prepare("SELECT * FROM users WHERE email = :email LIMIT 1");
// Bind the submitted address to the prepared lookup and read at most one row
// as an associative array (false when no such user exists).
$lookupParams = ['email' => $email];
$statement->setFetchMode(PDO::FETCH_ASSOC);
$statement->execute($lookupParams);
$user = $statement->fetch();
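// Admin login: on a valid e-mail/password pair start an authenticated session,
// optionally issue a remember-me token pair, then redirect; otherwise expose
// a generic error message for the template (the same text for "unknown e-mail"
// and "wrong password", so the response body does not reveal which one failed).
// NOTE(review): password_verify() is skipped when no row matched, so a miss
// answers faster than a wrong password; if account enumeration via timing
// matters here, verify against a fixed dummy hash on that path as well.
if ($user && password_verify($passwort, $user['passwort'])) {
    // Transparent hash upgrade: if the stored hash was made with an older
    // algorithm or cost than PASSWORD_DEFAULT now uses, re-hash the password
    // we just verified and persist it (assumes users.passwort is wide enough
    // for the current algorithm's output — TODO confirm column width).
    if (password_needs_rehash($user['passwort'], PASSWORD_DEFAULT)) {
        $rehash = $pdo->prepare("UPDATE users SET passwort = :passwort WHERE id = :id");
        $rehash->execute([
            'passwort' => password_hash($passwort, PASSWORD_DEFAULT),
            'id' => (int)$user['id'],
        ]);
    }
    // ALWAYS rotate the session id before writing the authenticated state
    // (session fixation: an id handed out pre-login must not become valid).
    session_regenerate_id(true);
    $_SESSION['auth'] = [
        'type' => 'admin',
        'id' => (int)$user['id'],
    ];
    // Optional "stay signed in" (remember-me)
    if (!empty($_POST['angemeldet_bleiben'])) {
        $identifier = bin2hex(random_bytes(16));
        $securitytoken = bin2hex(random_bytes(32)); // CSPRNG, stronger than random_string()
        // Only the SHA-256 of the token is stored; the raw token goes to the
        // client alone, so a leaked securitytokens row cannot be replayed.
        $hash = hash('sha256', $securitytoken);
        $insert = $pdo->prepare("
INSERT INTO securitytokens (user_id, identifier, securitytoken, user_type)
VALUES (:user_id, :identifier, :securitytoken, 'admin')
");
        $insert->execute([
            'user_id' => (int)$user['id'],
            'identifier' => $identifier,
            'securitytoken' => $hash,
        ]);
        $cookieOpts = [
            'expires' => time() + 365 * 24 * 3600, // one year
            'path' => '/',
            // true: the browser sends the cookie over HTTPS only, so remember-me
            // silently does nothing on a plain-HTTP deployment — intended.
            'secure' => true,
            'httponly' => true, // not readable from JavaScript
            'samesite' => 'Lax',
        ];
        setcookie('identifier', $identifier, $cookieOpts);
        setcookie('securitytoken', $securitytoken, $cookieOpts);
    }
    header("Location: index.php");
    exit;
} else {
    $error_msg = "E-Mail oder Passwort war ungültig
";
}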
}
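// Value echoed back into the login form. Escaping flags and charset are given
// explicitly so the output does not depend on the PHP version's default
// (before 8.1 htmlentities() left single quotes unescaped); a non-string
// submission (e.g. email[]=) is treated as empty instead of raising a TypeError.
$email_value = is_string($_POST['email'] ?? null)
    ? htmlentities($_POST['email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    : "";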
// Shared page header (include is a language construct; no parentheses needed)
include 'templates/header.inc.php';
?>