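/**
 * Authenticates a user by email + password and, on success, establishes the
 * logged-in session state.
 *
 * @param string $email Untrusted email from the login form; rejected unless it
 *                      passes FILTER_VALIDATE_EMAIL.
 * @param string $pass  Untrusted cleartext password from the login form.
 * @return bool         true on successful login, false on any failure. All
 *                      failures look the same to the caller on purpose (no
 *                      "unknown user" vs "wrong password" distinction).
 *
 * Side effects on success: the session ID is regenerated, $_SESSION['email'],
 * $_SESSION['permissions'] and $_SESSION['user_v'] are written, and the 'v'
 * cookie is sent to the browser.
 */
function loginEmailPass($email, $pass) {
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return false;
    }

    // Parameterised lookup via the %s placeholder; $email is never
    // interpolated into the query string.
    $row = DB::queryFirstRow(
        'SELECT email, passhash, permissions, salt FROM users WHERE email=%s',
        $email
    );
    if (!$row) {
        return false;
    }

    // Recompute the salted/stretched hash for the supplied password and
    // compare it with the stored one. Known (stored) value goes first, as
    // with hash_equals().
    // NOTE(review): hashEquals is a project helper; confirm it is a
    // constant-time comparison, otherwise this leaks timing information.
    $candidate = saltyStretchyHash($pass, $row['salt']);
    if (!hashEquals($row['passhash'], $candidate)) {
        return false;
    }

    // The privilege level changes here (anonymous -> authenticated), so swap
    // the session ID before storing the identity. Without this, a session ID
    // an attacker planted or observed before login stays valid afterwards
    // (session fixation). The old session file is deleted (true).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    $_SESSION['email'] = $row['email'];
    $_SESSION['permissions'] = $row['permissions'];
    // NOTE(review): genRandStr() must use a CSPRNG for this to be unguessable.
    $_SESSION['user_v'] = genRandStr();

    // Session-binding token that the browser passes back and that is verified
    // against $_SESSION['user_v'] elsewhere in this file. Send it HttpOnly so
    // injected script cannot read it, and Secure when this request arrived
    // over TLS. Expiry, path and domain stay at their defaults as before.
    // (If client-side script ever needs to read this cookie, HttpOnly has to
    // go; the original code gives no indication that it does.)
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie('v', $_SESSION['user_v'], 0, '', '', $secure, true);

    return true;
}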
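/**
 * Validates the single-use CSRF token for the current request.
 *
 * Compares the submitted $_POST['ver'] against the token kept in
 * $_SESSION['ver'], then erases both so the token can be checked at most once
 * per request whatever the outcome (a wrong guess burns it as well).
 *
 * The verdict is memoised in a static local, so every call within the same
 * request returns the same answer even though the token has already been
 * removed. Previously a failed check left the static at NULL and re-ran the
 * (now always-failing) comparison on each call; it now caches false.
 *
 * @return bool true if the submitted token matched the session token,
 *              false otherwise (missing token on either side counts as false).
 */
function csrfVerify() {
    static $valid = null;
    if ($valid !== null) {
        return $valid;
    }

    // Both sides must exist as strings before comparing: a missing POST field
    // or an absent session token is a failed check, not an undefined-index
    // notice and not a non-string argument handed to hashEquals().
    $expected  = isset($_SESSION['ver']) ? $_SESSION['ver'] : null;
    $submitted = isset($_POST['ver']) ? $_POST['ver'] : null;

    // Known (session) value first, matching hash_equals() argument order and
    // the convention used by loginEmailPass().
    $valid = is_string($expected) && $expected !== ''
        && is_string($submitted)
        && hashEquals($expected, $submitted);

    // Single use: discard regardless of the result so the token can be
    // neither replayed nor brute-forced by repeated submissions.
    unset($_POST['ver'], $_SESSION['ver']);

    return $valid;
}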