of the site name with all non alphanumeric characters removed //defaults to an all lower case version of the site name with all non alphanumeric characters removed
//remember that changing this will log everyone out since the login cookie's name will have changed //remember that changing this will log everyone out since the session varibles' name will have changed
$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename)); //normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
/* /*
Actions: Actions:
@ -123,18 +124,27 @@ Actions:
/////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////
/////////////// Do not edit below this line unless you know what you are doing! /////////////// /////////////// Do not edit below this line unless you know what you are doing! ///////////////
/////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////
$version = "0.5"; session_start();
///////// Login System ///////// ///////// Login System /////////
if(!isset($_COOKIE[$cookieprefix . "-user"]) and //clear expired sessions
!isset($_COOKIE[$cookieprefix . "-pass"])) if(isset($_SESSION["$sessionprefix-expiretime"]) and
$_SESSION["$sessionprefix-expiretime"] < time())
{
//clear the session variables
$_SESSION = [];
session_destroy();
}
if(!isset($_SESSION[$sessionprefix . "-user"]) and
!isset($_SESSION[$sessionprefix . "-pass"]))
{ {
//the user is not logged in //the user is not logged in
$isloggedin = false; $isloggedin = false;
} }
else else
{ {
$user = $_COOKIE[$cookieprefix . "-user"]; $user = $_SESSION[$sessionprefix . "-user"];
$pass = $_COOKIE[$cookieprefix . "-pass"]; $pass = $_SESSION[$sessionprefix . "-pass"];
if($users[$user] == $pass) if($users[$user] == $pass)
{ {
//the user is logged in //the user is logged in
@ -143,12 +153,13 @@ else
else else
{ {
//the user's login details are invalid (what is going on here?) //the user's login details are invalid (what is going on here?)
//unset the cookie and the variables, treat them as an anonymous user, and get out of here //unset the session variables, treat them as an anonymous user, and get out of here
$isloggedin = false; $isloggedin = false;
unset($user); unset($user);
unset($pass); unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/"); //clear the session data
setcookie($cookieprefix . "-pass", null, -1, "/"); $_SESSION = []; //delete al lthe variables
session_destroy(); //destroy the session
} }
} }
//check to see if the currently logged in user is an admin //check to see if the currently logged in user is an admin
@ -797,6 +808,7 @@ switch($_GET["action"])
* %checklogin% |___/ * %checklogin% |___/
*/ */
case "checklogin": case "checklogin":
//actually do the login
if(isset($_POST["user"]) and isset($_POST["pass"])) if(isset($_POST["user"]) and isset($_POST["pass"]))
{ {
//the user wants to log in //the user wants to log in
@ -806,8 +818,9 @@ switch($_GET["action"])
{ {
$isloggedin = true; $isloggedin = true;
$expiretime = time() + 60*60*24*30; //30 days from now $expiretime = time() + 60*60*24*30; //30 days from now
setcookie($cookieprefix . "-user", $user, $expiretime, "/"); $_SESSION["$sessionprefix-user"] = $user;
setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/"); $_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
$_SESSION["$sessionprefix-expiretime"] = $expiretime;
//redirect to wherever the user was going //redirect to wherever the user was going
http_response_code(302); http_response_code(302);
if(isset($_POST["goto"])) if(isset($_POST["goto"]))
@ -843,8 +856,10 @@ switch($_GET["action"])
$isloggedin = false; $isloggedin = false;
unset($user); unset($user);
unset($pass); unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/"); //clear the session variables
setcookie($cookieprefix . "-pass", null, -1, "/"); $_SESSION = [];
session_destroy();
exit(renderpage("Logout Successful", "<h1>Logout Successful</h1> exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>")); <p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
break; break;

View file

@ -88,10 +88,11 @@ th { text-align: left; }
//default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23 //default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
$favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC"; $favicon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAB3VBMVEXhERHbKCjeVVXjb2/kR0fhKirdHBziDg6qAADaHh7qLy/pdXXUNzfMAADYPj7ZPDzUNzfbHx/fERHpamrqMTHgExPdHx/bLCzhLS3fVFTjT0/ibm7kRkbiLi7aKirdISHeFBTqNDTpeHjgERHYJCTVODjYQkLaPj6/AADVOTnpbW3cIyPdFRXcJCThMjLiTU3ibW3fVVXaKyvcERH4ODj+8fH/////fHz+Fxf4KSn0UFD/CAj/AAD/Xl7/wMD/EhL//v70xMT/+Pj/iYn/HBz/g4P/IyP/Kyv/7Oz0QUH/9PT/+vr/ior/Dg7/vr7/aGj/QED/bGz/AQH/ERH/Jib/R0f/goL/0dH/qan/YWH/7e3/Cwv4R0f/MTH/enr/vLz/u7v/cHD/oKD/n5//aWn+9/f/k5P/0tL/trb/QUH/cXH/dHT/wsL/DQ3/p6f/DAz/1dX/XV3/kpL/i4v/Vlb/2Nj/9/f/pKT+7Oz/V1f/iIj/jIz/r6//Zmb/lZX/j4//T0//Dw/4MzP/GBj/+fn/o6P/TEz/xMT/b2//Tk7/OTn/HR3/hIT/ODj/Y2P/CQn/ZGT/6Oj0UlL/Gxv//f3/Bwf/YmL/6+v0w8P/Cgr/tbX0QkL+9fX4Pz/qNzd0dFHLAAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfeCxINNSdmw510AAAA5ElEQVQYGQXBzSuDAQCA8eexKXOwmSZepa1JiPJxsJOrCwcnuchBjg4O/gr7D9zk4uAgJzvuMgcTpYxaUZvSm5mUj7TX7ycAqvoLIJBwStVbP0Hom1Z/ejoxrbaR1Jz6nWinbKWttGRgMSSjanPktRY6mB9WtRNTn7Ilh7LxnNpKq2/x5LnBitfz+hx0qxUaxhZ6vwqq9bx6f2XXvuUl9SVQS38NR7cvln3v15tZ9bQpuWDtZN3Lgh5DWJex3Y+z1KrVhw21+CiM74WZo83DiXq0dVBDYNJkFEU7WrwDAZhRtQrwDzwKQbT6GboLAAAAAElFTkSuQmCC";
//the prefix that should be used in the cookie names //the prefix that should be used in the names of the session variables.
//defaults to an all lower case version of the site name with all non alphanumeric characters removed //defaults to an all lower case version of the site name with all non alphanumeric characters removed
//remember that changing this will log everyone out since the login cookie's name will have changed //remember that changing this will log everyone out since the session varibles' name will have changed
$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename)); //normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
/* /*
Actions: Actions: