Adds CSRF checks to login/logout pages

Yasen Pramatarov 2025-01-30 18:48:46 +02:00
parent 9c9a306f55
commit 27a4dca7c6
3 changed files with 57 additions and 13 deletions


@ -27,6 +27,29 @@ try {
if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) { if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
try { try {
// Validate form data
$security = SecurityHelper::getInstance();
$formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']);
$validationRules = [
'username' => [
'type' => 'string',
'required' => true,
'min' => 3,
'max' => 20
],
'password' => [
'type' => 'string',
'required' => true,
'min' => 2
]
];
$errors = $security->validateFormData($formData, $validationRules);
if (!empty($errors)) {
throw new Exception("Invalid input: " . implode(", ", $errors));
}
$username = $_POST['username']; $username = $_POST['username'];
$password = $_POST['password']; $password = $_POST['password'];
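Review bot: The validated copy is never used for the credentials: `$formData` is built and checked, but the two lines at the end of the hunk still read `$_POST['username']` and `$_POST['password']` directly, so the length rules apply to one value and the login uses another. Read both from the validated array instead, `$username = $formData['username'];` `$password = $formData['password'];`. One caveat if `sanitizeArray` rewrites values (trimming, HTML-encoding): a password has to reach the hash comparison byte-for-byte, so it should be length-checked but not transformed — if the helper does transform, keep the raw `$_POST['password']` for the password only and say so in a comment next to it. The `try` block continues past the hunk.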


@ -4,15 +4,23 @@
<div class="card-body"> <div class="card-body">
<p class="card-text"><strong>Welcome to JILO!</strong><br />Please enter login credentials:</p> <p class="card-text"><strong>Welcome to JILO!</strong><br />Please enter login credentials:</p>
<form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=login"> <form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=login">
<input type="text" name="username" placeholder="Username" required autofocus /> <?php include 'csrf_token.php'; ?>
<br /> <div class="form-group mb-3">
<input type="password" name="password" placeholder="Password" required /> <input type="text" class="form-control" name="username" placeholder="Username".
<br /> pattern="[a-zA-Z0-9_-]{3,20}" title="3-20 characters, letters, numbers, - and _"
required autofocus />
</div>
<div class="form-group mb-3">
<input type="password" class="form-control" name="password" placeholder="Password".
pattern=".{2,}" title="Eight or more characters"
required />
</div>
<div class="form-group mb-3">
<label for="remember_me"> <label for="remember_me">
<input type="checkbox" id="remember_me" name="remember_me" /> <input type="checkbox" id="remember_me" name="remember_me" />
remember me remember me
</label> </label>
<br />&nbsp;<br /> </div>
<input type="submit" class="btn btn-primary" value="Login" /> <input type="submit" class="btn btn-primary" value="Login" />
</form> </form>
</div> </div>
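Review bot: The password field's client-side hint contradicts both its own pattern and the server rule: `pattern=".{2,}"` admits two characters while `title="Eight or more characters"` tells the user eight, and the server-side rule in this commit sets `'min' => 2`. Make the title match, `title="Two or more characters"`, or drop the `pattern` on the password input altogether, since `required` plus the server check already cover it. The stray period after `placeholder="Username"` and `placeholder="Password"` appears to sit inside the tag, which would leave invalid markup; if it is in the source rather than an artefact of this page it should be removed. The username `pattern` is only a browser-side aid — the `validateFormData` rule added in the same commit checks length only, so any character-set restriction the app relies on should be enforced server-side as well.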


@ -18,6 +18,17 @@ ob_start();
// sanitize all input vars that may end up in URLs or forms // sanitize all input vars that may end up in URLs or forms
require '../app/includes/sanitize.php'; require '../app/includes/sanitize.php';
session_name('jilo');
session_start();
// Initialize security middleware
require_once '../app/includes/csrf_middleware.php';
require_once '../app/helpers/securityhelper.php';
$security = SecurityHelper::getInstance();
// Verify CSRF token for POST requests
verifyCsrfToken();
// Initialize message system // Initialize message system
require_once '../app/classes/messages.php'; require_once '../app/classes/messages.php';
$messages = []; $messages = [];
@ -87,9 +98,6 @@ if ($config_file) {
$app_root = $config['folder']; $app_root = $config['folder'];
session_name('jilo');
session_start();
// check if logged in // check if logged in
unset($currentUser); unset($currentUser);
if (isset($_COOKIE['username'])) { if (isset($_COOKIE['username'])) {
@ -151,14 +159,19 @@ $userObject = new User($dbWeb);
// logout is a special case, as we can't use session vars for notices // logout is a special case, as we can't use session vars for notices
if ($page == 'logout') { if ($page == 'logout') {
// get user info before destroying session
$user_id = $userObject->getUserId($currentUser)[0]['id'];
// clean up session // clean up session
session_unset(); session_unset();
session_destroy(); session_destroy();
// start new session for the login page
session_start();
setcookie('username', "", time() - 100, $config['folder'], $config['domain'], isset($_SERVER['HTTPS']), true); setcookie('username', "", time() - 100, $config['folder'], $config['domain'], isset($_SERVER['HTTPS']), true);
// Log successful logout // Log successful logout
$user_id = $userObject->getUserId($currentUser)[0]['id'];
$logObject->insertLog($user_id, "Logout: User \"$currentUser\" logged out. IP: $user_IP", 'user'); $logObject->insertLog($user_id, "Logout: User \"$currentUser\" logged out. IP: $user_IP", 'user');
// Set success message // Set success message