function session_verify_fingerprint()
{
if (empty($_SESSION["userid"])) {
return false;
}
return $_SESSION["fingerprint"] == session_create_fingerprint();
}
if (!empty($_SESSION["userid"])) {
header("Location: {$successpage}");
} elseif ($_SERVER['REQUEST_METHOD'] == "POST") {
if (!empty($_POST["username"]) && !empty($_POST["password"])) {
$dbh = db_connect();
$sql = "SELECT id, \"user\", hash, salt, name, admin FROM users WHERE \"user\" = :username";
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(":username" => $_POST["username"]));
$data = $sth->fetch(PDO::FETCH_ASSOC);
if ($data && hash("sha256", $_POST["password"] . $data["salt"]) == $data["hash"]) {
$_SESSION["userid"] = $data["id"];
$_SESSION["username"] = $data["user"];
$_SESSION["usernick"] = $data[$data["name"] ? "name" : "user"];
$_SESSION["useradmin"] = $data["admin"];
$_SESSION["salt"] = hash("sha256", $_SERVER["REQUEST_TIME"]);
$_SESSION["fingerprint"] = session_create_fingerprint();
if (array_key_exists("redirectto", $_GET)) {
header("Location: " . rawurldecode($_GET["redirectto"]));
} elseif (array_key_exists("backto", $_SESSION)) {
header("Location: " . $_SESSION["backto"]);
} elseif (array_key_exists("HTTP_REFERER", $_SERVER)) {
header("Location: " . rawurldecode($_SERVER["HTTP_REFERER"]));
} else {
header("Location: {$successpage}");
}
} else {
$error = _("Incorrect username or password");
error_log("[" . date('d/M/Y:H:i:s O') . "] authentication failure: [client: " . $_SERVER['REMOTE_ADDR'] . "] [user: "******"]\n", 3, "/var/log/taxidi.log");
}
} else {
$error = _("Form not completed");