iBNu Maksum
GitHub
commit
b32e2901af
@ -47,12 +47,11 @@ class Admin
|
||||
if (sha1("$tmp[0].$tmp[1].$db_pass") == $tmp[2]) {
|
||||
// Validate the token in the cookie
|
||||
$isValid = self::validateToken($tmp[0], $_COOKIE['aid']);
|
||||
if (!$isValid) {
|
||||
if (!empty($_COOKIE['aid']) && !$isValid) {
|
||||
self::removeCookie();
|
||||
_alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin");
|
||||
return 0;
|
||||
}
|
||||
|
||||
} else {
|
||||
if (time() - $tmp[1] < 86400 * 7) {
|
||||
$_SESSION['aid'] = $tmp[0];
|
||||
if ($enable_session_timeout) {
|
||||
@ -62,6 +61,7 @@ class Admin
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -77,13 +77,11 @@ class Admin
|
||||
|
||||
// Detect the current protocol
|
||||
$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
|
||||
$serverHost = $_SERVER['HTTP_HOST'];
|
||||
$app_stage = ($serverHost === 'localhost') ? '' : APP_URL;
|
||||
// Set cookie with security flags
|
||||
setcookie('aid', $token, [
|
||||
'expires' => time() + 86400 * 7, // 7 days
|
||||
'path' => '/',
|
||||
'domain' => $app_stage,
|
||||
'domain' => '',
|
||||
'secure' => $isSecure,
|
||||
'httponly' => true,
|
||||
'samesite' => 'Lax', // or Strict
|
||||
@ -108,12 +106,10 @@ class Admin
|
||||
global $_app_stage;
|
||||
if (isset($_COOKIE['aid'])) {
|
||||
$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
|
||||
$serverHost = $_SERVER['HTTP_HOST'];
|
||||
$app_stage = ($serverHost === 'localhost') ? '' : APP_URL;
|
||||
setcookie('aid', '', [
|
||||
'expires' => time() - 3600,
|
||||
'path' => '/',
|
||||
'domain' => $app_stage,
|
||||
'domain' => '',
|
||||
'secure' => $isSecure,
|
||||
'httponly' => true,
|
||||
'samesite' => 'Lax',
|
||||
|
||||
@ -18,11 +18,17 @@ switch ($action) {
|
||||
|
||||
case 'change-password':
|
||||
run_hook('customer_view_change_password'); #HOOK
|
||||
$csrf_token = Csrf::generateAndStoreToken();
|
||||
$ui->assign('csrf_token', $csrf_token);
|
||||
$ui->display('customer/change-password.tpl');
|
||||
break;
|
||||
|
||||
case 'change-password-post':
|
||||
$password = _post('password');
|
||||
$csrf_token = _post('csrf_token');
|
||||
if (!Csrf::check($csrf_token)) {
|
||||
r2(U . 'accounts/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
|
||||
}
|
||||
run_hook('customer_change_password'); #HOOK
|
||||
if ($password != '') {
|
||||
$d_pass = $user['password'];
|
||||
@ -67,9 +73,15 @@ switch ($action) {
|
||||
|
||||
case 'profile':
|
||||
run_hook('customer_view_edit_profile'); #HOOK
|
||||
$csrf_token = Csrf::generateAndStoreToken();
|
||||
$ui->assign('csrf_token', $csrf_token);
|
||||
$ui->display('customer/profile.tpl');
|
||||
break;
|
||||
case 'edit-profile-post':
|
||||
$csrf_token = _post('csrf_token');
|
||||
if (!Csrf::check($csrf_token)) {
|
||||
r2(U . 'accounts/profile', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
|
||||
}
|
||||
$fullname = _post('fullname');
|
||||
$address = _post('address');
|
||||
$email = _post('email');
|
||||
@ -100,11 +112,17 @@ switch ($action) {
|
||||
|
||||
|
||||
case 'phone-update':
|
||||
$csrf_token = Csrf::generateAndStoreToken();
|
||||
$ui->assign('csrf_token', $csrf_token);
|
||||
$ui->assign('new_phone', $_SESSION['new_phone']);
|
||||
$ui->display('customer/phone-update.tpl');
|
||||
break;
|
||||
|
||||
case 'phone-update-otp':
|
||||
$csrf_token = _post('csrf_token');
|
||||
if (!Csrf::check($csrf_token)) {
|
||||
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
|
||||
}
|
||||
$phone = Lang::phoneFormat(_post('phone'));
|
||||
$username = $user['username'];
|
||||
$otpPath = $CACHE_PATH . '/sms/';
|
||||
@ -152,6 +170,10 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'phone-update-post':
|
||||
$csrf_token = _post('csrf_token');
|
||||
if (!Csrf::check($csrf_token)) {
|
||||
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
|
||||
}
|
||||
$phone = Lang::phoneFormat(_post('phone'));
|
||||
$otp_code = _post('otp');
|
||||
$username = $user['username'];
|
||||
@ -210,10 +232,16 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'email-update':
|
||||
$csrf_token = Csrf::generateAndStoreToken();
|
||||
$ui->assign('csrf_token', $csrf_token);
|
||||
$ui->assign('new_email', $_SESSION['new_email']);
|
||||
$ui->display('customer/email-update.tpl');
|
||||
break;
|
||||
case 'email-update-otp':
|
||||
$csrf_token = _post('csrf_token');
|
||||
if (!Csrf::check($csrf_token)) {
|
||||
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
|
||||
}
|
||||
$email = trim(_post('email'));
|
||||
$username = $user['username'];
|
||||
$otpPath = $CACHE_PATH . '/email/';
|
||||
@ -255,6 +283,10 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'email-update-post':
|
||||
$csrf_token = _post('csrf_token');
|
||||
if (!Csrf::check($csrf_token)) {
|
||||
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
|
||||
}
|
||||
$email = trim(_post('email'));
|
||||
$otp_code = _post('otp');
|
||||
$username = $user['username'];
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
<div class="panel-heading">{Lang::T('Change Password')}</div>
|
||||
<div class="panel-body">
|
||||
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post">
|
||||
<input type="hidden" name="csrf_token" value="{$csrf_token}">
|
||||
<div class="form-group">
|
||||
<label class="col-md-2 control-label">{Lang::T('Current Password')}</label>
|
||||
<div class="col-md-6">
|
||||
|
||||
@ -19,6 +19,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<form method="post" role="form" action="{$_url}accounts/email-update-otp">
|
||||
<input type="hidden" name="csrf_token" value="{$csrf_token}">
|
||||
<div class="form-group">
|
||||
<label class="col-md-2 control-label">{Lang::T('New Email')}</label>
|
||||
<div class="col-md-6">
|
||||
@ -34,6 +35,7 @@
|
||||
</div>
|
||||
</form>
|
||||
<form method="post" role="form" action="{$_url}accounts/email-update-post">
|
||||
<input type="hidden" name="csrf_token" value="{$csrf_token}">
|
||||
<!-- Form 2 -->
|
||||
<div class="form-group">
|
||||
<label class="col-md-2 control-label">{Lang::T('OTP')}</label>
|
||||
|
||||
@ -19,6 +19,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<form method="post" role="form" action="{$_url}accounts/phone-update-otp">
|
||||
<input type="hidden" name="csrf_token" value="{$csrf_token}">
|
||||
<div class="form-group">
|
||||
<label class="col-md-2 control-label">{Lang::T('New Number')}</label>
|
||||
<div class="col-md-6">
|
||||
@ -34,6 +35,7 @@
|
||||
</div>
|
||||
</form>
|
||||
<form method="post" role="form" action="{$_url}accounts/phone-update-post">
|
||||
<input type="hidden" name="csrf_token" value="{$csrf_token}">
|
||||
<!-- Form 2 -->
|
||||
<div class="form-group">
|
||||
<label class="col-md-2 control-label">{Lang::T('OTP')}</label>
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
<div class="panel-heading">{Lang::T('Data Change')}</div>
|
||||
<div class="panel-body">
|
||||
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post">
|
||||
<input type="hidden" name="csrf_token" value="{$csrf_token}">
|
||||
<input type="hidden" name="id" value="{$_user['id']}">
|
||||
<div class="form-group">
|
||||
<label class="col-md-2 control-label">{Lang::T('Username')}</label>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user