
Added secondary security login with double password

This commit is contained in:
Bryan 2019-06-06 00:59:20 +02:00
parent ea4becd52d
commit 6c50b051bc
No known key found for this signature in database
GPG Key ID: 6CB4C49B61AD50EF
2 changed files with 19 additions and 11 deletions


@ -1,7 +1,7 @@
function login ( ) { function login ( ) {
var username = document.getElementById ( "form-username" ).value; var username = document.getElementById ( "form-username" ).value;
var password = document.getElementById ( "form-password" ).value; var password = document.getElementById ( "form-password" ).value;
password = SHA512 ( password ); hashedpassword = SHA512 ( password );
var xhr = new XMLHttpRequest ( ); var xhr = new XMLHttpRequest ( );
xhr.open ( "POST", 'login', true ); xhr.open ( "POST", 'login', true );
xhr.onreadystatechange = function ( ) { xhr.onreadystatechange = function ( ) {
@ -24,6 +24,7 @@ function login ( ) {
data = new FormData ( ); data = new FormData ( );
data.append('username', username); data.append('username', username);
data.append('password', password); data.append('password', password);
data.append('hashedpassword', hashedpassword);
xhr.send( data ); xhr.send( data );
} }
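Review bot: `hashedpassword = SHA512 ( password );` on the new side assigns an identifier that is never declared, so the hash leaks into the global scope (and the line throws a ReferenceError if the script ever runs under `'use strict'`); it should read `var hashedpassword = SHA512 ( password );` to match the surrounding declarations. Because `password` is no longer overwritten, the unchanged `data.append('password', password);` now sends the cleartext password alongside the hash, and the hash adds no protection since both values are computed on the client from the same input. Only the transport keeps the password confidential in flight, so the client-side hash and the extra `hashedpassword` field can be dropped once the server verifies the password itself. The body of login runs between the two hunks shown and is not fully visible here.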


@ -7,16 +7,8 @@
include ( 'lib/php/forgot.php' ); include ( 'lib/php/forgot.php' );
exit; exit;
} }
if ( isset ( $_POST [ 'username' ] ) && isset ( $_POST [ 'password' ] ) ) { if ( isset ( $_POST [ 'username' ] ) && isset ( $_POST [ 'password' ] ) && isset ( $_POST [ 'hashedpassword' ] ) ) {
$username = $_POST [ 'username' ]; function wrong_credentials ( ) {
$password = $_POST [ 'password' ];
$database = new Database ( $config [ 'db' ] );
$database->connect ( );
$database->prepare ( "SELECT users.id FROM users WHERE users.username = :username AND users.password = :password" );
$database->bind ( [ ':username' => $username, ':password' => $password ] );
$database->execute ( );
$result = $database->get_result ( );
if ( $result->rowCount ( ) == 0 ) {
header ( 'Content-Type: application/json' ); header ( 'Content-Type: application/json' );
http_response_code ( 401 ); http_response_code ( 401 );
$response = [ $response = [
@ -26,6 +18,21 @@
echo ( json_encode ( $response ) ); echo ( json_encode ( $response ) );
exit; exit;
} }
$username = $_POST [ 'username' ];
$password = $_POST [ 'password' ];
$hashedpassword = $_POST [ 'hashedpassword' ];
if ( strcasecmp ( hash ( "sha512", $password ), $hashedpassword ) != 0 ) {
wrong_credentials ( );
}
$database = new Database ( $config [ 'db' ] );
$database->connect ( );
$database->prepare ( "SELECT users.id FROM users WHERE users.username = :username AND users.password = :password" );
$database->bind ( [ ':username' => $username, ':password' => strtoupper ( $hashedpassword ) ] );
$database->execute ( );
$result = $database->get_result ( );
if ( $result->rowCount ( ) == 0 ) {
wrong_credentials ( );
}
else { else {
$row = $result->fetchAll ( ) [ 0 ]; $row = $result->fetchAll ( ) [ 0 ];
$_SESSION [ 'user_id' ] = $row [ 'id' ]; $_SESSION [ 'user_id' ] = $row [ 'id' ];
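Review bot: The new cross-check `if ( strcasecmp ( hash ( "sha512", $password ), $hashedpassword ) != 0 )` does not add a second factor: the client derives `hashedpassword` from the same `password` it now submits in clear, so any caller who can post the form can satisfy both fields, and `strcasecmp` is not a constant-time comparison (`hash_equals` is). More important is what the lookup below it implies: binding `strtoupper ( $hashedpassword )` against `users.password` suggests the table holds unsalted SHA-512 hex, which is fast to crack offline if the table ever leaks. I would look the user up by username only and verify with `password_verify` against a `password_hash` value, which makes the client-side hash and the `hashedpassword` field unnecessary; existing rows would need migrating, and the `else` branch continues past the hunk.
```php
$database->prepare ( "SELECT users.id, users.password FROM users WHERE users.username = :username" );
$database->bind ( [ ':username' => $username ] );
$database->execute ( );
$result = $database->get_result ( );
$rows = $result->fetchAll ( );
// NOTE(review): assumes users.password stores a password_hash() value — existing rows must be migrated
if ( count ( $rows ) == 0 || ! password_verify ( $password, $rows [ 0 ] [ 'password' ] ) ) {
	wrong_credentials ( );
}
else {
	$row = $rows [ 0 ];
	// … unchanged: session assignment …
```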