Many fixes for security.

includes/login.php

@@ -1,6 +1,5 @@
 <?php
 require_once 'initdb.php';
-
 session_start();
 
 // Function to check user credentials
@@ -17,13 +16,42 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) {
     $password = $_POST['password'];
 
     if (checkCredentials($username, $password, $pdo)) {
+        // Regenerate session ID upon successful login
+        session_regenerate_id();
+
         $_SESSION['username'] = $username;
+        $_SESSION['last_activity'] = time(); // track start of session
+        $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR']; // store user IP
+        $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT']; // store user agent
+
         header("Location: /?page=user_domains");
         exit;
     } else {
         $error = "Invalid username or password.";
     }
 }
+
+// Session timeout logic
+$timeout = 1800; // 30 minutes in seconds
+if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
+    // last request was more than 30 minutes ago
+    session_unset(); // unset $_SESSION variable
+    session_destroy(); // destroy session data
+    header("Location: /?page=login"); // redirect to login page
+    exit;
+}
+
+$_SESSION['last_activity'] = time(); // update last activity time
+
+// Check if user IP or user agent has changed
+if (isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR'] ||
+    isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT']) {
+    session_unset();
+    session_destroy();
+    header("Location: /?page=login");
+    exit;
+}
+
 ?>
 
 <!DOCTYPE html>
@@ -50,4 +78,4 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) {
         <p><?php echo $error; ?></p>
     <?php endif; ?>
 </body>
-</html>
+</html>