Added more protection against session theft
This commit is contained in:
parent
8db64004ca
commit
243e9b045f
|
@ -35,6 +35,11 @@ if (password_verify($input->password, $password)) {
|
||||||
|
|
||||||
$_SESSION['id'] = $id;
|
$_SESSION['id'] = $id;
|
||||||
$_SESSION['type'] = $type;
|
$_SESSION['type'] = $type;
|
||||||
|
|
||||||
|
$randomSecret = base64_encode(openssl_random_pseudo_bytes(32));
|
||||||
|
$_SESSION['secret'] = $randomSecret;
|
||||||
|
|
||||||
|
setcookie("authSecret", $randomSecret, 0, "/", "", false, true);
|
||||||
} else {
|
} else {
|
||||||
$retval['status'] = "fail";
|
$retval['status'] = "fail";
|
||||||
}
|
}
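Review bot: The secret on the `$randomSecret` line is produced by `openssl_random_pseudo_bytes()` without checking its by-reference strong-result flag; `random_bytes(32)` is the CSPRNG the PHP core guarantees and it throws instead of degrading, so `$randomSecret = base64_encode(random_bytes(32));`. The `setcookie` call passes `false` for the `secure` argument, so on an HTTPS deployment the cookie would still be sent on plain-HTTP requests to the same host, and no `SameSite` attribute is set (the options-array form of `setcookie`, available since PHP 7.3, accepts `'samesite' => 'Strict'` alongside `'secure'` and `'httponly'`). Because this cookie is stored on the client next to the session id cookie with the same attributes, a client-side theft that takes the session cookie takes this one too, so the added check mainly helps when the session id alone is exposed (fixation, logged URLs); a `session_regenerate_id(true)` at this point would close the fixation case directly. The enclosing `if (password_verify(...))` begins outside the hunk.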
|
||||||
|
|
|
@ -18,7 +18,14 @@
|
||||||
|
|
||||||
session_start();
|
session_start();
|
||||||
|
|
||||||
if(!isset($_SESSION['id'])) {
|
|
||||||
|
if(
|
||||||
|
!isset($_SESSION['id']) ||
|
||||||
|
!isset($_SESSION['secret']) ||
|
||||||
|
!isset($_COOKIE['authSecret']) ||
|
||||||
|
$_SESSION['secret'] !== $_COOKIE['authSecret']
|
||||||
|
) {
|
||||||
header('Location: index.php');
|
header('Location: index.php');
|
||||||
|
session_destroy();
|
||||||
exit();
|
exit();
|
||||||
}
|
}
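Review bot: The comparison `$_SESSION['secret'] !== $_COOKIE['authSecret']` is a plain string compare of a secret; the idiom for secret comparison is `hash_equals()`, which requires both operands to be strings, so a guard is needed because a cookie sent as `authSecret[]=...` arrives as an array: `!is_string($_COOKIE['authSecret']) ||` followed by `!hash_equals($_SESSION['secret'], $_COOKIE['authSecret'])`. On the failure path, `session_destroy()` invalidates the server-side data but leaves both the `authSecret` cookie and the session id cookie on the client; expiring `authSecret` here the way the logout page in this same commit does would keep the two paths consistent. The file this hunk belongs to is not named in the view; from the `session_start()` at its top and the `require_once 'lib/session.php'` elsewhere in the commit it is presumably lib/session.php.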
|
|
@ -17,6 +17,7 @@ limitations under the License.
|
||||||
<?php
|
<?php
|
||||||
require_once 'lib/session.php';
|
require_once 'lib/session.php';
|
||||||
session_destroy();
|
session_destroy();
|
||||||
|
setcookie("authSecret", "", 1, "/", "", false, true);
|
||||||
?>
|
?>
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
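Review bot: `session_destroy()` on the line before the new `setcookie` call removes the server-side session data but neither clears `$_SESSION` for the rest of this request nor expires the PHP session id cookie, so the browser keeps its old session id, and unless `session.use_strict_mode` is enabled PHP will accept that id again on the next `session_start()`. The manual's pattern for `session_destroy()` is to reset the array and expire the session cookie with the parameters it was set with (`session_get_cookie_params()`) before destroying; the new `authSecret` line already clears its cookie with the same path and flags it was set with, which is right, and a short comment such as `// expire the cookie paired with $_SESSION['secret']` would explain why a second cookie is cleared here.
```php
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
// expire the cookie paired with $_SESSION['secret']
setcookie("authSecret", "", 1, "/", "", false, true);
```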
|
||||||
|
|