diff --git a/app/Auth/NexusWebGuard.php b/app/Auth/NexusWebGuard.php
index 9eaa940a..7768addd 100644
--- a/app/Auth/NexusWebGuard.php
+++ b/app/Auth/NexusWebGuard.php
@@ -70,7 +70,7 @@ public function validate(array $credentials = [])
 }
 $b_id = base64($credentials["c_secure_uid"],false);
 $id = intval($b_id ?? 0);
- if (!$id || !is_valid_id($id) || strlen($credentials["c_secure_pass"]) != 32) {
+ if (!$id || !is_valid_id($id)) {
 return false;
 }
 $user = $this->provider->retrieveById($id);
diff --git a/app/Auth/NexusWebUserProvider.php b/app/Auth/NexusWebUserProvider.php
index 203c3e71..162946fa 100644
--- a/app/Auth/NexusWebUserProvider.php
+++ b/app/Auth/NexusWebUserProvider.php
@@ -76,16 +76,17 @@ public function retrieveByCredentials(array $credentials)
 */
 public function validateCredentials(Authenticatable $user, array $credentials)
 {
+ $passh = base64_decode($credentials["c_secure_pass"]);
 if ($credentials["c_secure_login"] == base64("yeah")) {
 /**
 * Not IP related
 * @since 1.8.0
 */
- if ($credentials["c_secure_pass"] != md5($user->passhash)) {
+ if (!password_verify($user->passhash, $passh)) {
 return false;
 }
 } else {
- if ($credentials["c_secure_pass"] !== md5($user->passhash)) {
+ if (!password_verify($user->passhash, $passh)) {
 return false;
 }
 }
diff --git a/app/Http/Controllers/AuthenticateController.php b/app/Http/Controllers/AuthenticateController.php
index 4781e989..22bb0cbd 100644
--- a/app/Http/Controllers/AuthenticateController.php
+++ b/app/Http/Controllers/AuthenticateController.php
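Review bot: With the `strlen(...) != 32` test gone, `validate` no longer rejects a malformed `c_secure_pass` before handing the credentials to the provider, so a value of any length (or, on PHP 8, a non-string value produced by a `c_secure_pass[]=` cookie, which `base64_decode` would then reject with a TypeError) reaches the bcrypt verify downstream. A cheap shape check keeps the expensive path for plausible tokens only: `if (!is_string($credentials["c_secure_pass"] ?? null) || strlen($credentials["c_secure_pass"]) > 255) { return false; }` — an upper bound rather than an exact length, because PHP does not fix the output length of `PASSWORD_DEFAULT`. `validate` starts and ends outside the hunk.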
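Review bot: After this change the `c_secure_login == base64("yeah")` branch and the `else` branch run the identical `password_verify($user->passhash, $passh)` check, so the conditional and its "Not IP related" comment now only suggest a difference that no longer exists; collapse both to a single `if (!password_verify($user->passhash, $passh)) { return false; }`. The new `base64_decode` call is non-strict, so a cookie containing non-base64 bytes is silently stripped and still run through bcrypt; decode strictly and bail on failure instead: `$passh = base64_decode($credentials["c_secure_pass"], true); if ($passh === false) { return false; }`. The end of `validateCredentials` is outside the hunk.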
@@ -59,8 +59,8 @@ public function passkeyLogin($passkey)
 * @since 1.8.0
 */
 // $passhash = md5($user->passhash . $ip);
- $passhash = md5($user->passhash);
- do_log(sprintf('passhash: %s, ip: %s, md5: %s', $user->passhash, $ip, $passhash));
+ $passhash = base64_encode(password_hash($user->passhash, PASSWORD_DEFAULT))
+ do_log(sprintf('passhash: %s, ip: %s, password_hash: %s', $user->passhash, $ip, $passhash));
 logincookie($user->id, $passhash,false, get_setting('system.cookie_valid_days', 365) * 86400, true, true, true);
 $user->last_login = now();
 $user->save();
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index aa307856..29a5ef24 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -86,23 +86,25 @@ private function getUserByCookie($cookie)
 }
 $b_id = base64($cookie["c_secure_uid"],false);
 $id = intval($b_id ?? 0);
- if (!$id || !is_valid_id($id) || strlen($cookie["c_secure_pass"]) != 32) {
+ if (!$id || !is_valid_id($id)) {
 return null;
 }
 $user = User::query()->find($id);
 if (!$user) {
 return null;
 }
+
+ $passh = base64_decode($cookie["c_secure_pass"]);
 if ($cookie["c_secure_login"] == base64("yeah")) {
 /**
 * Not IP related
 * @since 1.8.0
 */
- if ($cookie["c_secure_pass"] != md5($user->passhash)) {
+ if (!password_verify($user->passhash, $passh)) {
 return null;
 }
 } else {
- if ($cookie["c_secure_pass"] !== md5($user->passhash)) {
+ if (!password_verify($user->passhash, $passh)) {
 return null;
 }
 }
diff --git a/include/functions.php b/include/functions.php
index 0468722f..af48cdaa 100644
--- a/include/functions.php
+++ b/include/functions.php
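Review bot: The added line `$passhash = base64_encode(password_hash($user->passhash, PASSWORD_DEFAULT))` has no terminating semicolon, so the file fails to parse and every route handled by this controller breaks; it must read `$passhash = base64_encode(password_hash($user->passhash, PASSWORD_DEFAULT));`. The rewritten `do_log` line still writes the user's stored `passhash` and the freshly minted cookie token to the log: the token is a bearer credential for the account until the passhash changes, and the passhash is exactly what an attacker needs to mint such tokens offline, which is the cost the switch to `password_hash` was meant to impose. Log only what is needed to trace the event, e.g. `do_log(sprintf('passkey login uid: %d, ip: %s', $user->id, $ip));`. `passkeyLogin` starts outside the hunk.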
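Review bot: `password_verify` now runs on every call of `getUserByCookie`, and the hunk removed the only pre-check on `c_secure_pass`, so if this is the per-request cookie lookup (its name suggests so, but the callers are not visible) every authenticated request — and every request carrying a valid uid plus any junk token — costs one bcrypt at the default cost, a cheap CPU-exhaustion vector compared with the old `md5` compare. At minimum reject undecodable tokens before the verify, `$passh = base64_decode($cookie["c_secure_pass"], true); if ($passh === false) { return null; }`; if per-request bcrypt is too expensive for this deployment, a random high-entropy session token compared with `hash_equals` avoids the cost without weakening the cookie. The two branches below are now identical and can be a single check. `getUserByCookie` ends outside the hunk.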
@@ -1980,24 +1980,14 @@ function userlogin() { do_log("$log, param not enough"); return $loginResult = false; } - if ($_COOKIE["c_secure_login"] == base64("yeah")) - { - //if (empty($_SESSION["s_secure_uid"]) || empty($_SESSION["s_secure_pass"])) - //return; - } + $b_id = base64($_COOKIE["c_secure_uid"],false); $id = intval($b_id ?? 0); - if (!$id || !is_valid_id($id) || strlen($_COOKIE["c_secure_pass"]) != 32) { + if (!$id || !is_valid_id($id)) { do_log("$log, invalid c_secure_uid"); return $loginResult = false; } - if ($_COOKIE["c_secure_login"] == base64("yeah")) - { - //if (strlen($_SESSION["s_secure_pass"]) != 32) - //return; - } - $res = sql_query("SELECT * FROM users WHERE users.id = ".sqlesc($id)." AND users.enabled='yes' AND users.status = 'confirmed' LIMIT 1"); $row = mysql_fetch_array($res); if (!$row) { 
@@ -2009,29 +1999,31 @@ function userlogin() { //die(base64_decode($_COOKIE["c_secure_login"])); - if ($_COOKIE["c_secure_login"] == base64("yeah")) - { + if ($_COOKIE["c_secure_login"] == base64("yeah")) + { /** * Not IP related * @since 1.8.0 */ // $md5 = md5($row["passhash"].$ip); - $md5 = md5($row["passhash"]); - $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $md5"; - if ($_COOKIE["c_secure_pass"] != $md5) { - do_log("$log, c_secure_pass != md5"); + $passh = base64_decode($_COOKIE["c_secure_pass"]); + $verify = password_verify($row["passhash"], $passh); + $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, password_hash: $passh"; + if (!$verify) { + do_log("$log, password_verify fail!"); return $loginResult = false; } - } - else - { - $md5 = md5($row["passhash"]); - $log .= "$log, passhash: {$row['passhash']}, md5: $md5"; - if ($_COOKIE["c_secure_pass"] !== $md5) { - do_log("$log, c_secure_pass != md5"); + } + else + { + $passh = base64_decode($_COOKIE["c_secure_pass"]); + $verify = password_verify($row["passhash"], $passh); + $log .= ", passhash: {$row['passhash']}, password_hash: $passh"; + if (!$verify) { + do_log("$log, password_verify fail!"); return $loginResult = false; } - } + } if ($_COOKIE["c_secure_login"] == base64("yeah")) { 
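Review bot: Both rewritten branches append `passhash: {$row['passhash']}` and `password_hash: $passh` to `$log` before calling `do_log`, so every failed cookie check writes the user's stored password hash and the decoded cookie token — the account's bearer credential — to the log; with bcrypt now protecting exactly that token, logging it in clear undoes the gain. Keep the message to the outcome, e.g. `$log .= ", secure login == yeah, uid: $id, ip: $ip";` and the same in the else branch. The two branches are otherwise identical (`$passh`, `$verify`, the check, the early return), so the decode and verify can be hoisted above the `c_secure_login` test. `userlogin` continues outside the hunk.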
@@ -3015,22 +3007,22 @@ function logincookie($id, $passhash, $updatedb = 1, $expires = 0x7fffffff, $secu if ($expires != 0x7fffffff) $expires = time()+$expires; - setcookie("c_secure_uid", base64($id), $expires, "/", "", false, true); - setcookie("c_secure_pass", $passhash, $expires, "/", "", false, true); + setcookie("c_secure_uid", base64($id), $expires, "/", "", $ssl, true); + setcookie("c_secure_pass", $passhash, $expires, "/", "", $ssl, true); if($ssl) - setcookie("c_secure_ssl", base64("yeah"), $expires, "/", "", false, true); + setcookie("c_secure_ssl", base64("yeah"), $expires, "/", "", $ssl, true); else - setcookie("c_secure_ssl", base64("nope"), $expires, "/", "", false, true); + setcookie("c_secure_ssl", base64("nope"), $expires, "/", "", $ssl, true); if($trackerssl) - setcookie("c_secure_tracker_ssl", base64("yeah"), $expires, "/", "", false, true); + setcookie("c_secure_tracker_ssl", base64("yeah"), $expires, "/", "", $ssl, true); else - setcookie("c_secure_tracker_ssl", base64("nope"), $expires, "/", "", false, true); + setcookie("c_secure_tracker_ssl", base64("nope"), $expires, "/", "", $ssl, true); if ($securelogin) - setcookie("c_secure_login", base64("yeah"), $expires, "/", "", false, true); + setcookie("c_secure_login", base64("yeah"), $expires, "/", "", $ssl, true); else - setcookie("c_secure_login", base64("nope"), $expires, "/", "", false, true); + setcookie("c_secure_login", base64("nope"), $expires, "/", "", $ssl, true); if ($updatedb) diff --git a/public/confirm.php b/public/confirm.php index 0bfed73b..f2c8de9d 100644 --- a/public/confirm.php +++ b/public/confirm.php 
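Review bot: The cookies' Secure flag is now tied to `$ssl`, which elsewhere in this diff appears to come from the user's own opt-in (`$_POST["ssl"]`, the `c_secure_ssl` cookie) rather than from whether the connection is actually HTTPS, so on an HTTPS deployment with `$ssl` false, `c_secure_uid` and `c_secure_pass` — the session token — are still sent in clear to the same host over plain HTTP. Derive the flag from the request as well, `$secure = $ssl || !empty($_SERVER['HTTPS']);`, and since the cookie is a login credential set a SameSite attribute too, which `setcookie` only accepts through the options-array form (PHP 7.3+): `setcookie("c_secure_pass", $passhash, ['expires' => $expires, 'path' => '/', 'secure' => $secure, 'httponly' => true, 'samesite' => 'Lax']);`. `logincookie` starts and ends outside the hunk.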
@@ -32,13 +32,18 @@ if ($securelogin == "yes") { - $securelogin_indentity_cookie = true; - $passh = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]); + $securelogin_indentity_cookie = true; + /** + * Not IP related + * @since 1.8.0 + */ + // $passh = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]); + $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT)); } -else // when it's op, default is not use secure login +else // when it's op, default is not use secure login { - $securelogin_indentity_cookie = false; - $passh = md5($row["passhash"]); + $securelogin_indentity_cookie = false; + $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT)); } logincookie($id, $passh,1,get_setting('system.cookie_valid_days', 365) * 86400,$securelogin_indentity_cookie); //sessioncookie($row["id"], $passh,false); diff --git a/public/takelogin.php b/public/takelogin.php index ee3edcea..70283560 100644 --- a/public/takelogin.php +++ b/public/takelogin.php @@ -46,20 +46,20 @@ function bark($text = "") if (isset($_POST["securelogin"]) && $_POST["securelogin"] == "yes") { - $securelogin_indentity_cookie = true; + $securelogin_indentity_cookie = true; /** * Not IP related * @since 1.8.0 */ // $passh = md5($row["passhash"].$ip); - $passh = md5($row["passhash"]); - $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $passh"; + $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT)); + $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, password_hash: $passh"; } else { - $securelogin_indentity_cookie = false; - $passh = md5($row["passhash"]); - $log .= ", passhash: {$row['passhash']}, md5: $passh"; + $securelogin_indentity_cookie = false; + $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT)); + $log .= ", passhash: {$row['passhash']}, password_hash: $passh"; } if ($securelogin=='yes' || (isset($_POST["ssl"]) && $_POST["ssl"] == "yes")) 
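Review bot: In the takelogin.php hunk the rewritten `$log` lines in both branches still interpolate `{$row['passhash']}` and now also the new cookie token `$passh`, so a successful login writes the stored password hash and a valid bearer token to the log; anyone with log access can replay the token, and the passhash lets them mint new tokens offline. Drop both from the message, e.g. `$log .= ", secure login == yeah, ip: $ip";`. Both branches now compute the same `$passh`, so only `$securelogin_indentity_cookie` actually differs between them, and the same duplication appears in the confirm.php hunk above. The enclosing block starts and ends outside the hunk.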
diff --git a/public/usercp.php b/public/usercp.php index f7b7c999..54d29b87 100644 --- a/public/usercp.php +++ b/public/usercp.php @@ -770,16 +770,21 @@ function browsecheck($dbtable, $cbname, array &$result){ $updateset[] = "passhash = " . sqlesc($passhash); //die($securelogin . base64_decode($_COOKIE["c_secure_login"])); - if ($_COOKIE["c_secure_login"] == base64("yeah")) - { - $passh = md5($passhash . $_SERVER["REMOTE_ADDR"]); - $securelogin_indentity_cookie = true; - } - else - { - $passh = md5($passhash); - $securelogin_indentity_cookie = false; - } + if ($_COOKIE["c_secure_login"] == base64("yeah")) + { + /** + * Not IP related + * @since 1.8.0 + */ + // $passh = md5($passhash . $_SERVER["REMOTE_ADDR"]); + $passh = base64_encode(password_hash($passhash, PASSWORD_DEFAULT)); + $securelogin_indentity_cookie = true; + } + else + { + $passh = base64_encode(password_hash($passhash, PASSWORD_DEFAULT)); + $securelogin_indentity_cookie = false; + } if($_COOKIE["c_secure_ssl"] == base64("yeah")) $ssl = true;
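Review bot: The rebuilt if/else assigns the same `base64_encode(password_hash($passhash, PASSWORD_DEFAULT))` in both branches, so the only thing the `c_secure_login` cookie decides is `$securelogin_indentity_cookie`, while the kept-but-commented IP-bound line makes the "secure" branch look as if it still did something different. Reduce it to `$passh = base64_encode(password_hash($passhash, PASSWORD_DEFAULT));` followed by `$securelogin_indentity_cookie = ($_COOKIE["c_secure_login"] ?? '') === base64("yeah");`, which also replaces the loose `==` and avoids the undefined-index notice when the cookie is absent. The enclosing block starts and ends outside the hunk.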