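/**
 * Check that the current session's stored fingerprint still matches the
 * fingerprint derived from the current request (see session_create_fingerprint()).
 *
 * Returns false when no user is logged in, when the session has no stored
 * fingerprint, or when the stored and recomputed fingerprints differ.
 *
 * @return bool true only for an authenticated session whose fingerprint matches
 */
function session_verify_fingerprint(): bool
{
    // A session without an authenticated user id has nothing to verify.
    if (empty($_SESSION["userid"])) {
        return false;
    }

    // A logged-in session that never stored a fingerprint is treated as
    // unverified instead of raising an undefined-index notice below.
    if (!isset($_SESSION["fingerprint"])) {
        return false;
    }

    // Strict, constant-time comparison. The original `==` allowed PHP type
    // juggling between the two values (e.g. numeric-string coercion), which
    // can make non-identical fingerprints compare as equal.
    return hash_equals(
        (string) $_SESSION["fingerprint"],
        (string) session_create_fingerprint()
    );
}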
if (!empty($_SESSION["userid"])) { header("Location: {$successpage}"); } elseif ($_SERVER['REQUEST_METHOD'] == "POST") { if (!empty($_POST["username"]) && !empty($_POST["password"])) { $dbh = db_connect(); $sql = "SELECT id, \"user\", hash, salt, name, admin FROM users WHERE \"user\" = :username"; $sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); $sth->execute(array(":username" => $_POST["username"])); $data = $sth->fetch(PDO::FETCH_ASSOC); if ($data && hash("sha256", $_POST["password"] . $data["salt"]) == $data["hash"]) { $_SESSION["userid"] = $data["id"]; $_SESSION["username"] = $data["user"]; $_SESSION["usernick"] = $data[$data["name"] ? "name" : "user"]; $_SESSION["useradmin"] = $data["admin"]; $_SESSION["salt"] = hash("sha256", $_SERVER["REQUEST_TIME"]); $_SESSION["fingerprint"] = session_create_fingerprint(); if (array_key_exists("redirectto", $_GET)) { header("Location: " . rawurldecode($_GET["redirectto"])); } elseif (array_key_exists("backto", $_SESSION)) { header("Location: " . $_SESSION["backto"]); } elseif (array_key_exists("HTTP_REFERER", $_SERVER)) { header("Location: " . rawurldecode($_SERVER["HTTP_REFERER"])); } else { header("Location: {$successpage}"); } } else { $error = _("Incorrect username or password"); error_log("[" . date('d/M/Y:H:i:s O') . "] authentication failure: [client: " . $_SERVER['REMOTE_ADDR'] . "] [user: "******"]\n", 3, "/var/log/taxidi.log"); } } else { $error = _("Form not completed");