Skip to content

Commit

Permalink
fixed login security issue by switching to using sessions
Browse files Browse the repository at this point in the history
  • Loading branch information
sbrl committed Jan 10, 2015
1 parent f40864f commit c9a2d1e
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 30 deletions.
38 changes: 26 additions & 12 deletions core.php
Original file line number Diff line number Diff line change
Expand Up @@ -6,18 +6,27 @@
///////////////////////////////////////////////////////////////////////////////////////////////
/////////////// Do not edit below this line unless you know what you are doing! ///////////////
///////////////////////////////////////////////////////////////////////////////////////////////
$version = "0.5";
session_start();
///////// Login System /////////
if(!isset($_COOKIE[$cookieprefix . "-user"]) and
!isset($_COOKIE[$cookieprefix . "-pass"]))
//clear expired sessions
if(isset($_SESSION["$sessionprefix-expiretime"]) and
$_SESSION["$sessionprefix-expiretime"] < time())
{
//clear the session variables
$_SESSION = [];
session_destroy();
}

if(!isset($_SESSION[$sessionprefix . "-user"]) and
!isset($_SESSION[$sessionprefix . "-pass"]))
{
//the user is not logged in
$isloggedin = false;
}
else
{
$user = $_COOKIE[$cookieprefix . "-user"];
$pass = $_COOKIE[$cookieprefix . "-pass"];
$user = $_SESSION[$sessionprefix . "-user"];
$pass = $_SESSION[$sessionprefix . "-pass"];
if($users[$user] == $pass)
{
//the user is logged in
Expand All @@ -26,12 +35,13 @@
else
{
//the user's login details are invalid (what is going on here?)
//unset the cookie and the variables, treat them as an anonymous user, and get out of here
//unset the session variables, treat them as an anonymous user, and get out of here
$isloggedin = false;
unset($user);
unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/");
setcookie($cookieprefix . "-pass", null, -1, "/");
//clear the session data
$_SESSION = []; //delete al lthe variables
session_destroy(); //destroy the session
}
}
//check to see if the currently logged in user is an admin
Expand Down Expand Up @@ -680,6 +690,7 @@ function human_time_since($time)
* %checklogin% |___/
*/
case "checklogin":
//actually do the login
if(isset($_POST["user"]) and isset($_POST["pass"]))
{
//the user wants to log in
Expand All @@ -689,8 +700,9 @@ function human_time_since($time)
{
$isloggedin = true;
$expiretime = time() + 60*60*24*30; //30 days from now
setcookie($cookieprefix . "-user", $user, $expiretime, "/");
setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/");
$_SESSION["$sessionprefix-user"] = $user;
$_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
$_SESSION["$sessionprefix-expiretime"] = $expiretime;
//redirect to wherever the user was going
http_response_code(302);
if(isset($_POST["goto"]))
Expand Down Expand Up @@ -726,8 +738,10 @@ function human_time_since($time)
$isloggedin = false;
unset($user);
unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/");
setcookie($cookieprefix . "-pass", null, -1, "/");
//clear the session variables
$_SESSION = [];
session_destroy();

exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
break;
Expand Down
45 changes: 30 additions & 15 deletions index.php
Original file line number Diff line number Diff line change
Expand Up @@ -91,10 +91,11 @@
//default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
$favicon = "";

//the prefix that should be used in the cookie names
//the prefix that should be used in the names of the session variables.
//defaults to an all lower case version of the site name with all non alphanumeric characters removed
//remember that changing this will log everyone out since the login cookie's name will have changed
$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
//remember that changing this will log everyone out since the session varibles' name will have changed
//normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));

/*
Actions:
Expand Down Expand Up @@ -123,18 +124,27 @@
///////////////////////////////////////////////////////////////////////////////////////////////
/////////////// Do not edit below this line unless you know what you are doing! ///////////////
///////////////////////////////////////////////////////////////////////////////////////////////
$version = "0.5";
session_start();
///////// Login System /////////
if(!isset($_COOKIE[$cookieprefix . "-user"]) and
!isset($_COOKIE[$cookieprefix . "-pass"]))
//clear expired sessions
if(isset($_SESSION["$sessionprefix-expiretime"]) and
$_SESSION["$sessionprefix-expiretime"] < time())
{
//clear the session variables
$_SESSION = [];
session_destroy();
}

if(!isset($_SESSION[$sessionprefix . "-user"]) and
!isset($_SESSION[$sessionprefix . "-pass"]))
{
//the user is not logged in
$isloggedin = false;
}
else
{
$user = $_COOKIE[$cookieprefix . "-user"];
$pass = $_COOKIE[$cookieprefix . "-pass"];
$user = $_SESSION[$sessionprefix . "-user"];
$pass = $_SESSION[$sessionprefix . "-pass"];
if($users[$user] == $pass)
{
//the user is logged in
Expand All @@ -143,12 +153,13 @@
else
{
//the user's login details are invalid (what is going on here?)
//unset the cookie and the variables, treat them as an anonymous user, and get out of here
//unset the session variables, treat them as an anonymous user, and get out of here
$isloggedin = false;
unset($user);
unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/");
setcookie($cookieprefix . "-pass", null, -1, "/");
//clear the session data
$_SESSION = []; //delete al lthe variables
session_destroy(); //destroy the session
}
}
//check to see if the currently logged in user is an admin
Expand Down Expand Up @@ -797,6 +808,7 @@ function human_time_since($time)
* %checklogin% |___/
*/
case "checklogin":
//actually do the login
if(isset($_POST["user"]) and isset($_POST["pass"]))
{
//the user wants to log in
Expand All @@ -806,8 +818,9 @@ function human_time_since($time)
{
$isloggedin = true;
$expiretime = time() + 60*60*24*30; //30 days from now
setcookie($cookieprefix . "-user", $user, $expiretime, "/");
setcookie($cookieprefix . "-pass", hash("sha256", $pass), $expiretime, "/");
$_SESSION["$sessionprefix-user"] = $user;
$_SESSION["$sessionprefix-pass"] = hash("sha256", $pass);
$_SESSION["$sessionprefix-expiretime"] = $expiretime;
//redirect to wherever the user was going
http_response_code(302);
if(isset($_POST["goto"]))
Expand Down Expand Up @@ -843,8 +856,10 @@ function human_time_since($time)
$isloggedin = false;
unset($user);
unset($pass);
setcookie($cookieprefix . "-user", null, -1, "/");
setcookie($cookieprefix . "-pass", null, -1, "/");
//clear the session variables
$_SESSION = [];
session_destroy();

exit(renderpage("Logout Successful", "<h1>Logout Successful</h1>
<p>Logout Successful. You can login again <a href='index.php?action=login'>here</a>.</p>"));
break;
Expand Down
7 changes: 4 additions & 3 deletions settings.fragment.php
Original file line number Diff line number Diff line change
Expand Up @@ -88,10 +88,11 @@
//default: peppermint from https://openclipart.org/detail/19571/peppermint-candy-by-bluefrog23
$favicon = "";

//the prefix that should be used in the cookie names
//the prefix that should be used in the names of the session variables.
//defaults to an all lower case version of the site name with all non alphanumeric characters removed
//remember that changing this will log everyone out since the login cookie's name will have changed
$cookieprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));
//remember that changing this will log everyone out since the session varibles' name will have changed
//normally you wouldn't have to change this - this setting is left over from when we used a cookie to store login details
$sessionprefix = preg_replace("/[^0-9a-z]/i", "", strtolower($sitename));

/*
Actions:
Expand Down

0 comments on commit c9a2d1e

Please sign in to comment.