diff --git a/admin/.htaccess b/admin/.htaccess
new file mode 100644
index 0000000..cc2c068
--- /dev/null
+++ b/admin/.htaccess
@@ -0,0 +1,5 @@
+
+CacheEnable off
+
+Header always set Cache-Control "no-store, no-cache, must-revalidate"
+Header always set Pragma "no-cache"
diff --git a/admin/index.php b/admin/index.php
index 19d592c..2208c1d 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -1,23 +1,52 @@ time() + 86400,
+ 'path' => '/admin/',
+ 'secure' => $secure,
+ 'httponly' => true,
+ 'samesite' => 'Lax',
+ ]);
+}
+function _clearAuth(): void {
+ $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+ setcookie(AUTH_COOKIE, '', ['expires' => time()-3600, 'path' => '/admin/', 'secure' => $secure, 'httponly' => true, 'samesite' => 'Lax']);
+}
 $isAjax = !empty($_SERVER['HTTP_X_REQUESTED_WITH']) || (($_SERVER['HTTP_ACCEPT'] ?? '') === 'application/json');
 // ── Auth ──────────────────────────────────────────────────────────────────────
-if ($_POST['action'] ?? '' === 'login') {
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'login') {
 if ($_POST['username'] === ADMIN_USER && password_verify($_POST['password'] ?? '', ADMIN_PASS)) {
- $_SESSION[ADMIN_SESSION_KEY] = true;
+ _setAuth();
 }
 header('Location: /admin/'); exit;
 }
-if ($_GET['action'] ?? '' === 'logout') {
- session_destroy(); header('Location: /admin/'); exit;
+if (($_GET['action'] ?? '') === 'logout') {
+ _clearAuth(); header('Location: /admin/'); exit;
 }
-$authed = !empty($_SESSION[ADMIN_SESSION_KEY]);
+$authed = _verifyAuth();
 // ── AJAX handlers ─────────────────────────────────────────────────────────────
 if ($isAjax && !$authed) {
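Review bot: `CacheEnable off` on the second added line does not match the directive's `CacheEnable cache_type [url-string]` form, so it is unlikely to switch mod_cache off for this directory; the documented way to exclude a scope is `CacheDisable on` in .htaccess context (or `CacheDisable /admin/` in the server config), which should be checked against the installed Apache version. The two `Header always set` lines only take effect when mod_headers is loaded and `AllowOverride` grants `FileInfo` for this directory; with overrides disabled the file is ignored without any error and the admin responses stay cacheable, so the intended headers should be verified on a real response after deploy. A one-line comment at the top of the file stating those preconditions, e.g. `# requires mod_headers and AllowOverride FileInfo; confirm Cache-Control on a live /admin/ response`, would keep the next maintainer from assuming the protection is in place.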
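Review bot: Both `_setAuth()` and `_clearAuth()` derive `$secure` solely from `$_SERVER['HTTPS']`, so behind a TLS-terminating reverse proxy the auth cookie is issued without the Secure flag and the browser will also send it over plain HTTP; compute the flag once in a small helper (`_cookieSecure()`) that also honours a trusted proxy's `X-Forwarded-Proto` or a config constant, and call it from both functions instead of duplicating the expression. The login branch reads `$_POST['username']` without the `?? ''` guard the password gets, which raises an undefined-key warning on a POST that lacks the field; `($_POST['username'] ?? '') === ADMIN_USER` makes the two reads consistent. Logout is still triggered by a GET parameter, and a SameSite=Lax cookie is sent on cross-site top-level navigations, so a link from another site can log the admin out; accepting `action=logout` only on POST, as the login branch now does, closes that. The head of this hunk (the AUTH_COOKIE definition, `_verifyAuth()` and the start of `_setAuth()`) is garbled in this view, so the cookie's contents and how they are verified could not be assessed.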