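query("DELETE FROM jumi_securitytokens WHERE securitytoken ='$token_neu' AND identifier = '$identifier' ");
    }
    // Tail of the logout routine (its beginning lies above this excerpt): drop the session,
    // expire both remember-me cookies and send the browser to the login page.
    // NOTE(review): $token_neu / $identifier are interpolated into the DELETE above; their
    // origin is outside this excerpt — if they derive from cookies, bind them as parameters
    // the way the lookups below do.
    session_destroy();
    setcookie("identifier", "", time() - (3600 * 24 * 365));
    setcookie("securitytoken", "", time() - (3600 * 24 * 365));
    header("location:../dashboard/login.php");
}

/**
 * Return a 32-character hex string used as a remember-me identifier or security token.
 *
 * CSPRNG sources are tried in order of preference: random_bytes() (PHP >= 7),
 * openssl_random_pseudo_bytes(), then mcrypt_create_iv(MCRYPT_DEV_URANDOM).
 * The final md5(uniqid()) branch is NOT cryptographically secure and only
 * exists for legacy installs that have none of the above.
 *
 * @return string 32 hex characters
 */
function random_string()
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(16));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        return bin2hex(openssl_random_pseudo_bytes(16));
    }
    if (function_exists('mcrypt_create_iv')) {
        return bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
    }
    // Last resort (not a CSPRNG): replace the seed string with a random string of > 12 characters.
    return md5(uniqid('#!af445bsvjke34vas', true));
}

// Cookie attributes shared by the auto-login and login paths below.
// The Secure flag is only set when this request itself arrived over HTTPS; HttpOnly is
// always set so the remember-me token is not readable from script (XSS hardening).
// Path/domain are left at their defaults so the logout routine above still matches them.
$cookie_lifetime = 3600 * 24 * 365; // 1 year of validity
$cookie_secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Automatic login via the remember-me cookies "identifier" and "securitytoken".
// The database stores sha1(securitytoken); the cookie carries the raw token.
// Assumes $db is a mysqli connection (query()/fetch_array() in the original) — TODO confirm.
if ($function == '') {
    if (!isset($_SESSION['userid']) && isset($_COOKIE['identifier']) && isset($_COOKIE['securitytoken'])) {
        $identifier = (string) $_COOKIE['identifier'];
        $securitytoken = (string) $_COOKIE['securitytoken'];

        // $identifier is attacker-controlled cookie data: bind it, never interpolate it.
        $stmt = $db->prepare("SELECT * FROM jumi_securitytokens WHERE identifier = ?");
        $stmt->bind_param('s', $identifier);
        $stmt->execute();
        $securitytoken_row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        $stored_hash = (is_array($securitytoken_row) && isset($securitytoken_row['securitytoken']))
            ? (string) $securitytoken_row['securitytoken']
            : '';

        // Constant-time comparison of the stored hash against the presented token.
        if ($stored_hash === '' || !hash_equals($stored_hash, sha1($securitytoken))) {
            // Unknown identifier or wrong token (possibly a stolen cookie): expire the cookies
            // so the browser does not retry forever, then bounce to the login page.
            // exit is required — without it the rest of the request would run unauthenticated.
            setcookie("identifier", "", time() - $cookie_lifetime, '', '', $cookie_secure, true);
            setcookie("securitytoken", "", time() - $cookie_lifetime, '', '', $cookie_secure, true);
            header("location:../dashboard/login.php");
            exit;
        }

        // Token was correct: rotate it so a captured cookie can only be replayed once.
        $neuer_securitytoken = random_string();
        $token_neu = sha1($neuer_securitytoken);
        $stmt = $db->prepare("UPDATE jumi_securitytokens SET securitytoken = ? WHERE identifier = ?");
        $stmt->bind_param('ss', $token_neu, $identifier);
        $stmt->execute();
        $stmt->close();

        setcookie("identifier", $identifier, time() + $cookie_lifetime, '', '', $cookie_secure, true);
        setcookie("securitytoken", $neuer_securitytoken, time() + $cookie_lifetime, '', '', $cookie_secure, true);

        // Privilege level changes here: issue a fresh session id to defeat session fixation.
        session_regenerate_id(true);
        $_SESSION['angemeldet_bleiben'] = 1;
        $_SESSION['userid'] = $securitytoken_row['uid'];

        // NOTE(review): cur_page is read from the session; if it is ever populated from a
        // request parameter this becomes an open redirect — restrict it to local paths there.
        $redirect = isset($_SESSION['cur_page']) ? (string) $_SESSION['cur_page'] : '';
        if ($redirect != '') {
            header("location:$redirect");
        } else {
            header("location:../dashboard/index.php");
        }
        exit;
    } elseif (!isset($_SESSION['userid'])) {
        // Not logged in and no remember-me cookies: stop here instead of serving the page.
        header("location:../dashboard/login.php");
        exit;
    }
}

// Interactive login. Responds with a "message|***|status" string for the caller.
if ($function == 'login') {
    // Mail is compared case-insensitively (upper-cased on both sides).
    $mail = isset($_POST["mail"]) ? strtoupper((string) $_POST["mail"]) : '';
    $password = isset($_POST["password"]) ? (string) $_POST["password"] : '';
    if ($mail != "") {
        $_SESSION["global_mail"] = $mail;
    }

    if ($mail == "" OR $password == "") {
        echo '
Bitte füllen Sie alle Felder aus!
|***|error';
        exit;
    }

    // $mail is user input: bound parameter instead of string-built SQL.
    $stmt = $db->prepare("SELECT uid, mail, passwort, aktiv FROM jumi_admin WHERE UPPER(mail) = ?");
    $stmt->bind_param('s', $mail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify the password BEFORE looking at the active flag, so that whether an account
    // exists or is deactivated is only revealed to someone who knows its password.
    // Accepts password_hash() hashes as well as the legacy unsalted md5 stored today.
    // NOTE(review): md5 is not an acceptable password hash — migrate jumi_admin.passwort to
    // password_hash() (e.g. rehash on successful login once the column is >= 60 chars wide).
    $password_ok = false;
    if (is_array($row) && $row['mail'] != '') {
        $stored = (string) $row['passwort'];
        if (password_verify($password, $stored)) {
            $password_ok = true;
        } elseif (hash_equals($stored, md5($password))) {
            $password_ok = true;
        }
    }

    if (!$password_ok) {
        echo '
Bitte prüfen Sie Ihre Zugangsdaten
|***|error';
        exit;
    }

    if ($row['aktiv'] == '0') {
        echo '
Ihr Benutzeraccount ist inaktiv.
|***|error';
        exit;
    }

    $uid = $row['uid'];

    // Fresh session id on successful authentication (session fixation).
    session_regenerate_id(true);

    // Does the user want to stay logged in? Issue a remember-me identifier/token pair.
    if (isset($_POST['angemeldet_bleiben']) && $_POST['angemeldet_bleiben'] == 1) {
        $identifier = random_string();
        $securitytoken = random_string();
        $token_neu = sha1($securitytoken); // only the hash is persisted
        $stmt = $db->prepare("INSERT INTO jumi_securitytokens (uid, identifier, securitytoken) VALUES (?, ?, ?)");
        $stmt->bind_param('sss', $uid, $identifier, $token_neu);
        $stmt->execute();
        $stmt->close();

        setcookie("identifier", $identifier, time() + $cookie_lifetime, '', '', $cookie_secure, true);
        setcookie("securitytoken", $securitytoken, time() + $cookie_lifetime, '', '', $cookie_secure, true);
        $_SESSION['angemeldet_bleiben'] = 1;
    } else {
        $_SESSION['angemeldet_bleiben'] = 0;
    }

    $datum = date("Y-m-d H:i:s");
    $ip = getenv("REMOTE_ADDR");
    $agent = getenv("HTTP_USER_AGENT");
    $_SESSION['userid'] = $uid;
    $_SESSION["global_mail"] = $row['mail'];

    // The User-Agent header is attacker-controlled: bind it rather than interpolate it.
    $stmt = $db->prepare("INSERT INTO jumi_adminlog (Datum, IP, user_agent, uid) VALUES (?, ?, ?, ?)");
    $stmt->bind_param('ssss', $datum, $ip, $agent, $uid);
    $stmt->execute();
    $stmt->close();

    echo '
Login wird durchgeführt
|***|success';
}
?>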