2020-02-19 15:50:13 +01:00
|
|
|
<?php
|
|
|
|
session_start();
|
2020-03-02 14:19:10 +01:00
|
|
|
%PLEAZE_NO_CACHE%
|
2020-02-19 15:50:13 +01:00
|
|
|
|
2021-09-02 09:02:22 +02:00
|
|
|
$pdo = new PDO('mysql:host=localhost;dbname=web', '%DB_USERNAME%', '%DB_PASSWORD%');
|
2020-02-20 19:40:20 +01:00
|
|
|
$statement = $pdo->prepare('SELECT id, authentication_algorithm, authentication_salt, authentication_string FROM users WHERE name = :username;');
|
2020-02-24 04:15:21 +01:00
|
|
|
$result = $statement->execute(array('username' => $_POST['username']));
|
2020-02-20 19:44:21 +01:00
|
|
|
if ($statement->rowCount() > 0) {
|
2020-02-20 01:02:31 +01:00
|
|
|
//existing user name
|
2020-02-20 19:40:20 +01:00
|
|
|
$dbentry = $statement->fetch();
|
|
|
|
//chechk for correct password
|
2020-02-24 04:15:21 +01:00
|
|
|
if ($dbentry['authentication_string'] == hash($dbentry['authentication_algorithm'], $_POST['password'] . $dbentry['authentication_salt'])) {
|
2020-02-20 19:40:20 +01:00
|
|
|
//password correct
|
2020-02-20 22:01:47 +01:00
|
|
|
$_SESSION['user_id'] = $dbentry['id'];
|
2020-02-24 04:15:21 +01:00
|
|
|
// IP and user agent string are used to prevent cheap session stealing
|
|
|
|
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
|
|
|
|
$_SESSION['user_http_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
|
2021-09-02 08:46:00 +02:00
|
|
|
header("Location: https://%DOMAIN_NAME%%CONTENT_DIR%/userhome/");
|
2020-02-20 19:40:20 +01:00
|
|
|
} else {
|
|
|
|
//password inorrect
|
2021-09-02 08:46:00 +02:00
|
|
|
header("Location: https://%DOMAIN_NAME%%CONTENT_DIR%/login/?error=credentials");
|
2020-02-20 21:50:33 +01:00
|
|
|
die();
|
2020-02-20 19:40:20 +01:00
|
|
|
}
|
2020-02-20 01:02:31 +01:00
|
|
|
} else {
|
|
|
|
//wrong user name
|
2021-09-02 08:46:00 +02:00
|
|
|
header("Location: https://%DOMAIN_NAME%%CONTENT_DIR%/login/?error=credentials");
|
2020-02-20 21:50:33 +01:00
|
|
|
die();
|
2020-02-20 01:02:31 +01:00
|
|
|
}
|
2020-02-19 15:50:13 +01:00
|
|
|
?>
|