Login page enhancements

- Default to secure cookies (in case var is not defined in config.php)
- Enable content security policy
- Return HTTP 401 response code for invalid username/password combinations
This commit is contained in:
Marcus Hill 2023-06-17 15:09:01 +01:00
parent 8a33a45d20
commit 57dab27169
2 changed files with 11 additions and 9 deletions


@ -0,0 +1,3 @@
if (window.history.replaceState) {
window.history.replaceState(null,null,window.location.href);
}


@ -1,6 +1,7 @@
<?php <?php
header("X-Frame-Options: DENY"); header("X-Frame-Options: DENY");
header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
if (!file_exists('config.php')) { if (!file_exists('config.php')) {
header("Location: setup.php"); header("Location: setup.php");
@ -66,7 +67,7 @@ if ($config_login_key_required) {
ini_set("session.cookie_httponly", true); ini_set("session.cookie_httponly", true);
// Tell client to only send cookie(s) over HTTPS // Tell client to only send cookie(s) over HTTPS
if ($config_https_only) { if ($config_https_only || !isset($config_https_only)) {
ini_set("session.cookie_secure", true); ini_set("session.cookie_secure", true);
} }
@ -227,6 +228,8 @@ if (isset($_POST['login'])) {
// Password incorrect or user doesn't exist - show generic error // Password incorrect or user doesn't exist - show generic error
header("HTTP/1.1 401 Unauthorized");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent'"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent'");
$response = " $response = "
@ -309,21 +312,17 @@ if (isset($_POST['login'])) {
<!-- jQuery --> <!-- jQuery -->
<script src="plugins/jquery/jquery.min.js"></script> <script src="plugins/jquery/jquery.min.js"></script>
<!-- Bootstrap 4 --> <!-- Bootstrap 4 -->
<script src="plugins/bootstrap/js/bootstrap.bundle.min.js"></script> <script src="plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- AdminLTE App --> <!-- AdminLTE App -->
<script src="dist/js/adminlte.min.js"></script> <script src="dist/js/adminlte.min.js"></script>
<script src="plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script> <!-- <script src="plugins/Show-Hide-Passwords-Bootstrap-4/bootstrap-show-password.min.js"></script> -->
<!-- Prevents resubmit on refresh or back --> <!-- Prevents resubmit on refresh or back -->
<script> <script src="js/login_prevent_resubmit.js"></script>
if (window.history.replaceState) {
window.history.replaceState(null,null,window.location.href);
}
</script>
</body> </body>
</html> </html>
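Review bot: The `https:` source in the new `Content-Security-Policy: default-src 'self' https: fonts.googleapis.com` header at the top of login.php allows scripts, styles, frames and other resources from any HTTPS origin, so the policy gives little protection against an injected `<script src="https://...">` and also makes the explicit fonts.googleapis.com entry redundant. Listing only the origins the page actually needs is the safer shape, e.g. `header("Content-Security-Policy: default-src 'self'; style-src 'self' fonts.googleapis.com");`, adding a `font-src` entry for fonts.gstatic.com only if the Google Fonts stylesheet is really loaded and pulls its font files from there (not visible in this diff). Separately, `if ($config_https_only || !isset($config_https_only))` evaluates the possibly-undefined variable before the `isset()` guard and will emit an "Undefined variable" warning on every request when config.php omits it; reversing the operands, `if (!isset($config_https_only) || $config_https_only)`, keeps the intended secure-by-default behaviour without the warning. Finally, `header("HTTP/1.1 401 Unauthorized")` hard-codes the protocol version; `http_response_code(401);` lets the SAPI emit the correct status line, and note that a 401 without a `WWW-Authenticate` header is not strictly RFC-conformant even though browsers accept it for form logins.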