  1. <?php
  2. function sec_session_start() {
  3. $session_name = 'COOKIENAME'; // Set a custom session name
  4. $secure = SECURE;
  5. // This stops JavaScript being able to access the session id.
  6. $httponly = true;
  7. // Forces sessions to only use cookies.
  8. if (ini_set('session.use_only_cookies', 1) === FALSE) {
  9. header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
  10. exit();
  11. }
  12. // Gets current cookies params.
  13. $cookieParams = session_get_cookie_params();
  14. session_set_cookie_params($cookieParams["lifetime"],
  15. $cookieParams["path"],
  16. $cookieParams["domain"],
  17. $secure,
  18. $httponly);
  19. // Sets the session name to the one set above.
  20. session_name($session_name);
  21. session_start(); // Start the PHP session
  22. session_regenerate_id(); // regenerated the session, delete the old one.
  23. }
  24. ?>
  25.  
  26. function login($email, $password, $mysqli) {
  27. // Using prepared statements means that SQL injection is not possible.
  28. if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
  29. FROM members
  30. WHERE email = ?
  31. LIMIT 1")) {
  32. $stmt->bind_param('s', $email); // Bind "$email" to parameter.
  33. $stmt->execute(); // Execute the prepared query.
  34. $stmt->store_result();
  35.  
  36. // get variables from result.
  37. $stmt->bind_result($user_id, $username, $db_password, $salt);
  38. $stmt->fetch();
  39.  
  40. // hash the pasword with the unique salt.
  41. $password = hash('sha512', $password . $salt);
  42. if ($stmt->num_rows == 1) {
  43. // If the user exists we check if the account is locked
  44. // from too many login attempts
  45.  
  46. if (checkbrute($user_id, $mysqli) == true) {
  47. // Account is locked
  48. // Send an email to user saying their account is locked
  49. return false;
  50. } else {
  51. // Chec k if the password in the database matches
  52. // the password the user submitted.
  53. if ($db_password == $password) {
  54. // Password is correct!
  55. // Get the user-agent string of the user.
  56. $user_browser = $_SERVER['HTTP_USER_AGENT'];
  57. // XSS protection as we might print this value
  58. $user_id = preg_replace("/[^0-9]+/", "", $user_id);
  59. $_SESSION['user_id'] = $user_id;
  60. // XSS protection as we might print this value
  61. $username = preg_replace("/[^a-zA-Z0-9_-]+/",
  62. "",
  63. $username);
  64. $_SESSION['username'] = $username;
  65. $_SESSION['login_string'] = hash('sha512',
  66. $password . $user_browser);
  67. // Login successful.
  68. return true;
  69. } else {
  70. // Password is not correct
  71. // We record this attempt in the database
  72. $now = time();
  73. $mysqli->query("INSERT INTO login_attempts(user_id, time)
  74. VALUES ('$user_id', '$now')");
  75. return false;
  76. }
  77. }
  78. } else {
  79. // No user exists.
  80. return false;
  81. }
  82. }