diff --git a/lib/user.class.php b/lib/user.class.php
index 28ba5fc..8f5383c 100644
--- a/lib/user.class.php
+++ b/lib/user.class.php
@@ -82,34 +82,44 @@
 // any users?
 if ($user_counter>0) {
 // compare passwords
- if(!strcmp(md5($user_pass), $users[0]['user_pass'])) {
- // all ok: user is logged in, register session data
- $_SESSION['suser_id'] = $users[0]['user_id'];
- $_SESSION['suser_displayname'] = $users[0]['user_displayname'];
- $_SESSION['suser_language'] = $users[0]['user_language'];
- $_SESSION['suser_imagesize'] = $users[0]['user_imagesize'];
- $_SESSION['suser_imagecount'] = $users[0]['user_imagecount'];
- $_SESSION['suser_mac'] = $users[0]['user_mac'];
- $_SESSION['suser_dateformat'] = $users[0]['user_dateformat'];
- $_SESSION['suser_dns1suffix'] = $users[0]['user_dns1suffix'];
- $_SESSION['suser_dns2suffix'] = $users[0]['user_dns2suffix'];
- $_SESSION['suser_menu_assets'] = $users[0]['user_menu_assets'];
- $_SESSION['suser_menu_assetclasses'] = $users[0]['user_menu_assetclasses'];
- $_SESSION['suser_menu_assetclassgroups'] = $users[0]['user_menu_assetclassgroups'];
- $_SESSION['suser_menu_locations'] = $users[0]['user_menu_locations'];
- $_SESSION['suser_menu_nodes'] = $users[0]['user_menu_nodes'];
- $_SESSION['suser_menu_subnets'] = $users[0]['user_menu_subnets'];
- $_SESSION['suser_menu_users'] = $users[0]['user_menu_users'];
- $_SESSION['suser_menu_vlans'] = $users[0]['user_menu_vlans'];
- $_SESSION['suser_menu_zones'] = $users[0]['user_menu_zones'];
- $_SESSION['suser_tooltips'] = $users[0]['user_tooltips'];
+ if(!strcmp(md5($user_pass), rtrim($users[0]['user_pass']))) {
+ // all ok: user is logged in
+
+ // md5 match but outdated. rewrite with new algo
+ $newhash = password_hash($user_pass, PASSWORD_BCRYPT);
+ $query = "UPDATE user SET user_pass='" . $newhash. "' WHERE user_id=" . $users[0]['user_id'];
+ $db->db_update($query);
+ } else {
- return FALSE;
+ if (! password_verify($user_pass, $users[0]['user_pass'])) {
+ return FALSE;
+ }
 }
 } else {
 return FALSE;
 }
+ // register session data
+ $_SESSION['suser_id'] = $users[0]['user_id'];
+ $_SESSION['suser_displayname'] = $users[0]['user_displayname'];
+ $_SESSION['suser_language'] = $users[0]['user_language'];
+ $_SESSION['suser_imagesize'] = $users[0]['user_imagesize'];
+ $_SESSION['suser_imagecount'] = $users[0]['user_imagecount'];
+ $_SESSION['suser_mac'] = $users[0]['user_mac'];
+ $_SESSION['suser_dateformat'] = $users[0]['user_dateformat'];
+ $_SESSION['suser_dns1suffix'] = $users[0]['user_dns1suffix'];
+ $_SESSION['suser_dns2suffix'] = $users[0]['user_dns2suffix'];
+ $_SESSION['suser_menu_assets'] = $users[0]['user_menu_assets'];
+ $_SESSION['suser_menu_assetclasses'] = $users[0]['user_menu_assetclasses'];
+ $_SESSION['suser_menu_assetclassgroups'] = $users[0]['user_menu_assetclassgroups'];
+ $_SESSION['suser_menu_locations'] = $users[0]['user_menu_locations'];
+ $_SESSION['suser_menu_nodes'] = $users[0]['user_menu_nodes'];
+ $_SESSION['suser_menu_subnets'] = $users[0]['user_menu_subnets'];
+ $_SESSION['suser_menu_users'] = $users[0]['user_menu_users'];
+ $_SESSION['suser_menu_vlans'] = $users[0]['user_menu_vlans'];
+ $_SESSION['suser_menu_zones'] = $users[0]['user_menu_zones'];
+ $_SESSION['suser_tooltips'] = $users[0]['user_tooltips'];
+
 // no errors found, return
 return TRUE;
 }
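Review bot: The rehash branch builds its UPDATE by string concatenation (`$query = "UPDATE user SET user_pass='" . $newhash. "' WHERE user_id=" . $users[0]['user_id'];`); both values appear to come from password_hash() and from the already-loaded user row rather than from the request, so this is not directly injectable, but it is the same interpolation pattern that is unsafe everywhere else in a login path and it should use whatever placeholder or prepared form `$db->db_update()` supports, or at minimum `(int) $users[0]['user_id']` for the id. The legacy check still compares with `!strcmp(md5($user_pass), rtrim(...))`, which is not constant-time; `hash_equals(rtrim($users[0]['user_pass']), md5($user_pass))` keeps the same truth table. The else branch passes the untrimmed column to password_verify() while the md5 branch trims it, so a space-padded column would presumably fail verification for already-migrated users — apply the same `rtrim()` in both places. Session data is registered on success without `session_regenerate_id(true)` first, so the pre-login session id stays in use after authentication. The enclosing method starts before the hunk.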