[英]PHP and Active Directory Authentication allows wrong password
我正在與我們的內部站點綁定以使用Active Directory進行身份驗證。 但是,如果您輸入了錯誤的密碼並找到了用戶名,它將仍然允許身份驗證。 因此,基本上,這告訴我,實際上甚至不檢查密碼是否匹配。 有沒有辦法確保實際的身份驗證發生?
<?php session_start();
include '_includes/header.php';
// form defaults
$error['alert'] = '';
$error['user'] = '';
$error['pass'] = '';
$input['user'] = '';
$input['pass'] = '';
if(isset($_POST['submit']))
{
if($_POST['username'] == '' || $_POST['password'] == '')
{
if($_POST['username'] == '') { $error['user'] = 'required!'; }
if($_POST['password'] == '') { $error['pass'] = 'required!'; }
$error['alert'] = 'Please fill in the required fields';
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
include 'views/v_authentication.php';
}
else
{
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
$user = $input['user'] . '@domain.local';
$ldap = ldap_connect("name.of.ldap.server");
if($bind = ldap_bind($ldap, $user, $pass)) {
$_SESSION['id'] = $id;
$_SESSION['type'] = $type;
$_SESSION['username'] = $input['user'];
$_SESSION['last_active'] = time();
header('Location: index.php');
} else {
// username/password incorrect
$error['alert'] = "Username or password incorrect!";
include 'views/v_authentication.php';
}
}
}
else
{
// check for any variables within the URL
if (isset($_GET['unauthorized']))
{
$error['alert'] = 'Please login to view that page!';
}
if (isset($_GET['timeout']))
{
$error['alert'] = 'Your session has expired. Please log in again.';
}
// if the form hasn't been submitted, show form
include 'views/v_authentication.php';
}
$ldap->close();
?>
<?php include 'views/v_authentication.php'; ?>
<?php include '_includes/footer.php'; ?>
$ pass在上面的代碼中未定義,因此null傳遞給ldap_bind()。 根據文檔,這將嘗試進行匿名綁定,這在您的設置中似乎成功。 傳遞$ input ['pass']應該可以做到。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.