<?php
// psl-config.php is expected to supply the SECURE constant read by sec_session_start() below.
include_once 'psl-config.php';

  4. function sec_session_start() {
  5.     $session_name = 'sec_session_id'; //sets a custom session name
  6.     $secure = SECURE;
  7.     //This stops JavaScript being able to access the session id.
  8.     $httponly = true;
  9.     //Forces sessions to only use cookies.
  10.     if (ini_set('session.use_only_cookies', 1) === FALSE) {
  11.         header("Location: ../error.php?err=Could notinitiate a safe session (ini_set)");
  12.         exit();
  13.     }
  14.     //gets current cookies params
  15.     $cookieParams = session_get_cookie_params();
  16.     session_set_cookie_params($cookieParams["lifetime"],
  17.                               $cookieParams["path"],
  18.                               $cookieParams["domain"],
  19.                               $secure,
  20.                               $httponly);
  21.     //Sets the session name to the one set above.
  22.     session_name($session_name);
  23.     session_start(); // Start the php session
  24.     session_regenerate_id(true); //regenerated the session, delete the old one.
  25. }
  26. function login($email, $password, $mysqli) {
  27.     //using prepared statements means that sql injection is not possible
  28.     if ($stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1")) {
  29.         $stmt->bind_param('s', $email); //bind "$email" to parameter
  30.         $stmt->execute(); //execute the prepared query
  31.         $stmt->store_result();
  32.        
  33.         //get variables from result.
  34.         $stmt->bind_result($user_id, $username, $db_password, $salt);
  35.         $stmt->fetch();
  36.        
  37.         //hash the password with the unique salt
  38.         $password = hash('sha512', $password . $salt);
  39.         if ($stmt->num_rows == 1) {
  40.             //if the user exists we check if the account is locked from too many attempts
  41.             if (checkbrute($user_id, $mysqli) == true) {
  42.                 //account is locked
  43.                 //send an email to user saying account is locked
  44.                 return false;
  45.             }
  46.             else {
  47.                 //check if the password in the database matches the submitted password
  48.                 if ($db_password == $password) {
  49.                     //password is correct
  50.                     //get the user-agent string of the user.
  51.                     $user_browser = $_SERVER['HTTP_USER_AGENT'];
  52.                     //xss protection as we might print this value
  53.                     $username = preg_replace("/[^a-zA-Z0-9_\-]+/", $username);
  54.                     $_SESSION['username'] = $username;
  55.                     $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
  56.                     //login succesful
  57.                 }
  58.                 else {
  59.                     //password is not correct
  60.                     //we record this attempt in the database
  61.                     $now = time();
  62.                     $mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')");
  63.                     return false;
  64.                 }
  65.         else {
  66.             //no user exists
  67.             return false;
  68.         }
  69.             }
  70.         }
  71.     }
  72. }