
Commit 06a1ff4

authored
Merge pull request hestiacp#1136 from hestiacp/fix/2020-09-fix_delete_post_on_session_mismatch
Delete POST/GET/SESSION data on session token mismatch
2 parents 9cd0fa5 + c8833f0 commit 06a1ff4


1 file changed

+9
-2
lines changed


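--- a/web/login/index.php
+++ b/web/login/index.php
@@ -98,7 +98,7 @@ function authenticate_user(){
 if ($data[$_POST['user']]['TWOFA'] != '') {
 if (empty($_POST['twofa'])){
 return false;
-}else{
+} else {
 $v_twofa = $_POST['twofa'];
 exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
 unset($output);
@@ -148,6 +148,13 @@ function authenticate_user(){
 }
 }
 }
+} else {
+unset($_POST);
+unset($_GET);
+unset($_SESSION);
+session_destroy();
+session_start();
+return false;
 }
 }
 
@@ -190,4 +197,4 @@ function authenticate_user(){
 } else {
 require_once('../templates/login.html');
 }
-?>
+?>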
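Review bot: The request-supplied 2FA value reaches the shell unquoted in the first hunk, where `$v_twofa = $_POST['twofa'];` is concatenated straight into the `exec()` call for `v-check-user-2fa`; the commit only reformats the `else` above it. Quote it at assignment with `$v_twofa = escapeshellarg($_POST['twofa']);`, and confirm that `$v_user` is quoted where it is assigned, which is outside the visible lines. In the added `else` branch (the token-mismatch path, going by the commit title), `unset($_SESSION)` is the form the PHP manual warns against, and `session_destroy(); session_start();` leaves the session cookie in place, so the same session id may be picked up again; `$_SESSION = [];` before the destroy and `session_regenerate_id(true);` after `session_start()` would reset the state more reliably. `authenticate_user()` begins and ends outside these hunks, so the condition guarding the new branch could not be checked here.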
