- <?php
- include_once 'psl-config.php';
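/**
 * Start a hardened PHP session.
 *
 * Forces cookie-only session IDs (no session ID in the URL), marks the
 * session cookie HttpOnly, and sets its Secure flag from the SECURE
 * constant supplied by psl-config.php. If the ini option or session_start()
 * fails, the client is redirected to error.php and the script exits.
 *
 * @return void
 */
function sec_session_start() {
    $session_name = 'sec_session_id'; // custom cookie name instead of PHPSESSID
    $secure = SECURE;                  // Secure flag (HTTPS only) - defined in psl-config.php
    $httponly = true;                  // cookie not readable from JavaScript

    // Refuse to continue if the session ID could be carried in the URL.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }

    // Keep the configured lifetime/path/domain; override only the security flags.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                              $cookieParams["path"],
                              $cookieParams["domain"],
                              $secure,
                              $httponly);
    // NOTE(review): no SameSite attribute is set here. On PHP >= 7.3 the
    // array form of session_set_cookie_params() accepts 'samesite' => 'Lax'
    // (or 'Strict'), which reduces CSRF exposure of this cookie.

    session_name($session_name);
    if (session_start() === FALSE) {
        // The original ignored this return value and ran on without a session.
        header("Location: ../error.php?err=Could not initiate a safe session (session_start)");
        exit();
    }

    // Rotate the session ID and delete the old session file (session fixation defence).
    // NOTE(review): rotating on *every* request can lose the session when
    // concurrent requests race (e.g. parallel AJAX calls). Rotating once at
    // login / privilege change is the safer pattern; kept as-is to preserve
    // the existing behaviour.
    session_regenerate_id(true);
}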
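/**
 * Authenticate a user by e-mail and password and populate the session.
 *
 * Looks the account up with a prepared statement, refuses to authenticate
 * while checkbrute() reports the account as locked, compares the salted
 * SHA-512 digest in constant time, and on success stores the sanitised
 * username plus a user-agent-bound login string in $_SESSION. A failed
 * password attempt is recorded in login_attempts.
 *
 * Fixes relative to the original: the success path now returns true (it
 * previously fell through and returned null, so a correct password never
 * logged anyone in); the dangling `else` after the password `else` is
 * removed (parse error); preg_replace() gets its missing replacement
 * argument; the hash comparison uses hash_equals() instead of `==`.
 *
 * @param string $email    Submitted e-mail address (untrusted).
 * @param string $password Submitted plaintext password (untrusted).
 * @param mysqli $mysqli   Open database connection.
 * @return bool true on successful login, false otherwise (including when
 *              prepare() fails).
 */
function login($email, $password, $mysqli) {
    // SECURITY(review): sha512(password . salt) is a fast hash and is not
    // the recommended way to store passwords; password_hash()/password_verify()
    // should replace it. That requires rehashing every stored password
    // (schema/migration), so the scheme is left unchanged here.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email); // parameterised: $email cannot inject SQL
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        // No such account.
        return false;
    }

    // Account locked from too many failed attempts (checkbrute() is defined elsewhere).
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }

    // Hash the submitted password with the account's salt.
    $password = hash('sha512', $password . $salt);

    // hash_equals(): constant-time and strict. The original `==` would treat
    // two hex digests such as "0e123..." and "0e456..." as numerically equal.
    if (!hash_equals((string) $db_password, $password)) {
        // Record the failed attempt. $user_id comes from the DB and $now from
        // time(), but bind them rather than interpolating into the SQL string.
        $now = time();
        if ($ins = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
            $ins->bind_param('ii', $user_id, $now);
            $ins->execute();
            $ins->close();
        }
        return false;
    }

    // Password correct: bind the session to this user-agent string.
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Restrict the username to a safe character set since it may be echoed later
    // (the original call was missing the "" replacement argument).
    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    return true;
}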