force login over https.

This commit is contained in:
Louis Vallat 2019-11-11 13:51:40 +01:00
parent fe1d13d28b
commit 7cc6afb56c
2 changed files with 18 additions and 10 deletions


@ -25,11 +25,11 @@ function connect_user($user_id, $long_expiration = true)
{
global $PDO, $SESSION_COOKIE_NAME, $MAX_COOKIE_LIFE;
// Set an expiration delay for the cookie
$delay = 86400;
if ($long_expiration === true) {
$delay = $MAX_COOKIE_LIFE;
}
// Set the session max lifespan
$delay = $long_expiration === true ? $MAX_COOKIE_LIFE : 86400;
// Set the cookie lifespan
$cookie_life = $long_expiration === true ? time() + $MAX_COOKIE_LIFE : 0;
// The session id is a 32-chars random string
$session_id = generate_random_string();
@ -50,8 +50,11 @@ function connect_user($user_id, $long_expiration = true)
return setcookie(
$SESSION_COOKIE_NAME,
$session_id,
time() + $delay,
$secure = true
$cookie_life,
"",
"",
true,
false
);
}
return false;
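Review bot: The new setcookie() call in the second hunk passes `false` as the last (httponly) argument, so the session id in `$SESSION_COOKIE_NAME` stays readable by any script running on the page even though the cookie is now marked secure; a session identifier should not be exposed that way, so change the final argument to `true,` and, on PHP 7.3+, consider the options-array form of setcookie() so a `samesite` attribute can be set as well. The replaced `$secure = true` line was an assignment used as an argument, so the explicit `"", "", true, false` list is an improvement, but a comment naming the positional arguments (`// expires, path, domain, secure, httponly`) would keep the next edit from repeating that mistake. In the first hunk `$delay` is no longer used for the cookie expiry; it presumably feeds the session lifespan stored outside the hunk, which is worth confirming. connect_user's signature and the earlier part of its body are outside the hunks.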


@ -34,9 +34,14 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Check if username exists, if yes then verify password
if (get_username_count($username) == 1) {
if (correct_email_password($username, $password)) {
if (is_https()) {
connect_user(get_user_id_from_email($username), false);
// Redirect user to welcome page
header("location: welcome.php");
} else {
$username_err = "Please use HTTPS.";
}
} else {
// Display an error message if password is not valid
$username_err = "Invalid Username/Password.";