From becf2936284961490bf4536151c1cce75adea904 Mon Sep 17 00:00:00 2001
From: BodgeMaster <>
Date: Mon, 24 Feb 2020 04:15:21 +0100
Subject: [PATCH] added user agent string to session variable

---
 threadr/login/redirect.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/threadr/login/redirect.php b/threadr/login/redirect.php
index 983025a..051168c 100644
--- a/threadr/login/redirect.php
+++ b/threadr/login/redirect.php
@@ -1,19 +1,19 @@ prepare('SELECT id, authentication_algorithm, authentication_salt, authentication_string FROM users WHERE name = :username;');
-$result = $statement->execute(array('username' => $username));
+$result = $statement->execute(array('username' => $_POST['username']));
 if ($statement->rowCount() > 0) {
 //existing user name
 $dbentry = $statement->fetch();
 //chechk for correct password
- if ($dbentry['authentication_string'] == hash($dbentry['authentication_algorithm'], $password . $dbentry['authentication_salt'])) {
+ if ($dbentry['authentication_string'] == hash($dbentry['authentication_algorithm'], $_POST['password'] . $dbentry['authentication_salt'])) {
 //password correct
 $_SESSION['user_id'] = $dbentry['id'];
- $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR']; //ip will be used to prevent session stealing
+ // IP and user agent string are used to prevent cheap session stealing
+ $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
+ $_SESSION['user_http_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
 header("Location: https://lostcave.ddnss.de/common/threadr/userhome/");
 } else {
 //password inorrect
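Review bot: The rewritten password check still compares the stored digest with `==`, so two hex digests of the form `0e…` compare equal under PHP's numeric-string juggling and the comparison is not constant-time; it should read `if (hash_equals($dbentry['authentication_string'], hash($dbentry['authentication_algorithm'], $_POST['password'] . $dbentry['authentication_salt']))) {` (and, longer term, the scheme should move to `password_hash`/`password_verify`). The success branch writes `user_id` into the already-existing session without calling `session_regenerate_id(true)` first, which leaves a session-fixation window unless that is done somewhere outside the hunk; the regenerate call belongs immediately before the `$_SESSION['user_id']` assignment. The new `$_SERVER['HTTP_USER_AGENT']` read should be `$_SERVER['HTTP_USER_AGENT'] ?? ''`, since the header is optional and a missing one raises a notice, and the binding is only a nuisance check — a thief who has the cookie normally has the User-Agent too, so the comment's "cheap" is the honest scope. `$_POST['username']` and `$_POST['password']` are likewise read without `isset`, and `header("Location: …")` is not followed by `exit;`, so any code after the if/else — whose else branch continues beyond the end of the hunk — would still execute on the logged-in path.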