fixing some security issues and harderning service

2026-05-06 08:51:51 +02:00
parent 4d8ce1da43
commit 7ae7df0a11
30 changed files with 328 additions and 124 deletions
@@ -1,3 +1,20 @@
+<?php
+include "api/utils/security.php";
+include "api/utils/check_keepmeloggedin.php";
+secure_session_start();
+$_SESSION["end_url"]=normalize_redirect_target($_GET["send_to"] ?? "/account/");
+if (isset($_SESSION["logged_in"]) && $_SESSION["logged_in"] === true && !isset($_GET["donotsend"]) /*also check for keepmeloggedin here*/) {
+    header("LOCATION:/login/account_selector.php");
+    exit();
+}
+if(isset($_GET["donotsend"])){
+    delete_cookie("auth_token");
+}
+if(logmein()==="success"){
+    header("LOCATION:/login/account_selector.php");
+    exit();
+}
+?>
 <!DOCTYPE html>
 <html lang="en" data-bs-theme="dark">
 <head>
@@ -8,20 +25,6 @@
  <title>Jakach Login</title>
  <?php
 	include "assets/components.php";
-	include "api/utils/check_keepmeloggedin.php";
-	session_start();
-	$_SESSION["end_url"]=$_GET["send_to"];
-	if (isset($_SESSION["logged_in"]) && $_SESSION["logged_in"] === true && !isset($_GET["donotsend"]) /*also check for keepmeloggedin here*/) {
-	    header("LOCATION:/login/account_selector.php");
-	    exit();
-	}
-	if(isset($_GET["donotsend"])){
-		setcookie("auth_token", "", time() - 3600, "/");
-	}
-	if(logmein()==="success"){
-		header("LOCATION:/login/account_selector.php");
-	    	exit();
-	}
  ?>
 </head>
 <body>
@@ -135,4 +138,3 @@
 ?>
 </body>
 </html>
-