From 414aaf9bf5ce5dfb86c14baba90c0de5735af0b3 Mon Sep 17 00:00:00 2001
From: xiaomlove
Date: Thu, 25 Aug 2022 22:38:06 +0800
Subject: [PATCH] secure login use ip instead of REMOTE_ADDR

---
 app/Http/Controllers/AuthenticateController.php | 7 ++++---
 include/functions.php                           | 4 ++--
 public/takelogin.php                            | 8 ++++----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/app/Http/Controllers/AuthenticateController.php b/app/Http/Controllers/AuthenticateController.php
index 572ca7b5..2b924fb1 100644
--- a/app/Http/Controllers/AuthenticateController.php
+++ b/app/Http/Controllers/AuthenticateController.php
@@ -50,9 +50,10 @@ class AuthenticateController extends Controller
         if ($deadline && $deadline > now()->toDateTimeString()) {
             $user = User::query()->where('passkey', $passkey)->first(['id', 'passhash']);
             if ($user) {
-                $passhash = md5($user->passhash . $_SERVER["REMOTE_ADDR"]);
-                do_log(sprintf('passhash: %s, remote_addr: %s, md5: %s', $user->passhash, $_SERVER["REMOTE_ADDR"], $passhash));
-                logincookie($user->id, $passhash,false, 86400 * 30, true, true, true);
+                $ip = getip();
+                $passhash = md5($user->passhash . $ip);
+                do_log(sprintf('passhash: %s, ip: %s, md5: %s', $user->passhash, $ip, $passhash));
+                logincookie($user->id, $passhash,false, 0x7fffffff, true, true, true);
                 $user->last_login = now();
                 $user->save();
             }
diff --git a/include/functions.php b/include/functions.php
index 98a454d5..2a6693ea 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1976,8 +1976,8 @@ function userlogin()
 {
     if ($_COOKIE["c_secure_login"] == base64("yeah")) {
-        $md5 = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]);
-        $log .= ", secure login == yeah, passhash: {$row['passhash']}, remote_addr: {$_SERVER["REMOTE_ADDR"]}, md5: $md5";
+        $md5 = md5($row["passhash"].$ip);
+        $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $md5";
         if ($_COOKIE["c_secure_pass"] != $md5) {
             do_log("$log, c_secure_pass != md5");
             return $loginResult = false;
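Review bot: The new `logincookie($user->id, $passhash,false, 0x7fffffff, true, true, true);` call changes the secure-login cookie lifetime from `86400 * 30` (30 days) to 2^31-1 seconds, roughly 68 years, which is not covered by the commit subject and makes a cookie derived from the user's stored passhash effectively permanent; unless that is intended, keep `86400 * 30` (and if logincookie adds the value to time(), `time() + 0x7fffffff` overflows on 32-bit PHP builds). The new do_log() line also writes the stored passhash and the exact cookie value to the log, so anyone who can read the log can forge the cookie; a line such as `do_log(sprintf('passkey login, user: %d, ip: %s', $user->id, $ip));` records what auditing needs without the secrets. The body of getip() is not visible here; if it derives the address from forwarded headers such as X-Forwarded-For, the cookie-to-IP binding becomes something the client chooses, so getip() should only honour those headers when REMOTE_ADDR is a trusted proxy. The enclosing method begins and ends outside the hunk.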
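Review bot: `$ip` is read on the new `$md5 = md5($row["passhash"].$ip);` line but is not assigned anywhere in this hunk, so userlogin() must already hold `$ip` from the same getip() the cookie issuers now use; if it is unset the expression silently degrades to md5($row["passhash"]) plus an undefined-variable notice, and the IP binding this cookie exists for is lost, so it is worth confirming there is an `$ip = getip();` earlier in the function or passing the address in explicitly. The rewritten `$log .=` line still appends the passhash and the expected cookie value, which the following `do_log("$log, c_secure_pass != md5")` writes out on every mismatch; appending only the user id and `$ip` keeps forgeable material out of the log. Issuer and verifier now both depend on getip() returning the same string for the same client, so any later change to how getip() treats proxy headers invalidates every outstanding secure-login cookie. userlogin() begins and ends outside the hunk.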
diff --git a/public/takelogin.php b/public/takelogin.php
index 439b3199..a416d7a4 100644
--- a/public/takelogin.php
+++ b/public/takelogin.php
@@ -7,7 +7,7 @@ dbconn();
 require_once(get_langfile_path("", false, get_langfolder_cookie()));
 failedloginscheck ();
 cur_user_check () ;
-
+$ip = getip();
 function bark($text = "")
 {
     global $lang_takelogin;
@@ -33,7 +33,7 @@ if (!empty($row['two_step_secret'])) {
         failedlogins($lang_takelogin['std_invalid_two_step_code']);
     }
 }
-$log = "user: " . $row['id'];
+$log = "user: {$row['id']}, ip: $ip";
 if ($row["passhash"] != md5($row["secret"] . $password . $row["secret"]))
     login_failedlogins();
@@ -43,8 +43,8 @@ if ($row["enabled"] == "no")
 if (isset($_POST["securelogin"]) && $_POST["securelogin"] == "yes") {
     $securelogin_indentity_cookie = true;
-    $passh = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]);
-    $log .= ", secure login == yeah, passhash: {$row['passhash']}, remote_addr: {$_SERVER["REMOTE_ADDR"]}, md5: $passh";
+    $passh = md5($row["passhash"].$ip);
+    $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $passh";
 } else {
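Review bot: The `$ip = getip();` added after `cur_user_check () ;` is the value the secure-login cookie is bound to further down in this file (`md5($row["passhash"].$ip)`), so it inherits getip()'s trust model: if getip() prefers a client-supplied header such as X-Forwarded-For over REMOTE_ADDR (its body is not visible here), a stolen c_secure_pass cookie can be replayed from anywhere by sending the matching header, and the binding adds nothing over the plain cookie. Honour forwarded headers in getip() only when REMOTE_ADDR is a configured proxy and fall back to REMOTE_ADDR otherwise, and say so on the assignment: `$ip = getip(); // bound into c_secure_pass; must not be client-controllable`. The assignment runs at file scope, so `$ip` is visible to the later top-level code but not inside bark() or any other function without a `global` declaration.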