onenav/controller/login.php

<?php
/**
 * 登录入口
 */

// 载入辅助函数
require('functions/helper.php');
// 检查明文密码
unSafe();

$username = $site_setting['user'];
// 加密后的密码
$password = ENCRYPTED_PASSWORD;
$ip = getIP();
//如果认证通过，直接跳转到后台管理
$key = md5($username.$password.'onenav'.$_SERVER['HTTP_USER_AGENT']);
//获取cookie
$cookie = $_COOKIE['key'];

//获取版本号
$version = new_get_version();

//如果已经登录，直接跳转
if( is_login() ){
    header('location:index.php?c=admin');
    exit;
}

//登录检查
if( $_GET['check'] == 'login' ) {
    $user = trim($_POST['user']);
    $pass = trim($_POST['password']);
    // 用户密码进行加密处理，加密算法为用户名 + 密码，再进行MD5加密
    $pass = md5($user.$pass);
    header('Content-Type:application/json; charset=utf-8');
    if( ($user === $username) && ($pass === $password) ) {
        $key = md5($username.$password.'onenav'.$_SERVER['HTTP_USER_AGENT']);
        //开启httponly支持
        setcookie("key", $key, time()+30 * 24 * 60 * 60,"/",NULL,false,TRUE);
        $data = [
            'code'      =>  0,
            'msg'   =>  'successful'
        ];
    }
    else{
        $data = [
            'code'      =>  -1012,
            'err_msg'   =>  '用户名或密码错误！'
        ];
        
        
    }
    exit(json_encode($data));
}
//如果cookie的值和计算的key不一致，则没有权限


// if ( ($_SERVER['PHP_AUTH_PW'] !== $password) || ($_SERVER['PHP_AUTH_USER'] !== $username) ){
//     header('WWW-Authenticate: Basic realm="Please verify."');
//     header('HTTP/1.0 401 Unauthorized');
//     exit("<h2>认证失败！</h2>");
// }
// else{
    
//     $key = md5($username.$password.$ip.'onenav');
//     //设置cookie
//     setcookie("key", $key, time()+7 * 24 * 60 * 60,"/");
//     header('location:index.php?c=admin');
// }


// 载入后台登录模板
require('templates/admin/login.php');
beta 0.9.1 4 years ago			`<?php`
			`/**`
			`* 登录入口`
			`*/`
0.9.21 3 years ago
			`// 载入辅助函数`
			`require('functions/helper.php');`
update 3 months ago			`// 检查明文密码`
			`unSafe();`
0.9.21 3 years ago
beta 0.9.1 4 years ago			`$username = $site_setting['user'];`
20241210 3 months ago			`// 加密后的密码`
			`$password = ENCRYPTED_PASSWORD;`
beta 0.9.1 4 years ago			`$ip = getIP();`
			`//如果认证通过，直接跳转到后台管理`
0.9.21 3 years ago			`$key = md5($username.$password.'onenav'.$_SERVER['HTTP_USER_AGENT']);`
beta 0.9.1 4 years ago			`//获取cookie`
			`$cookie = $_COOKIE['key'];`

add file 3 years ago			`//获取版本号`
			`$version = new_get_version();`

beta 0.9.1 4 years ago			`//如果已经登录，直接跳转`
0.9.21 3 years ago			`if( is_login() ){`
beta 0.9.1 4 years ago			`header('location:index.php?c=admin');`
			`exit;`
			`}`

			`//登录检查`
			`if( $_GET['check'] == 'login' ) {`
20241210 3 months ago			`$user = trim($_POST['user']);`
			`$pass = trim($_POST['password']);`
			`// 用户密码进行加密处理，加密算法为用户名 + 密码，再进行MD5加密`
			`$pass = md5($user.$pass);`
beta 0.9.1 4 years ago			`header('Content-Type:application/json; charset=utf-8');`
修复登录漏洞 3 years ago			`if( ($user === $username) && ($pass === $password) ) {`
0.9.21 3 years ago			`$key = md5($username.$password.'onenav'.$_SERVER['HTTP_USER_AGENT']);`
20220304 3 years ago			`//开启httponly支持`
			`setcookie("key", $key, time()+30 * 24 * 60 * 60,"/",NULL,false,TRUE);`
beta 0.9.1 4 years ago			`$data = [`
			`'code' => 0,`
			`'msg' => 'successful'`
			`];`
			`}`
			`else{`
			`$data = [`
			`'code' => -1012,`
			`'err_msg' => '用户名或密码错误！'`
			`];`


			`}`
			`exit(json_encode($data));`
			`}`
			`//如果cookie的值和计算的key不一致，则没有权限`


			`// if ( ($_SERVER['PHP_AUTH_PW'] !== $password) \|\| ($_SERVER['PHP_AUTH_USER'] !== $username) ){`
			`// header('WWW-Authenticate: Basic realm="Please verify."');`
			`// header('HTTP/1.0 401 Unauthorized');`
			`// exit("<h2>认证失败！</h2>");`
			`// }`
			`// else{`

			`// $key = md5($username.$password.$ip.'onenav');`
			`// //设置cookie`
			`// setcookie("key", $key, time()+7 * 24 * 60 * 60,"/");`
			`// header('location:index.php?c=admin');`
			`// }`


			`// 载入后台登录模板`
			`require('templates/admin/login.php');`