Fix CSRF vulnerabilities

[sql-web.git] / login.php

diff --git a/login.php b/login.php
index f11e80ebb597a694827c5213e5aa8e1984e3edd1..32a4461b6db6726b133e3e93ec66888d85c2d1d8 100644 (file)
--- a/login.php
+++ b/login.php
@@ -1,4 +1,7 @@
 <?php
+/*
+       (c) 2005 Joe Presbrey
+*/
 
 require_once('mitsql.cfg.php');
 require_once('mitsql.lib.php');
@@ -9,23 +12,25 @@ if (isSSL()) {
        }
 }
 
-if (empty($err) && isPost()) {
-       
+if (isPost() && empty($err)) {
+
        if (isSSL()) {
-           $Login = new Login($SSLUsername);
-               $Login->update($SSLCred['Name'],$SSLCred['Email']);
-               sess('Login', $Login);
+               $Login = $LoginSSL;
        } else {
                $Login = new Login($i_u, $i_p);
-               if ($Login->exists() && !$Login->isEnabled()) {
-                       $err[] = 'Account not active. <a href="signup">Did you signup yet?</a>.';
-               } elseif (!$Login->exists()) {
-                       $err[] = 'Nonexistant account or invalid password.';
-               } elseif (!$Login->canLogin()) {
-                       $err[] = 'That account is no longer valid. Please contact the staff.';
-               } else {
-                       sess('Login', $Login);
-               }
+       }
+       
+       if ($Login->exists() && !$Login->isEnabled()) {
+               $err[] = 'Account not active.';
+       } elseif (!$Login->exists()) {
+               $err[] = 'Nonexistant account or invalid password.';
+       } elseif (!$Login->canLogin()) {
+               $err[] = 'That account is no longer valid. Please contact the staff (sql@mit.edu).';
+       }
+
+       if (empty($err)) {
+               sess('UserId', $Login->getUserId());
+               redirect('main?refresh');
        }
 
 }