source: branches/rel/html/admin/login.php @ 14991

Revision 14991, 2.3 KB checked in by adati, 15 years ago (diff)

CSRF対策:ログイン時にuniqidをセッションにセットするように修正

1<?php
2/*
3 * Copyright(c) 2000-2007 LOCKON CO.,LTD. All Rights Reserved.
4 *
5 * http://www.lockon.co.jp/
6 */
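require_once("./require.php");

$conn = new SC_DBConn();

$osess = new SC_Session();
$ret = false;

// Input check: both credentials must be present and non-empty before a DB
// lookup is attempted. isset() avoids an undefined-index notice when a field is
// missing, and square-bracket access replaces the curly-brace form, which is
// removed in PHP 8.
$login_id = isset($_POST['login_id']) ? $_POST['login_id'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
if (strlen($login_id) > 0 && strlen($password) > 0) {
    // Compare the submitted password against the stored hash.
    $ret = fnCheckPassword($conn);
}

if ($ret) {
    // Success: go to the admin home page.
    header("Location: " . URL_HOME);
    exit;
} else {
    // Failure (missing input or bad credentials): show the login error page.
    // The same error is shown in both cases, so the response does not reveal
    // whether the login_id exists.
    sfDispError(LOGIN_ERROR);
    exit;
}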
29
30/* ǧ¾Ú¥Ñ¥¹¥ï¡¼¥É¤ÎȽÄê */
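/* Check the submitted password against the stored hash for the submitted login_id.
 * Returns true (and registers the session) on a match, false otherwise. */
function fnCheckPassword($conn) {
    $sql = "SELECT member_id, password, authority, login_date, name FROM dtb_member WHERE login_id = ? AND del_flg <> 1 AND work = 1";
    // login_id is passed as a bound parameter, never concatenated into the SQL.
    $arrcol = array ($_POST['login_id']);
    // Fetch the stored (hashed) password from the DB.
    $data_list = $conn->getAll($sql ,$arrcol);
    // Unknown or inactive login_id: no row to compare against. Log the same
    // message as for a wrong password so the log/response does not distinguish
    // the two cases.
    if (empty($data_list)) {
        gfPrintLog($_POST['login_id'] . " password incorrect.");
        return false;
    }
    // Stored password hash.
    $password = $data_list[0]['password'];
    // Hash the user-supplied password the same way the stored value was
    // produced: unsalted sha1 with the fixed AUTH_MAGIC suffix. This is a weak
    // legacy scheme but is kept because existing rows were stored this way.
    $ret = sha1($_POST['password'] . ":" . AUTH_MAGIC);

    // Strict comparison: with `==`, two hex digests of the form "0e<digits>"
    // compare equal as numbers, so unrelated hashes could match. A constant-time
    // compare (hash_equals, PHP >= 5.6) would be preferable where available.
    if ($ret === $password) {
        // Register the authenticated session.
        fnSetLoginSession($data_list[0]['member_id'], $data_list[0]['authority'], $data_list[0]['login_date'], $data_list[0]['name']);
        // Record the login timestamp.
        fnSetLoginDate();
        return true;
    }

    // Wrong password.
    gfPrintLog($_POST['login_id'] . " password incorrect.");
    return false;
}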
53
54/* ǧ¾Ú¥»¥Ã¥·¥ç¥ó¤ÎÅÐÏ¿ */
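/* Register the authenticated session for a member who has just logged in. */
function fnSetLoginSession($member_id,$authority,$login_date, $login_name = '') {
    global $osess;
    // Mark the session as authenticated and record who is logged in.
    // Square-bracket access replaces the curly-brace form, which is removed in PHP 8.
    $osess->SetSession('cert', CERT_STRING);
    $osess->SetSession('login_id', $_POST['login_id']);
    $osess->SetSession('authority', $authority);
    $osess->SetSession('member_id', $member_id);
    $osess->SetSession('login_name', $login_name);
    // Per-login token stored for CSRF checks elsewhere (per this revision's note).
    $osess->SetSession('uniqid', $osess->getUniqId());

    // Previous login timestamp; a first login falls back to the current time.
    if(strlen($login_date) > 0) {
        $osess->SetSession('last_login', $login_date);
    } else {
        $osess->SetSession('last_login', date("Y-m-d H:i:s"));
    }
    // NOTE(review): the session id is carried over from the unauthenticated
    // state; regenerating it at this privilege change (session_regenerate_id(true))
    // before it is read and logged would close session fixation — confirm
    // SC_Session does not cache the SID before adding it. Logging the SID also
    // puts a live credential into the log file; consider logging only a prefix.
    $sid = $osess->GetSID();
    // Audit line for the successful login.
    gfPrintLog("login : user=".$_SESSION['login_id']." auth=".$_SESSION['authority']." lastlogin=". $_SESSION['last_login'] ." sid=".$sid);
}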
74
75/* ¥í¥°¥¤¥óÆü»þ¤Î¹¹¿· */
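/* Update the member's login_date to the current time. */
function fnSetLoginDate() {
    global $osess;
    $oquery = new SC_Query();
    $sqlval = array();
    $sqlval['login_date'] = date("Y-m-d H:i:s");
    // member_id was placed in the session from the dtb_member row at login,
    // so it is not user-controlled, but it is still concatenated into the WHERE
    // clause. NOTE(review): bind it (or cast it to int) if SC_Query::update
    // supports a parameterised where — confirm the signature of this version.
    $member_id = $osess->GetSession('member_id');
    $where = "member_id = " . $member_id;
    // The return value of update() is not checked here; the login proceeds
    // regardless of whether the timestamp write succeeded.
    $oquery->update("dtb_member", $sqlval, $where);
}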
84?>