mirror of
https://github.com/pi-hole/web.git
synced 2026-04-25 03:10:18 +01:00
Move login form to a new page
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
This commit is contained in:
RD WebDesign
@@ -9,11 +9,12 @@
|
||||
|
||||
require_once 'func.php';
|
||||
|
||||
// Start a new PHP session (or continue an existing one)
|
||||
// Prevents javascript XSS attacks aimed to steal the session ID
|
||||
ini_set('session.cookie_httponly', 1);
|
||||
// Prevent Session ID from being passed through URLs
|
||||
ini_set('session.use_only_cookies', 1);
|
||||
|
||||
// Start a new PHP session (or continue an existing one)
|
||||
session_start();
|
||||
|
||||
// Read setupVars.conf file
|
||||
@@ -25,81 +26,82 @@ if (isset($setupVars['WEBPASSWORD'])) {
|
||||
$pwhash = '';
|
||||
}
|
||||
|
||||
// If the user wants to log out, we free all session variables currently registered
|
||||
// and delete any persistent cookie.
|
||||
if (isset($_GET['logout'])) {
|
||||
session_unset();
|
||||
setcookie('persistentlogin', '', 1);
|
||||
header('Location: index.php');
|
||||
function verifyPassword($pwhash)
|
||||
{
|
||||
$validpassword = true;
|
||||
|
||||
exit;
|
||||
}
|
||||
|
||||
$wrongpassword = false;
|
||||
$auth = false;
|
||||
|
||||
// Test if password is set
|
||||
if (strlen($pwhash) > 0) {
|
||||
// Check for and authorize from persistent cookie
|
||||
if (isset($_COOKIE['persistentlogin'])) {
|
||||
if (hash_equals($pwhash, $_COOKIE['persistentlogin'])) {
|
||||
$auth = true;
|
||||
// Refresh cookie with new expiry
|
||||
// setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
|
||||
setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
|
||||
} else {
|
||||
// Invalid cookie
|
||||
$auth = false;
|
||||
setcookie('persistentlogin', '', 1);
|
||||
}
|
||||
}
|
||||
// Compare doubly hashes password input with saved hash
|
||||
elseif (isset($_POST['pw'])) {
|
||||
$postinput = hash('sha256', hash('sha256', $_POST['pw']));
|
||||
if (hash_equals($pwhash, $postinput)) {
|
||||
// Regenerate session ID to prevent session fixation
|
||||
session_regenerate_id();
|
||||
|
||||
// Clear the old session
|
||||
$_SESSION = array();
|
||||
|
||||
// Set hash in new session
|
||||
$_SESSION['hash'] = $pwhash;
|
||||
|
||||
// Set persistent cookie if selected
|
||||
if (isset($_POST['persistentlogin'])) {
|
||||
// Test if password is set
|
||||
if (strlen($pwhash) > 0) {
|
||||
// Check for and authorize from persistent cookie
|
||||
if (isset($_COOKIE['persistentlogin'])) {
|
||||
if (hash_equals($pwhash, $_COOKIE['persistentlogin'])) {
|
||||
$_SESSION['auth'] = true;
|
||||
// Refresh cookie with new expiry
|
||||
// setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
|
||||
setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
|
||||
} else {
|
||||
// Invalid cookie
|
||||
$_SESSION['auth'] = false;
|
||||
setcookie('persistentlogin', '', 1);
|
||||
}
|
||||
} elseif (isset($_POST['pw'])) {
|
||||
// Compare doubly hashes password input with saved hash
|
||||
$postinput = hash('sha256', hash('sha256', $_POST['pw']));
|
||||
|
||||
// Login successful, redirect the user to the homepage to discard the POST request
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_SERVER['QUERY_STRING'] === 'login') {
|
||||
header('Location: index.php');
|
||||
if (hash_equals($pwhash, $postinput)) {
|
||||
// Save previously accessed page, before clear the session
|
||||
$redirect_url = 'index.php';
|
||||
if (isset($_SESSION['prev_url'])) {
|
||||
$redirect_url = $_SESSION['prev_url'];
|
||||
}
|
||||
|
||||
exit;
|
||||
// Regenerate session ID to prevent session fixation
|
||||
session_regenerate_id();
|
||||
|
||||
// Clear the old session
|
||||
$_SESSION = array();
|
||||
|
||||
// Set hash in new session
|
||||
$_SESSION['hash'] = $pwhash;
|
||||
|
||||
// Set persistent cookie if selected
|
||||
if (isset($_POST['persistentlogin'])) {
|
||||
// setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
|
||||
setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
|
||||
}
|
||||
|
||||
$_SESSION['auth'] = true;
|
||||
|
||||
// Login successful, redirect the user to the original requested page
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_SERVER['SCRIPT_NAME'] === '/admin/login.php') {
|
||||
header('Location: '.$redirect_url);
|
||||
exit;
|
||||
}
|
||||
} else {
|
||||
$_SESSION['auth'] = false;
|
||||
$validpassword = false;
|
||||
}
|
||||
} elseif (isset($_SESSION['hash'])) {
|
||||
// Compare auth hash with saved hash
|
||||
if (hash_equals($pwhash, $_SESSION['hash'])) {
|
||||
$_SESSION['auth'] = true;
|
||||
}
|
||||
} elseif (isset($api) && isset($_GET['auth'])) {
|
||||
// API can use the hash to get data without logging in via plain-text password
|
||||
if (hash_equals($pwhash, $_GET['auth'])) {
|
||||
$_SESSION['auth'] = true;
|
||||
}
|
||||
|
||||
$auth = true;
|
||||
} else {
|
||||
$wrongpassword = true;
|
||||
}
|
||||
}
|
||||
// Compare auth hash with saved hash
|
||||
elseif (isset($_SESSION['hash'])) {
|
||||
if (hash_equals($pwhash, $_SESSION['hash'])) {
|
||||
$auth = true;
|
||||
}
|
||||
}
|
||||
// API can use the hash to get data without logging in via plain-text password
|
||||
elseif (isset($api, $_GET['auth'])) {
|
||||
if (hash_equals($pwhash, $_GET['auth'])) {
|
||||
$auth = true;
|
||||
// Password or hash wrong
|
||||
$_SESSION['auth'] = false;
|
||||
}
|
||||
} else {
|
||||
// Password or hash wrong
|
||||
$auth = false;
|
||||
// No password set
|
||||
$_SESSION['auth'] = true;
|
||||
}
|
||||
} else {
|
||||
// No password set
|
||||
$auth = true;
|
||||
|
||||
return $validpassword;
|
||||
}
|
||||
|
||||
$wrongpassword = !verifyPassword($pwhash);
|
||||
$auth = $_SESSION['auth'];
|
||||
|
||||
Reference in New Issue
Block a user