-
Notifications
You must be signed in to change notification settings - Fork 0
/
login.php
116 lines (101 loc) · 4.09 KB
/
login.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
<?php
// Start the session
session_start();
require 'config.php';
$message = '';
// Check if the user is logged in via session or rememberMe cookie
if (isset($_SESSION['user_id'])) {
header('Location: main.php');
exit();
} elseif (isset($_COOKIE['rememberMe'])) {
$pdo = new PDO("mysql:host=$host;dbname=$dbname", $db_username, $db_password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Validate rememberMe cookie against the database including email verification check
$rememberToken = $_COOKIE['rememberMe'];
$userStmt = $pdo->prepare("SELECT id, username FROM users WHERE remember_token = ? AND email_verified = TRUE");
$userStmt->execute([$rememberToken]);
$userDetails = $userStmt->fetch();
if ($userDetails) {
// Set session variables and redirect to main.php
$_SESSION['user_id'] = $userDetails['id'];
$_SESSION['username'] = $userDetails['username'];
header('Location: main.php');
exit();
}
}
// CSRF token generation
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
if (isset($_POST['login'])) {
// CSRF token validation
if (!isset($_POST['csrf_token']) || trim($_POST['csrf_token']) !== $_SESSION['csrf_token']) {
$message = "CSRF token mismatch.";
} else {
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$password = trim($_POST['password']); // Trim password input
$rememberMe = isset($_POST['rememberMe']);
// Trim username input
$username = trim($username);
$pdo = new PDO("mysql:host=$host;dbname=$dbname", $db_username, $db_password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$username]);
$user = $stmt->fetch();
if ($user && password_verify($password, $user['password'])) {
if (!$user['email_verified']) {
$message = "Please verify your email address before logging in.";
} else {
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];
if ($rememberMe) {
$rememberToken = bin2hex(random_bytes(16));
// Set cookie with secure and httponly flags
setcookie('rememberMe', $rememberToken, time() + 86400 * 30, '/', '', true, true);
$updateStmt = $pdo->prepare("UPDATE users SET remember_token = ? WHERE id = ?");
$updateStmt->execute([$rememberToken, $user['id']]);
}
header("Location: main.php");
exit();
}
} else {
$message = "Invalid username or password.";
}
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>To Do Login Page</title>
<link rel="stylesheet" href="stylesheet.css">
</head>
<body>
<div class="login-form">
<h2>To Do Login Page</h2>
<form action="" method="post">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" required>
<div class="remember-me">
<input type="checkbox" name="rememberMe" id="rememberMe">
<label for="rememberMe">Remember Me</label>
</div>
<button type="submit" name="login">Login</button>
</form>
<div class="forgot-password">
<a href="forgot_password.php" class="btn">Forgot Password?</a>
</div>
<div class="register">
<a href="register.php" class="btn">Register</a>
</div>
<?php if ($message): ?>
<div class="message error">
<?php echo $message; ?>
</div>
<?php endif; ?>
</div>
</body>
</html>