more php8.0, make login page more modern (in the *good* sense)

This commit is contained in:
Xkeeper 2024-09-17 00:16:48 -07:00
parent 08cb172ab5
commit 81ee0c092e
No known key found for this signature in database
GPG Key ID: 397C04773ABE4045
2 changed files with 78 additions and 46 deletions


@ -693,9 +693,9 @@ function checkuser($name,$pass){
if ($user['password'] !== getpwhash($pass, $user['id'])) { if ($user['password'] !== getpwhash($pass, $user['id'])) {
// Also check for the old md5 hash, allow a login and update it if successful // Also check for the old md5 hash, allow a login and update it if successful
// This shouldn't impact security (in fact it should improve it) // This shouldn't impact security (in fact it should improve it)
if (!$hacks['password_compatibility']) if (!($hacks['password_compatibility'] ?? null)) {
return -1; return -1;
else { } else {
if ($user['password'] === md5($pass)) { // Uncomment the lines below to update password hashes if ($user['password'] === md5($pass)) { // Uncomment the lines below to update password hashes
$sql->query("UPDATE users SET `password` = '".getpwhash($pass, $user['id'])."' WHERE `id` = '$user[id]'"); $sql->query("UPDATE users SET `password` = '".getpwhash($pass, $user['id'])."' WHERE `id` = '$user[id]'");
xk_ircsend("102|".xk(3)."Password hash for ".xk(9).$name.xk(3)." (uid ".xk(9).$user['id'].xk(3).") has been automatically updated."); xk_ircsend("102|".xk(3)."Password hash for ".xk(9).$name.xk(3)." (uid ".xk(9).$user['id'].xk(3).") has been automatically updated.");
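Review bot: The comment `// Uncomment the lines below to update password hashes` on the `md5($pass)` line is stale — the `UPDATE users` and `xk_ircsend` lines under it are live, so the legacy-hash upgrade runs on every successful md5 login; the comment should say what actually happens, e.g. `// Legacy md5 match: accept the login and transparently upgrade the stored hash`. While the `?? null` guard only silences the PHP 8 undefined-index warning, both password checks in this hunk are plain `!==`/`===` string comparisons; `hash_equals($user['password'], getpwhash($pass, $user['id']))` is the timing-safe idiom and costs nothing here. The `UPDATE` interpolates `$user[id]` and the hash into the SQL string; both come from the database / hash function rather than the request, so the practical risk is low, but a bound parameter would remove the question. The body of `checkuser` begins and ends outside this hunk.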

112
login.php

@ -5,42 +5,45 @@
// Bots don't need to be on this page // Bots don't need to be on this page
$meta['noindex'] = true; $meta['noindex'] = true;
$username = $_POST['username']; $username = $_POST['username'] ?? null;
$password = $_POST['userpass']; $password = $_POST['userpass'] ?? null;
$verifyid = $_POST['verify']; $verifyid = $_POST['verify'] ?? null;
$action = $_POST['action'] ?? null;
$show_form = true;
$txt="$header<br>$tblstart"; $txt = "$header<br>";
$msg = null;
if($_POST['action']=='login') { if ($action=='login') {
if (!$username) if (!$username) {
$msg = "Couldn't login. You didn't input a username."; $msg = "Couldn't login. You didn't input a username.";
else { } else {
$username = trim($username); $username = trim($username);
$useridn = checkusername(stripslashes($username));
$userid = checkuser($username,$password); $userid = checkuser($username,$password);
if($userid!=-1) { if ($useridn === -1) {
$msg = "No user with that username exists.<br><br>If you aren't sure if you have an account, check the <a href='memberlist.php'>memberlist</a> or <a href='register.php'>register a new account</a>.";
} elseif ($userid !== -1) {
$pwhash = $sql->resultq("SELECT `password` FROM `users` WHERE `id` = '$userid'"); $pwhash = $sql->resultq("SELECT `password` FROM `users` WHERE `id` = '$userid'");
$verify = create_verification_hash($verifyid, $pwhash); $verify = create_verification_hash($verifyid, $pwhash);
setcookie('loguserid',$userid,2147483647, "/", $_SERVER['SERVER_NAME'], false, true); setcookie('loguserid',$userid,2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
setcookie('logverify',$verify,2147483647, "/", $_SERVER['SERVER_NAME'], false, true); setcookie('logverify',$verify,2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
$msg = "You are now logged in as $username."; $msg = "You are now logged in as <b>$username</b>.<br><br>".redirect('index.php','the board',2);
} $show_form = false;
else if (/*$username == "Blaster" || */$username === "tictOrnaria") {
$sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Abusive / malicious behavior'"); } else {
@xk_ircsend("1|". xk(7) ."Auto banned tictOrnaria (malicious bot) with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) .".");
}
else {
$sql->query("INSERT INTO `failedlogins` SET `time` = '". ctime() ."', `username` = '". $username ."', `password` = '". $password ."', `ip` = '". $_SERVER['REMOTE_ADDR'] ."'"); $sql->query("INSERT INTO `failedlogins` SET `time` = '". ctime() ."', `username` = '". $username ."', `password` = '". $password ."', `ip` = '". $_SERVER['REMOTE_ADDR'] ."'");
$fails = $sql->resultq("SELECT COUNT(`id`) FROM `failedlogins` WHERE `ip` = '". $_SERVER['REMOTE_ADDR'] ."' AND `time` > '". (ctime() - 1800) ."'"); $fails = $sql->resultq("SELECT COUNT(`id`) FROM `failedlogins` WHERE `ip` = '". $_SERVER['REMOTE_ADDR'] ."' AND `time` > '". (ctime() - 1800) ."'");
// Keep in mind, it's now not possible to trigger this if you're IP banned // Keep in mind, it's now not possible to trigger this if you're IP banned
// when you could previously, making extra checks to stop botspam not matter // when you could previously, making extra checks to stop botspam not matter
// @xk_ircsend("102|". xk(14) ."Failed attempt". xk(8) ." #$fails ". xk(14) ."to log in as ". xk(8) . $username . xk(14) ." by IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(14) .".");
//if ($fails > 1) // report("mod", "Failed attempt **#$fails** to log in as **$username** by IP " . $_SERVER['REMOTE_ADDR'] . ".");
@xk_ircsend("102|". xk(14) ."Failed attempt". xk(8) ." #$fails ". xk(14) ."to log in as ". xk(8) . $username . xk(14) ." by IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(14) .".");
report("mod", "Failed attempt **#$fails** to log in as **$username** by IP " . $_SERVER['REMOTE_ADDR'] . ".");
if ($fails >= 10) { if ($fails >= 10) {
$sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Too many failed login attempts. Send e-mail for password recovery'"); $sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Too many failed login attempts. Send e-mail for password recovery'");
@ -50,31 +53,63 @@
report("super", "Auto-IP banned " . $_SERVER['REMOTE_ADDR'] . "for repeated failed logins."); report("super", "Auto-IP banned " . $_SERVER['REMOTE_ADDR'] . "for repeated failed logins.");
} }
$msg = "Couldn't login. Either you didn't enter an existing username, or you haven't entered the right password for the username."; $msg = "Couldn't login. The password you entered doesn't match.
} <br><br>If you've forgotten your password, <a href='thread.php?id=17948'>join Discord</a> (sorry) or email me at <tt>xkeeper@gmail.com</tt> / Discord <tt>@xkeeper</tt>.";
}
$txt.="$tccell1>$msg<br>".redirect('index.php','the board',0);
} elseif ($_POST['action'] == 'logout') { if ($fails >= 5) {
$msg .= "<br><b>Warning: Continued failed attempts will result in a ban.</b>";
}
}
}
// $txt.="$tccell1>$msg<br>".redirect('index.php','the board',0);
} elseif ($action == 'logout') {
setcookie('loguserid','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true); setcookie('loguserid','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true);
setcookie('logverify','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true); setcookie('logverify','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true);
// May as well unset this as well // May as well unset this as well
setcookie('logpassword','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true); setcookie('logpassword','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true);
$show_form = false;
$txt.="$tccell1> You are now logged out.<br>".redirect('index.php','the board',0); $txt.="$tccell1> You are now logged out.<br>".redirect('index.php','the board',0);
} elseif (!$_POST['action']) { } elseif ($action) { // Just what do you think you're doing
die("error");
// $sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Generic internet exploit searcher'");
// if (!mysql_error())
// xk_ircsend("1|". xk(7) ."Auto-banned asshole trying to be clever with the login form (action: ".xk(8).$action.xk(7).") with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) .".");
}
if ($msg) {
$txt .= <<<MSG
$tblstart
<tr>
$tccellh><b>Message</b></td>
</tr><tr>
$tccell1>$msg</td>
</tr></table><br>
MSG;
}
if ($show_form) {
$ipaddr = explode('.', $_SERVER['REMOTE_ADDR']); $ipaddr = explode('.', $_SERVER['REMOTE_ADDR']);
for ($i = 4; $i > 0; --$i) { for ($i = 4; $i > 0; --$i) {
$verifyoptext[$i] = "(".implode('.', $ipaddr).")"; $verifyoptext[$i] = "(".implode('.', $ipaddr).")";
$ipaddr[$i-1] = 'xxx'; $ipaddr[$i-1] = 'xxx';
} }
$txt .= "<body onload=window.document.REPLIER.username.focus()> $txt .= "<form action='login.php' name='REPLIER' method='post'>
<FORM ACTION=login.php NAME=REPLIER METHOD=POST><tr> $tblstart
$tccellh width=150>&nbsp;</td>$tccellh width=40%>&nbsp</td>$tccellh width=150>&nbsp;</td>$tccellh width=40%>&nbsp;</td></tr><tr> <tr>
$tccell1><b>User name:</b></td> $tccell2l>$inpt=username MAXLENGTH=25 style='width:280px;'></td> $tccellh width=150>&nbsp;</td>
$tccellh width=40%>&nbsp;</td>
$tccellh width=150>&nbsp;</td>
$tccellh width=40%>&nbsp;</td>
</tr><tr>
$tccell1><b>User name:</b></td>
$tccell2l>$inpt=username maxlength=25 style='width:280px;' ". (!$username ? "autofocus='1' " : "") ."tabindex='1' value=\"". htmlspecialchars($username) ."\"></td>
$tccell1 rowspan=2><b>IP Verification:</b></td> $tccell2l rowspan=2> $tccell1 rowspan=2><b>IP Verification:</b></td> $tccell2l rowspan=2>
<select name=verify> <select name='verify' tabindex=4>
<option selected value=0>Don't use</option> <option selected value=0>Don't use</option>
<option value=1> /8 $verifyoptext[1]</option> <option value=1> /8 $verifyoptext[1]</option>
<option value=2>/16 $verifyoptext[2]</option> <option value=2>/16 $verifyoptext[2]</option>
@ -82,19 +117,16 @@
<option value=4>/32 $verifyoptext[4]</option> <option value=4>/32 $verifyoptext[4]</option>
</select><br><small>You can require your IP address to match your current IP, to an extent, to remain logged in.</small> </select><br><small>You can require your IP address to match your current IP, to an extent, to remain logged in.</small>
</tr><tr> </tr><tr>
$tccell1><b>Password:</b></td> $tccell2l>$inpp=userpass MAXLENGTH=64 style='width:180px;'></td> $tccell1><b>Password:</b></td>
$tccell2l>$inpp=userpass maxlength=64 style='width:180px;' tabindex='2'". ($username ? " autofocus='1' " : "") ."></td>
</tr><tr> </tr><tr>
$tccell1>&nbsp;</td>$tccell2l colspan=3> $tccell1>&nbsp;</td>$tccell2l colspan=3>
$inph=action VALUE=login> $inph=action value='login'>
$inps=submit VALUE=Login></td></tr> $inps=submit value='Login' tabindex='3'></td></tr>
</FORM>"; </table>
} </form>";
else { // Just what do you think you're doing
$sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Generic internet exploit searcher'");
if (!mysql_error())
xk_ircsend("1|". xk(7) ."Auto-banned asshole trying to be clever with the login form (action: ".xk(8).$_POST['action'].xk(7).") with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) .".");
} }
print $txt.$tblend.$footer; print $txt.$tblend.$footer;
printtimedif($startingtime); printtimedif($startingtime);
?>
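Review bot: The new `$useridn === -1` branch in the first hunk returns before the `failedlogins` INSERT, so attempts against non-existent usernames no longer count toward the `$fails >= 10` auto-ban or the new `$fails >= 5` warning — a bot cycling through usernames never trips the limit — and the page now states explicitly whether an account exists, which the old deliberately vague message avoided (moot only if `memberlist.php` really is public, as the new text implies). Consider also inserting into `failedlogins` in that branch, or computing `$fails` before choosing which message to show. The success message `You are now logged in as <b>$username</b>` and the `report()`/`xk_ircsend()` strings interpolate `$username` raw while the form field is now `htmlspecialchars`'d; since the value has only been `trim`'d, escaping it there too would be consistent. The `stripslashes()` call suggests `$_POST` is pre-escaped elsewhere; if it is not, the `failedlogins` INSERT still interpolates `$username` and `$password` into SQL unescaped, and storing attempted passwords in plaintext is itself worth a second look.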