fixing some security issues and harderning service

2026-05-06 08:51:51 +02:00
parent 4d8ce1da43
commit 7ae7df0a11
30 changed files with 328 additions and 124 deletions
@@ -1,5 +1,7 @@
 <?php
-session_start();
+include "../utils/security.php";
+secure_session_start();
+require_same_origin_request();
 header('Content-Type: application/json');
 $send_to=$_SESSION["end_url"];

@@ -17,10 +19,11 @@ $twofa_secret="";
 mysqli_stmt_bind_result($stmt, $twofa_secret);
 mysqli_stmt_fetch($stmt);
 mysqli_stmt_close($stmt);
-$twofa_pin=$_POST["twofa_pin"];
+$twofa_pin=$_POST["twofa_pin"] ?? "";

-if(generateTOTP($twofa_secret)===$twofa_pin){
+if($twofa_secret !== "" && hash_equals(generateTOTP($twofa_secret), $twofa_pin)){
 	$_SESSION["mfa_authenticated"]=1;
+	session_regenerate_id(true);
 	$data = [
 		'status' => 'success'
 	];