0
我正在与内部站点绑定以使用Active Directory进行身份验证。但是,如果您输入错误的密码并且找到用户名,它仍然会允许进行身份验证。所以基本上这是告诉我,它甚至不检查密码是否匹配。有没有办法确保实际的身份验证发生?PHP和Active Directory身份验证允许输入错误密码
<?php session_start();
include '_includes/header.php';
// form defaults
$error['alert'] = '';
$error['user'] = '';
$error['pass'] = '';
$input['user'] = '';
$input['pass'] = '';
if(isset($_POST['submit']))
{
if($_POST['username'] == '' || $_POST['password'] == '')
{
if($_POST['username'] == '') { $error['user'] = 'required!'; }
if($_POST['password'] == '') { $error['pass'] = 'required!'; }
$error['alert'] = 'Please fill in the required fields';
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
include 'views/v_authentication.php';
}
else
{
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
$user = $input['user'] . '@domain.local';
$ldap = ldap_connect("name.of.ldap.server");
if($bind = ldap_bind($ldap, $user, $pass)) {
$_SESSION['id'] = $id;
$_SESSION['type'] = $type;
$_SESSION['username'] = $input['user'];
$_SESSION['last_active'] = time();
header('Location: index.php');
} else {
// username/password incorrect
$error['alert'] = "Username or password incorrect!";
include 'views/v_authentication.php';
}
}
}
else
{
// check for any variables within the URL
if (isset($_GET['unauthorized']))
{
$error['alert'] = 'Please login to view that page!';
}
if (isset($_GET['timeout']))
{
$error['alert'] = 'Your session has expired. Please log in again.';
}
// if the form hasn't been submitted, show form
include 'views/v_authentication.php';
}
$ldap->close();
?>
<?php include 'views/v_authentication.php'; ?>
<?php include '_includes/footer.php'; ?>
好吧,你是对的..谢谢你的额外的眼睛。 – tattooedgeek