0
我正在與內部站點綁定以使用Active Directory進行身份驗證。但是,如果您輸入錯誤的密碼並且找到用戶名,它仍然會允許進行身份驗證。所以基本上這是告訴我,它甚至不檢查密碼是否匹配。有沒有辦法確保實際的身份驗證發生?PHP和Active Directory身份驗證允許輸入錯誤密碼
<?php session_start();
include '_includes/header.php';
// form defaults
$error['alert'] = '';
$error['user'] = '';
$error['pass'] = '';
$input['user'] = '';
$input['pass'] = '';
if(isset($_POST['submit']))
{
if($_POST['username'] == '' || $_POST['password'] == '')
{
if($_POST['username'] == '') { $error['user'] = 'required!'; }
if($_POST['password'] == '') { $error['pass'] = 'required!'; }
$error['alert'] = 'Please fill in the required fields';
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
include 'views/v_authentication.php';
}
else
{
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
$user = $input['user'] . '@domain.local';
$ldap = ldap_connect("name.of.ldap.server");
if($bind = ldap_bind($ldap, $user, $pass)) {
$_SESSION['id'] = $id;
$_SESSION['type'] = $type;
$_SESSION['username'] = $input['user'];
$_SESSION['last_active'] = time();
header('Location: index.php');
} else {
// username/password incorrect
$error['alert'] = "Username or password incorrect!";
include 'views/v_authentication.php';
}
}
}
else
{
// check for any variables within the URL
if (isset($_GET['unauthorized']))
{
$error['alert'] = 'Please login to view that page!';
}
if (isset($_GET['timeout']))
{
$error['alert'] = 'Your session has expired. Please log in again.';
}
// if the form hasn't been submitted, show form
include 'views/v_authentication.php';
}
$ldap->close();
?>
<?php include 'views/v_authentication.php'; ?>
<?php include '_includes/footer.php'; ?>
好吧,你是對的..謝謝你的額外的眼睛。 – tattooedgeek