* add CSRF protection to xhr requests

* force ORM to use SQLITE WAL * add .editorconfig * cleanup a few things
author: Andrew Dolgov <[email protected]> 2021-03-14 14:17:18 +0300
committer: Andrew Dolgov <[email protected]> 2021-03-14 14:17:18 +0300
commit: 1c9afba5f058adace5e005b51fc533882f9af0fa (patch)
tree: 99f4a228acf9f969d5411048c210338ba0fd126a /login.php
parent: 2b8b845abe7c13ecbb266613910484310cffe8e1 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/login.php b/login.php
index 76f7a7f..37bed4b 100644
--- a/login.php
+++ b/login.php
@@ -28,6 +28,7 @@
 
 			$_SESSION["owner"] = $username;
 			$_SESSION["pass_hash"] = sha1($user->pass);
+			$_SESSION["csrf_token"] = bin2hex(random_bytes(16));
 
 			header("Location: index.php");
 			exit;
@@ -35,6 +36,8 @@
 		} else {
 			$login_notice = "Incorrect username or password";
 		}
+	} else {
+		logout_user();
 	}
 ?>
 <!DOCTYPE html>
author	Andrew Dolgov <[email protected]>	2021-03-14 14:17:18 +0300
committer	Andrew Dolgov <[email protected]>	2021-03-14 14:17:18 +0300
commit	1c9afba5f058adace5e005b51fc533882f9af0fa (patch)
tree	99f4a228acf9f969d5411048c210338ba0fd126a /login.php
parent	2b8b845abe7c13ecbb266613910484310cffe8e1 (diff)