threadr.lostcave.ddnss.de/threadr/login/redirect.php

<?php
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=web', 'webstuff', 'Schei// auf Pa$$w0rter!');
$statement = $pdo->prepare('SELECT id, authentication_algorithm, authentication_salt, authentication_string FROM users WHERE name = :username;');
$result = $statement->execute(array('username' => $_POST['username']));
if ($statement->rowCount() > 0) {
  //existing user name
  $dbentry = $statement->fetch();
  //chechk for correct password
  if ($dbentry['authentication_string'] == hash($dbentry['authentication_algorithm'], $_POST['password'] . $dbentry['authentication_salt'])) {
    //password correct
    $_SESSION['user_id'] = $dbentry['id'];
    // IP and user agent string are used to prevent cheap session stealing
    $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['user_http_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
    header("Location: https://lostcave.ddnss.de/common/threadr/userhome/");
  } else {
    //password inorrect
    header("Location: https://lostcave.ddnss.de/common/threadr/login/?error=credentials");
    die();
  }
} else {
  //wrong user name
  header("Location: https://lostcave.ddnss.de/common/threadr/login/?error=credentials");
  die();
}
?>
started implementation 2020-02-19 15:50:13 +01:00			`<?php`
			`session_start();`

			`$pdo = new PDO('mysql:host=localhost;dbname=web', 'webstuff', 'Schei// auf Pa$$w0rter!');`
implemented password verification 2020-02-20 19:40:20 +01:00			`$statement = $pdo->prepare('SELECT id, authentication_algorithm, authentication_salt, authentication_string FROM users WHERE name = :username;');`
added user agent string to session variable 2020-02-24 04:15:21 +01:00			`$result = $statement->execute(array('username' => $_POST['username']));`
Fixed detection of wrong user name 2020-02-20 19:44:21 +01:00			`if ($statement->rowCount() > 0) {`
trying proper code now 2020-02-20 01:02:31 +01:00			`//existing user name`
implemented password verification 2020-02-20 19:40:20 +01:00			`$dbentry = $statement->fetch();`
			`//chechk for correct password`
added user agent string to session variable 2020-02-24 04:15:21 +01:00			`if ($dbentry['authentication_string'] == hash($dbentry['authentication_algorithm'], $_POST['password'] . $dbentry['authentication_salt'])) {`
implemented password verification 2020-02-20 19:40:20 +01:00			`//password correct`
added session variables 2020-02-20 22:01:47 +01:00			`$_SESSION['user_id'] = $dbentry['id'];`
added user agent string to session variable 2020-02-24 04:15:21 +01:00			`// IP and user agent string are used to prevent cheap session stealing`
			`$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];`
			`$_SESSION['user_http_user_agent'] = $_SERVER['HTTP_USER_AGENT'];`
added redirect to userhome 2020-02-20 22:03:50 +01:00			`header("Location: https://lostcave.ddnss.de/common/threadr/userhome/");`
implemented password verification 2020-02-20 19:40:20 +01:00			`} else {`
			`//password inorrect`
added redirect to userhome 2020-02-20 22:03:50 +01:00			`header("Location: https://lostcave.ddnss.de/common/threadr/login/?error=credentials");`
added redirect back to login page if there was an authentication error 2020-02-20 21:50:33 +01:00			`die();`
implemented password verification 2020-02-20 19:40:20 +01:00			`}`
trying proper code now 2020-02-20 01:02:31 +01:00			`} else {`
			`//wrong user name`
CRITICAL: Fixed debug information being visible 2020-02-21 07:16:46 +01:00			`header("Location: https://lostcave.ddnss.de/common/threadr/login/?error=credentials");`
added redirect back to login page if there was an authentication error 2020-02-20 21:50:33 +01:00			`die();`
trying proper code now 2020-02-20 01:02:31 +01:00			`}`
started implementation 2020-02-19 15:50:13 +01:00			`?>`