remember.php
<?php
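// Remember-me auto-login: runs only when no user is logged in and the browser
// sent a "rememberme" cookie.
//   Cookie format (f1):   authentificator1 . "," . bin2hex(authentificator2)
//   Stored verifier (f2): hash('sha256', authentificator2)
// $link (the mysqli connection) and the session are not set up in this file;
// they are assumed to come from the including script.
if (!isset($_SESSION['user_id']) && !empty($_COOKIE['rememberme'])) {
    // The cookie is client-controlled. Require a string of the form
    // "<selector>,<even-length hex>" before any part of it is used, so that
    // list() and hex2bin() never see malformed input.
    $cookieParts = is_string($_COOKIE['rememberme'])
        ? explode(',', $_COOKIE['rememberme'])
        : array();
    if (count($cookieParts) !== 2
        || $cookieParts[0] === ''
        || strlen($cookieParts[1]) % 2 !== 0
        || !preg_match('/\A[0-9a-fA-F]+\z/', $cookieParts[1])
    ) {
        echo '<div class="alert alert-danger">Remember me process failed!</div>';
        exit;
    }
    list($authentificator1, $authentificator2) = $cookieParts;
    $authentificator2 = hex2bin($authentificator2);
    $f2authentificator2 = hash('sha256', $authentificator2);
    // Kept so the presented token can be invalidated once it has been used.
    $oldAuthentificator1 = $authentificator1;

    // Look for authentificator1 in the rememberme table. The value comes
    // straight from the cookie, so it is bound as a parameter instead of being
    // interpolated into the SQL text.
    $result = false;
    $stmt = mysqli_prepare($link, "SELECT * FROM rememberme WHERE authentificator1 = ?");
    if ($stmt
        && mysqli_stmt_bind_param($stmt, 's', $authentificator1)
        && mysqli_stmt_execute($stmt)
    ) {
        $result = mysqli_stmt_get_result($stmt);
    }
    if (!$result) {
        echo '<div class="alert alert-danger">There was an error running the query.</div>';
        exit;
    }
    $count = mysqli_num_rows($result);
    if ($count !== 1) {
        echo '<div class="alert alert-danger">Remember me process failed!</div>';
        exit;
    }
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);

    // Constant-time comparison of the stored verifier with the one derived
    // from the cookie.
    if (!hash_equals($row['f2authentificator2'], $f2authentificator2)) {
        echo '<div class="alert alert-danger">hash_equals returned false.</div>';
    } else {
        // Honour the expiry stored with the token. Without this check a
        // leaked cookie would stay usable for as long as its row exists.
        $expiresAt = isset($row['expires']) ? strtotime((string) $row['expires']) : false;
        if ($expiresAt !== false && $expiresAt < time()) {
            echo '<div class="alert alert-danger">Remember me process failed!</div>';
            exit;
        }

        // New session identifier for the newly authenticated session, so an
        // identifier known before login cannot be reused afterwards.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        // Generate new authentificators and store them in the cookie and in
        // the rememberme table.
        $lifetime = 1296000; // 15 days, in seconds
        $authentificator1 = bin2hex(openssl_random_pseudo_bytes(10));
        $authentificator2 = openssl_random_pseudo_bytes(20);

        // Guarded so that a second definition (e.g. from another included
        // file) does not abort the request with a redeclaration error.
        if (!function_exists('f1')) {
            function f1($a, $b){
                $c = $a . "," . bin2hex($b);
                return $c;
            }
        }
        if (!function_exists('f2')) {
            function f2($a){
                $b = hash('sha256', $a);
                return $b;
            }
        }

        // HttpOnly keeps the token away from page scripts; Secure is set
        // whenever the current request arrived over HTTPS. Empty path and
        // domain keep the defaults the original call used.
        $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        $cookieValue = f1($authentificator1, $authentificator2);
        setcookie(
            "rememberme",
            $cookieValue,
            time() + $lifetime,
            "",
            "",
            $isHttps,
            true
        );

        // The token that was just presented is single-use: remove its row so
        // the old cookie value cannot be replayed after rotation.
        $stmt = mysqli_prepare($link, "DELETE FROM rememberme WHERE authentificator1 = ?");
        if (!$stmt
            || !mysqli_stmt_bind_param($stmt, 's', $oldAuthentificator1)
            || !mysqli_stmt_execute($stmt)
        ) {
            error_log('rememberme: could not delete the used token row');
        }
        if ($stmt) {
            mysqli_stmt_close($stmt);
        }

        // Store the new pair. The owner is taken from the verified token row:
        // $_SESSION['user_id'] is not set yet on this code path.
        $f2authentificator2 = f2($authentificator2);
        $user_id = $row['user_id'];
        $expiration = date('Y-m-d H:i:s', time() + $lifetime);
        $stmt = mysqli_prepare(
            $link,
            "INSERT INTO rememberme
            (`authentificator1`, `f2authentificator2`, `user_id`, `expires`)
            VALUES
            (?, ?, ?, ?)"
        );
        $result = $stmt
            && mysqli_stmt_bind_param($stmt, 'ssss', $authentificator1, $f2authentificator2, $user_id, $expiration)
            && mysqli_stmt_execute($stmt);
        if ($stmt) {
            mysqli_stmt_close($stmt);
        }
        if (!$result) {
            echo '<div class="alert alert-danger">There was an error storing data to remember you next time.</div>';
        }

        // Log the user in and redirect to notes page
        $_SESSION['user_id'] = $row['user_id'];
        $uid = $row['user_id'];
        $result = false;
        $stmt = mysqli_prepare($link, "SELECT * FROM users WHERE u_id = ?");
        if ($stmt
            && mysqli_stmt_bind_param($stmt, 's', $uid)
            && mysqli_stmt_execute($stmt)
        ) {
            $result = mysqli_stmt_get_result($stmt);
        }
        if (!$result) {
            echo '<div class="alert alert-danger">There was an error running the query.</div>';
            exit;
        }
        $count = mysqli_num_rows($result);
        if ($count !== 1) {
            echo '<div class="alert alert-danger">Remember me process failed!</div>';
            exit;
        }
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        mysqli_stmt_close($stmt);
        $_SESSION['username'] = $row['username'];
        header("location:mainpageloggedin.php");
        // Stop here so nothing else is rendered after the redirect header.
        exit;
    }
}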
?>