My login.php is like below:
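<?php
// login.php: render the login form and issue a fresh anti-CSRF token that
// process-login.php compares against the value posted back with the form.
// NOTE(review): $_SESSION is written below, so the session must already be
// started — presumably inside bin/verify-user-logon.php; confirm.
header("Content-Type: text/html; charset=utf-8");
require_once('bin/verify-user-logon.php');
// set the session token
// The token is a secret, so it must come from a CSPRNG. uniqid()/microtime()
// are clock-derived and not suitable for that purpose; 32 random bytes give
// a 64-character hex string.
$_SESSION['sess_token'] = bin2hex(random_bytes(32));
// NOTE(review): a new token overwrites the previous one on every load of this
// page, so a form still open in an older tab will fail validation. If that
// matters, reuse the existing token (e.g. only set it when not already set).
?>
<form id="login_form" action="process-login.php" method="post">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['sess_token'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"/>
<table class="login">
<tr>
<td>
Email
</td>
<td>
<input type="text" name="email" id="email" class="textbox"/>
</td>
</tr>
<tr>
<td>
Password
</td>
<td>
<input type="password" name="password" id="password" class="textbox"/>
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" id="login" name="login" value="Login" style=""/>
</td>
</tr>
</table>
</form>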
<?php
// process-login.php: check the anti-CSRF token posted by login.php against
// the one stored in the session before continuing with the login itself.
// NOTE(review): $_SESSION is read below, so session_start() must already
// have run; it is not visible in this excerpt. Without it $session_token is
// always null and every request stops at the second check.
header('Content-type: text/html; charset=UTF-8');
header('Cache-Control: no-cache');
// Token from the hidden form field: client-controlled, treat as untrusted.
$post_token = isset($_POST['token'])?trim($_POST['token']):null;
// Token issued to this session by login.php.
$session_token = isset($_SESSION['sess_token'])?trim($_SESSION['sess_token']):null;
// NOTE(review): $error_log_content is assigned in each failure branch but
// not read in the visible code; presumably logged or shown further on — confirm.
if(empty($post_token)) {
$error_log_content = "Post token is null or empty" ;
} else if(empty($session_token)) {
$error_log_content = "Session token is null or empty" ;
// NOTE(review): strcasecmp() is a case-insensitive comparison that returns as
// soon as the strings differ. For comparing a secret, hash_equals($session_token,
// $post_token) is the usual choice: exact match, constant time.
} else if(strcasecmp($post_token, $session_token) != 0) {
$error_log_content = "Session token and post token is not the same";
} else {
// continue login
// NOTE(review): consider unsetting $_SESSION['sess_token'] at this point so
// a token can only be accepted once.
......................
}
?>Cheers,
Mark Thien