prepare("SELECT id, passwort, email FROM intern_users WHERE email = :email LIMIT 1");
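// Normalise the submitted credentials first: a missing field, or a field sent
// as an array (email[]=x), must not reach PDO or password_verify() as a
// non-string (PHP 8 TypeError / "Array to string conversion"). Treat it as ''.
$email = (isset($_POST['email']) && is_string($_POST['email'])) ? $_POST['email'] : '';
$passwort = (isset($_POST['passwort']) && is_string($_POST['passwort'])) ? $_POST['passwort'] : '';

$stmt->execute(['email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Run exactly one password_verify() whether or not the e-mail exists. The
// original skipped the bcrypt check for unknown users, so an unknown e-mail
// answered measurably faster than a wrong password and accounts could be
// enumerated through response timing. The fallback is a syntactically valid
// bcrypt hash (the password_verify() manual example) used only to equalise the
// cost; the `$user &&` guard below means it can never grant a login.
$storedHash = $user ? (string)($user['passwort'] ?? '') : '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
$passwordOk = password_verify($passwort, $storedHash);
// NOTE(review): no per-account / per-IP attempt limit is visible in this file;
// confirm that one exists in front of this handler.

if ($user && $passwordOk) {
    // New session id before binding the pending-2FA state (session fixation).
    session_regenerate_id(true);
    $_SESSION['2fa_userid'] = (int)$user['id'];

    // Drop any earlier code for this user so only the newest one can be redeemed.
    $pdo->prepare("DELETE FROM intern_2fa_codes WHERE user_id = :uid")
        ->execute(['uid' => $user['id']]);

    // 6-digit one-time code from the CSPRNG. Only its SHA-256 is stored so a
    // database read does not reveal live codes; a 6-digit space is tiny
    // though, so the 5-minute expiry below plus an attempt limit on
    // verify_2fa.php (not visible here -- confirm) are the real protection.
    $code = random_int(100000, 999999);
    $codeHash = hash('sha256', (string)$code);
    // Expiry rendered in PHP's default timezone. NOTE(review): assumes the
    // expires_at comparison on the verify side uses the same zone -- confirm.
    $expires = date('Y-m-d H:i:s', time() + 300);
    $pdo->prepare("
        INSERT INTO intern_2fa_codes (user_id, code, expires_at)
        VALUES (:uid, :code, :expires)
    ")->execute([
        'uid' => $user['id'],
        'code' => $codeHash,
        'expires' => $expires,
    ]);

    // Deliver the plaintext code by e-mail. The "Silent" helper presumably
    // swallows delivery failures, so the user is redirected regardless.
    SendMailMessageSilent(
        $con,
        $user['email'],
        'Ihr Login-Code für Praxis-Creutzburg.de',
        "Ihr 2FA-Code lautet: $code
Geben Sie diesen Code niemals weiter."
    );
    header('Location: verify_2fa.php');
    exit;
}
// One generic message for unknown e-mail and wrong password alike (no enumeration).
$error_msg = "E-Mail oder Passwort war ungültig";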
}
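// Echo the submitted e-mail back into the form. Only a string is re-rendered
// (an array would make htmlentities() throw a TypeError), and ENT_QUOTES is
// passed explicitly so single quotes are escaped too: before PHP 8.1 the
// default flags left them alone, which is an XSS if the value lands in a
// single-quoted attribute. ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
// the whole value.
$email_value = (isset($_POST['email']) && is_string($_POST['email']))
    ? htmlentities($_POST['email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    : "";
include("templates/header.inc.php");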
?>