thies/loginpagefoo
Template
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

maybe sometime else

Browse Source
This commit is contained in:
Thies Mueller
2021-01-08 21:09:12 +01:00
parent f71513d616
commit bec02fa297
2 changed files with 0 additions and 160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
passwordchange.php
View File

@@ -1,79 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
<title>Change Password</title>
</head>
<body>
<?php
$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
if(!isset($_GET['userid']) || !isset($_GET['code'])) {
die('No code delivered. nothing to do here.<meta http-equiv="refresh" content="1; URL=secondauth.php">');
}
$userid = $_GET['userid'];
$code = $_GET['code'];
$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
$result = $statement->execute(array('userid' => $userid));
$user = $statement->fetch();
//check if theres a code for the user delivered
if($user === null || $user['passwordcode'] === null) {
die('No User matching your request.<meta http-equiv="refresh" content="1; URL=profile.php">');
}
if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
die('Ooops. This code isnt valid anymore.<meta http-equiv="refresh" content="1; URL=profile.php">');
}
if(sha1($code) != $user['passwordcode']) {
die('<meta http-equiv="refresh" content="0; URL=/">');
}
if(isset($_GET['send'])) {
$password = $_POST['password'];
$password_confirm = $_POST['password_confirm'];
//regexes for passvalidation:
$REuppercase = preg_match('@[A-Z]@', $password);
$RElowercase = preg_match('@[a-z]@', $password);
$REnumber = preg_match('@[0-9]@', $password);
$REspecialChars = preg_match('@[^\w]@', $password);
if($password != $password_confirm) {
echo "password or confirmed password wrong";
}
if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
echo '<color="red">Password needs to be more complex.</color><br />';
echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i><br />';
$error = true;
} else {
$passwordhash = password_hash($password, PASSWORD_DEFAULT);
$statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
$result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
if($result) {
die('Changed password. Going to <a href="login.php">login</a> now.<meta http-equiv="refresh" content="1; URL=login.php?userid='.$user['id'].'&code='.$passwordcode">');
}
}
}
?>
<script src="ressources/js/bootstrap.min.js"></script>
<h1>Set new password</h1>
<form action="?send=1&amp;userid=<?php echo htmlentities($userid); ?>&amp;code=<?php echo htmlentities($code); ?>" method="post">
<div class="form-group">
<label for="password">New Password</label>
<input type="password" id="password" class="form-control" name="password"><br><br>
</div>
<div class=form-group>
<label for="password_confirm">Confirm new Password</label>
<input type="password" id="password" class="form-control" name="password_confirm"><br><br>
</div>
<button type="submit" class="btn btn-primary">Submit new password</button>
</form>

81
secondauth.php
View File

@@ -1,81 +0,0 @@
<?php
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
function random_string() {
if(function_exists('random_bytes')) {
$bytes = random_bytes(16);
$str = bin2hex($bytes);
} else if(function_exists('openssl_random_pseudo_bytes')) {
$bytes = openssl_random_pseudo_bytes(16);
$str = bin2hex($bytes);
} else if(function_exists('mcrypt_create_iv')) {
$bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$str = bin2hex($bytes);
} else {
//this should be a unique string. if we use this in prod we should change this.
$str = md5(uniqid('thisisnotreallyrandombutthisstringheresomakethislongandmaybewith12345numberskthxbye', true));
}
return $str;
}
$passwordcode = random_string();
$statement = $pdo->prepare("UPDATE users SET passwordcode = :passwordcode, passwordcode_time = NOW() WHERE id = :userid");
$result = $statement->execute(array('passwordcode' => sha1($passwordcode), 'userid' => $user['id']));
if(isset($_GET['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$result = $statement->execute(array('username' => $username));
$user = $statement->fetch();
if ($user !== false && password_verify($password, $user['password'])) {
$_SESSION['userid'] = $user['id'];
$_SESSION['email'] = $user['email'];
$_SESSION['username'] = $user['username'];
$_SESSION['givenName'] = $user['givenName'];
$_SESSION['lastName'] = $user['lastName'];
die('successfull. please wait. youll be forwarded! <meta http-equiv="refresh" content="0; URL=passwordchange.php">');
} else {
$errorMessage = "somethings wrong (maybe wrong password or invalid session)<br>";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
<title>2nd Auth</title>
</head>
<body>
<?php
if(isset($errorMessage)) {
echo $errorMessage;
}
?>
<script src="ressources/js/bootstrap.min.js"></script>
<h3 class="display-5">You want to change your password? Please prove that you know your old password first!</h5>
<form action="?login=1" method="post">
<div class="form-group">
<label for="username">Username</label>
<input type="text" class="form-control" size="40" id="username" placeholder="Username" name="username" ><br><br>
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" class="form-control" size="40" id="password" placeholder="Password" name="password"><br>
</div>
<button type="submit" class="btn btn-primary">Login</button>
</form>
<br />
<br />
<a href="forgotpass.php"><button class="btn btn-warning">I forgot my password</button></a>
<br /> <br />
</body>
</html>