Adds CSRF checks to login/logout pages
parent
9c9a306f55
commit
27a4dca7c6
@ -27,6 +27,29 @@ try {
if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
try {
// Validate form data
$security = SecurityHelper::getInstance();
$formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']);
$validationRules = [
'username' => [
'type' => 'string',
'required' => true,
'min' => 3,
'max' => 20
],
'password' => [
'type' => 'string',
'required' => true,
'min' => 2
]
];
$errors = $security->validateFormData($formData, $validationRules);
if (!empty($errors)) {
throw new Exception("Invalid input: " . implode(", ", $errors));
}
$username = $_POST['username'];
$password = $_POST['password'];
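Review bot: The credentials consumed at `$username = $_POST['username'];` are read from the raw `$_POST` array, while `validateFormData` ran against the sanitized `$formData` copy, so the value that was validated is not the value that is used. Use `$username = $formData['username'];` for the username; leaving the password unsanitized before verification is reasonable, but then its `min` rule is being checked on a possibly altered copy rather than on the value actually verified. `remember_me` and `csrf_token` are whitelisted into `$formData` without a rule, and the token is not checked in this block at all, presumably relying on the global `verifyCsrfToken()` in index.php — a one-line comment such as `// CSRF token is verified globally in index.php before this page runs` would make that dependency visible. The enclosing try block continues outside the hunk.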
@ -4,15 +4,23 @@
<div class="card-body">
<p class="card-text"><strong>Welcome to JILO!</strong><br />Please enter login credentials:</p>
<form method="POST" action="<?= htmlspecialchars($app_root) ?>?page=login">
<input type="text" name="username" placeholder="Username" required autofocus />
<br />
<input type="password" name="password" placeholder="Password" required />
<br />
<?php include 'csrf_token.php'; ?>
<div class="form-group mb-3">
<input type="text" class="form-control" name="username" placeholder="Username".
pattern="[a-zA-Z0-9_-]{3,20}" title="3-20 characters, letters, numbers, - and _"
required autofocus />
</div>
<div class="form-group mb-3">
<input type="password" class="form-control" name="password" placeholder="Password".
pattern=".{2,}" title="Eight or more characters"
required />
</div>
<div class="form-group mb-3">
<label for="remember_me">
<input type="checkbox" id="remember_me" name="remember_me" />
remember me
</label>
<br /> <br />
</div>
<input type="submit" class="btn btn-primary" value="Login" />
</form>
</div>
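Review bot: The new username and password inputs carry a stray `.` after the attribute in `placeholder="Username".` and `placeholder="Password".`, which lands as a bogus token inside the tag; drop the dot on both lines. The password field's `pattern=".{2,}"` contradicts its own `title="Eight or more characters"`, and neither matches any explicit policy visible here — align the pattern, the title and the server-side `min` rule for password in the login controller so users see one consistent requirement. The HTML `pattern`/`required` attributes are a usability aid only; the server-side validation remains the authoritative check, so nothing here should be relied on as enforcement.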
@ -18,6 +18,17 @@ ob_start();
// sanitize all input vars that may end up in URLs or forms
require '../app/includes/sanitize.php';
session_name('jilo');
session_start();
// Initialize security middleware
require_once '../app/includes/csrf_middleware.php';
require_once '../app/helpers/securityhelper.php';
$security = SecurityHelper::getInstance();
// Verify CSRF token for POST requests
verifyCsrfToken();
// Initialize message system
require_once '../app/classes/messages.php';
$messages = [];
@ -87,9 +98,6 @@ if ($config_file) {
$app_root = $config['folder'];
session_name('jilo');
session_start();
// check if logged in
unset($currentUser);
if (isset($_COOKIE['username'])) {
@ -151,14 +159,19 @@ $userObject = new User($dbWeb);
// logout is a special case, as we can't use session vars for notices
if ($page == 'logout') {
// get user info before destroying session
$user_id = $userObject->getUserId($currentUser)[0]['id'];
// clean up session
session_unset();
session_destroy();
// start new session for the login page
session_start();
setcookie('username', "", time() - 100, $config['folder'], $config['domain'], isset($_SERVER['HTTPS']), true);
// Log successful logout
$user_id = $userObject->getUserId($currentUser)[0]['id'];
$logObject->insertLog($user_id, "Logout: User \"$currentUser\" logged out. IP: $user_IP", 'user');
// Set success message
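Review bot: `$user_id` is looked up twice in the logout branch — once under `// get user info before destroying session` and again after `session_destroy()` under `// Log successful logout` at `$user_id = $userObject->getUserId($currentUser)[0]['id'];`; the first lookup exists precisely so the user is read before teardown, so if the second one is still on the new side it is redundant and should be removed. The `session_start()` that follows `session_destroy()` resumes under the session ID still held in the browser's cookie; adding `session_regenerate_id(true);` right after it keeps the post-logout session from carrying the old identifier. `getUserId($currentUser)[0]['id']` also assumes a matching row exists, which will not hold when logout is requested without a logged-in user — guarding it (e.g. `?? null`) would avoid an index warning on an otherwise harmless request. In the earlier hunk of this file, the moved `session_start()` now runs before `$config` is loaded and `verifyCsrfToken()` is described as covering POST requests only; if `?page=logout` is reached through a plain link rather than a form, that check does not cover logout, which seems at odds with the commit title — worth confirming how the logout link submits.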