diff --git a/login.php b/login.php
index 522d63af..88a5c64b 100644
--- a/login.php
+++ b/login.php
@@ -17,7 +17,7 @@ ini_set("session.cookie_httponly", True);
// Tell client to only send cookie(s) over HTTPS
if($config_https_only){
- ini_set("session.cookie_secure", True);
+ ini_set("session.cookie_secure", True);
}
// Handle POST login request
@@ -28,22 +28,22 @@ if(isset($_POST['login'])){
// Check recent failed login attempts for this IP (more than 10 failed logins in 5 mins)
$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 5 MINUTE)"));
-
+
$failed_login_count = $row['failed_login_count'];
// Login brute force check
if($failed_login_count >= 10){
- // Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'");
+ // Logging
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'");
- // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company)
- if($failed_login_count == 10){
- mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'");
- }
+ // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company)
+ if($failed_login_count == 10){
+ mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'");
+ }
- // Inform user
- $response = '
IP Lockout - Please try again later.
';
+ // Inform user
+ $response = 'IP Lockout - Please try again later.
';
}
// Passed login brute force check
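Review bot: The notifications INSERT inside the `if($failed_login_count == 10)` branch is missing a comma between `notification_timestamp = NOW()` and `company_id = '1'`, so the statement is a syntax error and the lockout alert is never stored; because the `mysqli_query` result is not checked the failure is silent. The line should read `... notification_timestamp = NOW(), company_id = '1'");`. Separately, `$ip` and `$user_agent` are interpolated straight into the logs INSERT and the lockout-count SELECT at the top of the hunk (the same pattern appears in the later hunk's logs INSERT and users UPDATE); `$user_agent` is presumably taken from a request header, so these queries should be issued through `mysqli_prepare` with bound parameters rather than string interpolation. The enclosing `if(isset($_POST['login']))` block starts and ends outside the hunk.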
@@ -74,24 +74,34 @@ if(isset($_POST['login'])){
$site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
generateUserSessionKey($site_encryption_master_key);
- // Setup extension
+ // Setup extension
if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) {
- // Extension cookie
- // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS.
- setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
+ // Extension cookie
+ // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS.
+ setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
- // Set PHP session in DB so we can access the session encryption data (above)
- $user_php_session = session_id();
- mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'");
+ // Set PHP session in DB so we can access the session encryption data (above)
+ $user_php_session = session_id();
+ mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'");
}
}
if (empty($token)) {
+ // Full Login successful
+
$_SESSION['logged'] = TRUE;
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id");
- header("Location: dashboard_financial.php");
+ // Show start page/dashboard depending on role
+ if ($row['user_role'] == 2) {
+ header("Location: dashboard_technical.php");
+ } else {
+ header("Location: dashboard_financial.php");
+ }
+
} else {
+ // Prompt for MFA
+
$token_field = "