2.11.18 Preparing for mandatory logins

src/edit-account-profile.php

@@ -1,26 +1,27 @@
 <?php
-    require_once (__SITE_ROOT__.'/classes/CSRFTokenHandler.php');
+    require_once __SITE_ROOT__.'/classes/CSRFTokenHandler.php';
     $lCSRFTokenHandler = new CSRFTokenHandler($_SESSION["security-level"], "edit-account-profile");
 
     switch ($_SESSION["security-level"]){
+		default: // Default case: This code is insecure
         case "0": // This code is insecure
             // DO NOTHING: This is equivalent to using client side security
-            $lEnableJavaScriptValidation = FALSE;
-            $lEnableHTMLControls = FALSE;
-            $lProtectAgainstMethodTampering = FALSE;
-            $lProtectAgainstIDOR = FALSE;
-            $lProtectAgainstPasswordLeakage = FALSE;
-            $lEncodeOutput = FALSE;
+            $lEnableJavaScriptValidation = false;
+            $lEnableHTMLControls = false;
+            $lProtectAgainstMethodTampering = false;
+            $lProtectAgainstIDOR = false;
+            $lProtectAgainstPasswordLeakage = false;
+            $lEncodeOutput = false;
             break;
 
         case "1": // This code is insecure
             // DO NOTHING: This is equivalent to using client side security
-            $lEnableJavaScriptValidation = TRUE;
-            $lEnableHTMLControls = TRUE;
-            $lProtectAgainstMethodTampering = FALSE;
-            $lProtectAgainstIDOR = FALSE;
-            $lProtectAgainstPasswordLeakage = FALSE;
-            $lEncodeOutput = FALSE;
+            $lEnableJavaScriptValidation = true;
+            $lEnableHTMLControls = true;
+            $lProtectAgainstMethodTampering = false;
+            $lProtectAgainstIDOR = false;
+            $lProtectAgainstPasswordLeakage = false;
+            $lEncodeOutput = false;
             break;
 
         case "2":
@@ -31,12 +32,12 @@
              * Concerning SQL Injection, use parameterized stored procedures. Parameterized
              * queries is not good enough. You cannot use least privilege with queries.
              */
-            $lEnableJavaScriptValidation = TRUE;
-            $lEnableHTMLControls = TRUE;
-            $lProtectAgainstMethodTampering = TRUE;
-            $lProtectAgainstIDOR = TRUE;
-            $lProtectAgainstPasswordLeakage = TRUE;
-            $lEncodeOutput = TRUE;
+            $lEnableJavaScriptValidation = true;
+            $lEnableHTMLControls = true;
+            $lProtectAgainstMethodTampering = true;
+            $lProtectAgainstIDOR = true;
+            $lProtectAgainstPasswordLeakage = true;
+            $lEncodeOutput = true;
             break;
     }// end switch
 
@@ -46,14 +47,14 @@
 
 <div class="page-title">Edit Profile</div>
 
-<?php include_once (__SITE_ROOT__.'/includes/back-button.inc');?>
-<?php include_once (__SITE_ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
+<?php include_once __SITE_ROOT__.'/includes/back-button.inc';?>
+<?php include_once __SITE_ROOT__.'/includes/hints/hints-menu-wrapper.inc'; ?>
 
 <?php
 
 	if ($lFormSubmitted){
 
-		try {					
+		try {
 			$lValidationFailed = false;
 
 	   		if ($lProtectAgainstMethodTampering) {
@@ -84,16 +85,16 @@
 			}// end if
 
 		   	if (strlen($lUsername) == 0) {
-		   		$lValidationFailed = TRUE;
+		   		$lValidationFailed = true;
 				echo '<h2 class="error-message">Username cannot be blank</h2>';
 		   	}// end if
 
 		   	if ($lPassword != $lConfirmedPassword ) {
-				$lValidationFailed = TRUE;
+				$lValidationFailed = true;
 		   		echo '<h2 class="error-message">Passwords do not match</h2>';
 		   	}// end if
 
-		   	if (!$lValidationFailed){					
+		   	if (!$lValidationFailed){
 		   		$lRowsAffected = $SQLQueryHandler->updateUserAccount($lUsername, $lPassword, $lUserSignature);
 				echo '<div class="success-message">Profile updated for ' . $lUsernameText . '</div>';
 				$LogHandler->writeToLog("Profile updated for: " . $lUsername);
@@ -110,7 +111,7 @@
 	    if(isset($_SESSION['uid'])){
 	       $lUserUID = $_SESSION['uid'];
 	    }else{
-	        $lUserUID = NULL;
+			$lUserUID = null;
 	    } // if isset
 	}else{
 	    if(isset($_REQUEST['uid'])){
@@ -119,7 +120,7 @@
 	        if(isset($_COOKIE['uid'])){
 	            $lUserUID = $_COOKIE['uid'];
 	        }else{
-	            $lUserUID = NULL;
+				$lUserUID = null;
 	        } // if isset
 	    } // if isset
 	} // $lProtectAgainstIDOR
@@ -129,17 +130,15 @@
 	$lUsername = "";
 	$lPassword = "";
 	$lSignature = "";
-	$lResultsFound = FALSE;
+	$lResultsFound = false;
 
 	if($lUserLoggedIn){
 	    try {
 	           $lQueryResult = $SQLQueryHandler->getUserAccountByID($lUserUID);
 	           $LogHandler->writeToLog("Got account with UID : " . $lUserUID);
 
 	           if (isset($lQueryResult->num_rows)){
-	               if ($lQueryResult->num_rows > 0) {
-	                   $lResultsFound = TRUE;
-	               }//end if
+				   $lResultsFound = $lQueryResult->num_rows > 0;
 	           }//end if
 
 	           if($lResultsFound){
@@ -294,7 +293,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 				Dont have an account? <a href="index.php?page=register.php">Please register here</a>
 			</td>
 		</tr>
-	</table>	
+	</table>
 </div>
 
 <script>
@@ -312,4 +311,4 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 	if ($lFormSubmitted) {
 		echo $lCSRFTokenHandler->generateCSRFHTMLReport();
 	}// end if
-?>
+?>

src/includes/constants.php

@@ -2,7 +2,7 @@
 	/* ------------------------------------------
 	 * @VERSION
 	 * ------------------------------------------*/
-	$C_VERSION = "2.11.17";
+	$C_VERSION = "2.11.18";
 	$C_VERSION_STRING = "Version: " . $C_VERSION;
 	$C_MAX_HINT_LEVEL = 1;
 

src/includes/header.php

@@ -18,13 +18,13 @@
             break;
     }// end switch
 
-	if($_SESSION['loggedin'] == "True"){
+	if($_SESSION["user_is_logged_in"] == "True"){
 
 	    switch ($lSecurityLevel){
 	   		case "0": // This code is insecure
 	   		case "1": // This code is insecure
 	   			// DO NOTHING: This is equivalent to using client side security
-				$logged_in_user = $_SESSION['logged_in_user'];
+				$logged_in_user = $_SESSION["logged_in_user"];
 			break;
 
 	   		case "2":
@@ -33,7 +33,7 @@
 	   		case "5": // This code is fairly secure
 	   			// encode the entire message following OWASP standards
 	   			// this is HTML encoding because we are outputting data into HTML
-				$logged_in_user = $Encoder->encodeForHTML($_SESSION['logged_in_user']);
+				$logged_in_user = $Encoder->encodeForHTML($_SESSION["logged_in_user"]);
 			break;
 	   	}// end switch
 
@@ -54,7 +54,7 @@
 	} else {
 		$logged_in_user = "anonymous";
 		$lAuthenticationStatusMessage = "Not Logged In";
-	}// end if($_SESSION['loggedin'] == "True")
+	}// end if($_SESSION["user_is_logged_in"] == "True")
 
 	if ($_SESSION["EnforceSSL"] == "True"){
 		$lEnforceSSLLabel = "Drop TLS";
@@ -109,7 +109,7 @@
 			<a href="index.php?page=home.php&popUpNotificationCode=HPH0">Home</a>
 			|
 			<?php
-				if ($_SESSION['loggedin'] == 'True'){
+				if ($_SESSION["user_is_logged_in"] == 'True'){
 					echo '<a href="index.php?do=logout">Logout</a>';
 				} else {
 					echo '<a href="index.php?page=login.php">Login/Register</a>';

src/includes/main-menu.php

@@ -1,6 +1,6 @@
 <?php
 	$lUserIDString = "";
-	if($_SESSION['loggedin'] == "True"){
+	if($_SESSION["user_is_logged_in"] == "True"){
 	    $lUserIDString = "&uid=" . $lUserID;
 	} //end if
 ?>

src/includes/process-commands.php

@@ -40,10 +40,10 @@ function logMessage($lMessage){
     	break;//case "toggle-enforce-ssl"
 
     	case "logout":
-    	    logMessage("Logout user: {$_SESSION['logged_in_user']} ({$_SESSION['uid']})");
-		    $_SESSION["loggedin"] = "False";
-		    $_SESSION['logged_in_user'] = '';
-		    $_SESSION['logged_in_usersignature'] = '';
+    	    logMessage("Logout user: {$_SESSION["logged_in_user"]} ({$_SESSION['uid']})");
+		    $_SESSION["user_is_logged_in"] = "False";
+		    $_SESSION["logged_in_user"] = '';
+		    $_SESSION["logged_in_user_signature"] = '';
 			$_SESSION['uid'] = '';
 			$_SESSION['is_admin'] = 'FALSE';
 
@@ -142,9 +142,9 @@ function logMessage($lMessage){
 
 		    /* If we have looped back around to security level 0,
 		     * show the hints again */
-		    if ($lSecurityLevel == 0){
-		    	$_SESSION["showhints"] = 1;
-		    	$_SESSION["hints-enabled"] = "Enabled";
+		    if ($lSecurityLevel == 0){
+		    	$_SESSION["showhints"] = 1;
+		    	$_SESSION["hints-enabled"] = "Enabled";
 
 		    	$l_cookie_options = array (
 		    	    'expires' => 0,              // 0 means session cookie
@@ -155,8 +155,8 @@ function logMessage($lMessage){
 		    	    'samesite' => 'Lax'          // None || Lax  || Strict
 		    	);
 		    	setcookie('showhints', "1", $l_cookie_options);
-
-		    }// end if
+
+		    }// end if
 
 		    /* Disable hints unless we are on security level 0.
 		     * There is a way to defeat this */

src/includes/process-login-attempt.php

@@ -6,13 +6,14 @@ function logLoginAttempt($lMessage){
 			$LogHandler->writeToLog($lMessage);
 		} catch (Exception $e) {
 			/*do nothing*/
-		};
-	};//end function logLoginAttempt
+		}
+	}//end function logLoginAttempt
 
     try {
 		$lQueryString = "";
     	switch ($_SESSION["security-level"]){
-	   		case "0": // This code is insecure
+			default: // Default case: This code is insecure
+			case "0": // This code is insecure
 	   		case "1": // This code is insecure
 				/*
 				 * Grab username and password from parameters.
@@ -23,8 +24,8 @@ function logLoginAttempt($lMessage){
 				 */
 				$lUsername = $_REQUEST["username"];
 				$lPassword = $_REQUEST["password"];
-	   			$lProtectCookies = FALSE;
-	   			$lConfidentialityRequired = FALSE;
+	   			$lProtectCookies = false;
+	   			$lConfidentialityRequired = false;
 	   		break;
 
 			case "2":
@@ -34,8 +35,8 @@ function logLoginAttempt($lMessage){
 	   			/* Restrict paramters to POST */
 				$lUsername = $_POST["username"];
 				$lPassword = $_POST["password"];
-	   			$lProtectCookies = TRUE;
-	   			$lConfidentialityRequired = TRUE;
+	   			$lProtectCookies = true;
+	   			$lConfidentialityRequired = true;
 	   		break;
 	   	}// end switch
 
@@ -48,8 +49,8 @@ function logLoginAttempt($lMessage){
 	   	$cUSERNAME_OR_PASSWORD_INCORRECT = 5;
 
 	   	$lAuthenticationAttemptResult = $cUNSURE;
-	   	$lAuthenticationAttemptResultFound = FALSE;
-	   	$lKeepGoing = TRUE;
+	   	$lAuthenticationAttemptResultFound = false;
+	   	$lKeepGoing = true;
 	   	$lQueryResult=NULL;
 
    		logLoginAttempt("User {$lUsername} attempting to authenticate");
@@ -60,36 +61,34 @@ function logLoginAttempt($lMessage){
    		    }else{
    		        $lAuthenticationAttemptResult = $cACCOUNT_DOES_NOT_EXIST;
    		    }// end if
-   			$lKeepGoing = FALSE;
+   			$lKeepGoing = false;
    			logLoginAttempt("Login Failed: Account {$lUsername} does not exist");
    		}// end if accountExists
 
-		if ($lKeepGoing){
-   			if (!$SQLQueryHandler->authenticateAccount($lUsername, $lPassword)){
-   			    if ($lConfidentialityRequired){
-   			        $lAuthenticationAttemptResult = $cUSERNAME_OR_PASSWORD_INCORRECT;
-   			    }else{
-   			        $lAuthenticationAttemptResult = $cPASSWORD_INCORRECT;
-   			    }// end if
-	   			$lKeepGoing = FALSE;
-	   			logLoginAttempt("Login Failed: Password for {$lUsername} incorrect");
-	   		}//end if authenticateAccount
-   		}//end if $lKeepGoing
-
+		if ($lKeepGoing && !$SQLQueryHandler->authenticateAccount($lUsername, $lPassword)){
+			if ($lConfidentialityRequired){
+				$lAuthenticationAttemptResult = $cUSERNAME_OR_PASSWORD_INCORRECT;
+			}else{
+				$lAuthenticationAttemptResult = $cPASSWORD_INCORRECT;
+			}// end if
+			$lKeepGoing = false;
+			logLoginAttempt("Login Failed: Password for {$lUsername} incorrect");
+		}//end if authenticateAccount
+
 		$lQueryResult = $SQLQueryHandler->getUserAccount($lUsername, $lPassword);
 
 		if (isset($lQueryResult->num_rows)){
    			if ($lQueryResult->num_rows > 0) {
-	   			$lAuthenticationAttemptResultFound = TRUE;
+	   			$lAuthenticationAttemptResultFound = true;
    			}//end if
 		}//end if
 
 		if ($lAuthenticationAttemptResultFound){
 			$lRecord = $lQueryResult->fetch_object();
-			$_SESSION['loggedin'] = 'True';
+			$_SESSION["user_is_logged_in"] = 'True';
 			$_SESSION['uid'] = $lRecord->cid;
-			$_SESSION['logged_in_user'] = $lRecord->username;
-			$_SESSION['logged_in_usersignature'] = $lRecord->mysignature;
+			$_SESSION["logged_in_user"] = $lRecord->username;
+			$_SESSION["logged_in_user_signature"] = $lRecord->mysignature;
 			$_SESSION['is_admin'] = $lRecord->is_admin;
 
    				/*
@@ -114,8 +113,8 @@ function logLoginAttempt($lMessage){
 				    'expires' => 0,              // 0 means session cookie
 				    'path' => '/',               // '/' means entire domain
 				    //'domain' => '.example.com', // default is current domain
-				    'secure' => FALSE,           // true or false
-				    'httponly' => TRUE,         // true or false
+				    'secure' => false,           // true or false
+				    'httponly' => true,         // true or false
 				    'samesite' => 'Strict'          // None || Lax  || Strict
 				);
 				setcookie("username", $lUsernameCookie, $l_cookie_options);
@@ -127,8 +126,8 @@ function logLoginAttempt($lMessage){
 				    'expires' => 0,              // 0 means session cookie
 				    'path' => '/',               // '/' means entire domain
 				    //'domain' => '.example.com', // default is current domain
-				    'secure' => FALSE,           // true or false
-				    'httponly' => FALSE,         // true or false
+				    'secure' => false,           // true or false
+				    'httponly' => false,         // true or false
 				    'samesite' => 'Lax'          // None || Lax  || Strict
 				);
 				setrawcookie("username", $lUsernameCookie, $l_cookie_options);
@@ -150,4 +149,4 @@ function logLoginAttempt($lMessage){
 		$lAuthenticationAttemptResult = $cAUTHENTICATION_EXCEPTION_OCCURED;
 	}// end try;
 
-?>
+?>