From 07986954f55b2d3727217a3e932b8ddeab75394d Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sun, 1 Jan 2023 13:41:29 +0000
Subject: [PATCH] Redirect/show techs to technical dashboard on login/navbar
---
 login.php | 153 +++++++++++++----------
 side_nav.php | 341 +++++++++++++++++++++++++++------------------------
 2 files changed, 263 insertions(+), 231 deletions(-)
diff --git a/login.php b/login.php
index 522d63af..88a5c64b 100644
--- a/login.php
+++ b/login.php
@@ -17,7 +17,7 @@ ini_set("session.cookie_httponly", True);
 // Tell client to only send cookie(s) over HTTPS
 if($config_https_only){
- ini_set("session.cookie_secure", True);
+ ini_set("session.cookie_secure", True);
 }
 // Handle POST login request
@@ -28,22 +28,22 @@ if(isset($_POST['login'])){ // Check recent failed login attempts for this IP (more than 10 failed logins in 5 mins) $row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 5 MINUTE)")); - + $failed_login_count = $row['failed_login_count']; // Login brute force check if($failed_login_count >= 10){ - // Logging - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'"); + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'"); - // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company) - if($failed_login_count == 10){ - mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'"); - } + // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company) + if($failed_login_count == 10){ + mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'"); + } - // Inform user - $response = '
IP Lockout - Please try again later.
'; + // Inform user + $response = '
IP Lockout - Please try again later.
'; } // Passed login brute force check @@ -74,24 +74,34 @@ if(isset($_POST['login'])){ $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password); generateUserSessionKey($site_encryption_master_key); - // Setup extension + // Setup extension if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) { - // Extension cookie - // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS. - setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']); + // Extension cookie + // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS. + setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']); - // Set PHP session in DB so we can access the session encryption data (above) - $user_php_session = session_id(); - mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'"); + // Set PHP session in DB so we can access the session encryption data (above) + $user_php_session = session_id(); + mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'"); } } if (empty($token)) { + // Full Login successful + $_SESSION['logged'] = TRUE; mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id"); - header("Location: dashboard_financial.php"); + // Show start page/dashboard depending on role + if ($row['user_role'] == 2) { + header("Location: dashboard_technical.php"); + } else { + header("Location: dashboard_financial.php"); + } + } else { + // Prompt for MFA + $token_field = "
@@ -104,10 +114,17 @@ if(isset($_POST['login'])){ require_once("rfc6238.php"); if (TokenAuth6238::verify($token, $current_code)) { + // Full login (with MFA) successful $_SESSION['logged'] = TRUE; mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login 2FA', log_action = 'Success', log_description = '$user_name successfully logged in using 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); - //header("Location: $config_start_page"); - header("Location: dashboard_financial.php"); + + // Show start page/dashboard depending on role + if ($row['user_role'] == 2) { + header("Location: dashboard_technical.php"); + } else { + header("Location: dashboard_financial.php"); + } + } else { mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = '2FA Failed', log_description = '$user_name failed 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); @@ -138,60 +155,60 @@ if(isset($_POST['login'])){ - - - <?php echo $config_app_name; ?> | Login - - - - - - - - - - + + + <?php echo $config_app_name; ?> | Login + + + + + + + + + +
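Review bot: The newly added `$_SESSION['logged'] = TRUE;` in the `if (empty($token))` branch is not preceded by `session_regenerate_id(true);`, so the now-authenticated session keeps whatever ID the client presented before login; unless the ID is regenerated earlier in the handler outside this hunk, add that call immediately before the flag is set here and in the 2FA success branch of the following hunk. The role-based redirect (`if ($row['user_role'] == 2) { header("Location: dashboard_technical.php"); } else { ... }`) is pasted verbatim into that 2FA hunk as well; computing the target once before the token check, e.g. `$start_page = (int) $row['user_role'] === 2 ? 'dashboard_technical.php' : 'dashboard_financial.php';`, would remove the duplicate and the loose `==` against a column value. Each `header("Location: ...")` should also be followed by `exit;`, since the visible lines after it fall straight through to the closing braces and, as far as this hunk shows, the rest of the page would still be executed and emitted after the redirect. The enclosing `if(isset($_POST['login']))` handler starts before this hunk and continues after it.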