86400, 'cookie_secure' => $secure, 'cookie_httponly' => true, 'cookie_samesite' => 'Strict', 'use_strict_mode' => true, 'use_only_cookies' => true, 'cookie_path' => '/', 'gc_maxlifetime' => 1800 ]); } // Regenerate session ID periodically if (isset($_SESSION['last_regeneration']) && (time() - $_SESSION['last_regeneration']) > 300) { session_regenerate_id(true); $_SESSION['last_regeneration'] = time(); } elseif (!isset($_SESSION['last_regeneration'])) { $_SESSION['last_regeneration'] = time(); } // Already logged in check with validation if (isset($_SESSION['user_id']) && is_int($_SESSION['user_id']) && $_SESSION['user_id'] > 0) { // Regenerate to prevent session fixation session_regenerate_id(true); header('Location: ../dashboard.php'); exit(); } // Get real client IP (respecting proxies safely) $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? 'unknown'; $ip_address = filter_var($ip_address, FILTER_VALIDATE_IP) ? $ip_address : 'unknown'; // Rate limiting $max_attempts = 5; $lockout_time = 15 * 60; $errors = []; $attempts = 0; try { // Use hashed IP for privacy $hashedIp = hash('sha256', $ip_address); $stmt = $pdo->prepare(" SELECT COUNT(*) as attempts FROM login_attempts WHERE ip_hash = ? AND success = 0 AND created_at > DATE_SUB(NOW(), INTERVAL ? SECOND) "); $stmt->execute([$hashedIp, $lockout_time]); $attempts = (int)($stmt->fetch()['attempts'] ?? 0); } catch (PDOException $e) { error_log("Rate limit check failed: " . $e->getMessage()); } if ($attempts >= $max_attempts) { $errors[] = "Too many failed attempts. Please try again later."; http_response_code(429); } // CSRF token if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); $_SESSION['csrf_token_time'] = time(); } if ($_SERVER['REQUEST_METHOD'] === 'POST' && empty($errors)) { // Verify CSRF token with timing-safe comparison $token = $_POST['csrf_token'] ?? ''; if (!hash_equals($_SESSION['csrf_token'] ?? '', $token)) { $errors[] = "Security token invalid. Please refresh and try again."; http_response_code(403); } // Check token age if (!isset($_SESSION['csrf_token_time']) || (time() - $_SESSION['csrf_token_time']) > 86400) { $errors[] = "Session expired. Please refresh and try again."; } // Get and validate email $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); $password = $_POST['password'] ?? ''; $remember_me = filter_input(INPUT_POST, 'remember_me', FILTER_VALIDATE_BOOLEAN) ?? false; if (empty($email)) { $errors[] = "Please enter a valid email address."; } if (strlen($password) < 1 || strlen($password) > 128) { $errors[] = "Invalid password."; } if (empty($errors)) { try { // Fetch user with row lock to prevent race conditions $stmt = $pdo->prepare(" SELECT id, email, password_hash, first_name, email_verified, account_locked, failed_logins, last_failed_login FROM users WHERE email = ? LIMIT 1 "); $stmt->execute([$email]); $user = $stmt->fetch(); if (!$user || !password_verify($password, $user['password_hash'])) { // Log failed attempt with hashed IP $hashedIp = hash('sha256', $ip_address); $stmt = $pdo->prepare(" INSERT INTO login_attempts (ip_hash, email, success, created_at) VALUES (?, ?, 0, NOW()) "); $stmt->execute([$hashedIp, strtolower($email)]); // Increment failed login count on user record if ($user) { $stmt = $pdo->prepare(" UPDATE users SET failed_logins = failed_logins + 1, last_failed_login = NOW(), account_locked = CASE WHEN failed_logins >= 4 THEN 1 ELSE account_locked END WHERE id = ? "); $stmt->execute([$user['id']]); } // Generic error to prevent user enumeration $errors[] = "Invalid credentials."; usleep(random_int(100000, 300000)); // Timing attack mitigation goto end_login; } // Check account status if ($user['account_locked']) { $errors[] = "Account locked. Contact support."; goto end_login; } if (!$user['email_verified']) { $errors[] = "Please verify your email first."; $_SESSION['pending_verification_email'] = $user['email']; goto end_login; } // SUCCESS: Create session session_regenerate_id(true); $_SESSION['user_id'] = (int)$user['id']; $_SESSION['user_email'] = $user['email']; $_SESSION['user_first_name'] = htmlspecialchars($user['first_name'], ENT_QUOTES, 'UTF-8'); $_SESSION['verified'] = true; $_SESSION['last_activity'] = time(); $_SESSION['last_regeneration'] = time(); // Clear failed logins $stmt = $pdo->prepare("UPDATE users SET failed_logins = 0 WHERE id = ?"); $stmt->execute([$user['id']]); // Log success $hashedIp = hash('sha256', $ip_address); $stmt = $pdo->prepare(" INSERT INTO login_attempts (ip_hash, email, success, created_at) VALUES (?, ?, 1, NOW()) "); $stmt->execute([$hashedIp, strtolower($email)]); // Remember me if ($remember_me) { $selector = bin2hex(random_bytes(12)); $validator = bin2hex(random_bytes(32)); $tokenHash = hash('sha256', $validator); $expires = date('Y-m-d H:i:s', time() + 30 * 86400); // Store token $stmt = $pdo->prepare(" INSERT INTO remember_tokens (user_id, selector, token_hash, expires_at) VALUES (?, ?, ?, ?) "); $stmt->execute([$user['id'], $selector, $tokenHash, $expires]); // Set cookie with selector:validator format $cookieValue = base64_encode($selector . ':' . $validator); setcookie('remember', $cookieValue, [ 'expires' => time() + 30 * 86400, 'path' => '/', 'domain' => '', 'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', 'httponly' => true, 'samesite' => 'Strict' ]); } header('Location: ../dashboard.php'); exit(); } catch (PDOException $e) { error_log("Login error: " . $e->getMessage()); $errors[] = "System error. Please try again."; } } } end_login: // Only regenerate CSRF on GET or after failed POST to prevent fixation if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !empty($errors)) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); $_SESSION['csrf_token_time'] = time(); } // Regenerate CSRF token for new form $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); ?> Sign In | Unamused
unamused.

Sign in to your account

Access your orders, saved items, and preferences

Login failed

Forgot password?

Don't have an account? Sign up