From 5c084c6aaa2b41fc3d40d550b5b5f3a5f9d7f3fb Mon Sep 17 00:00:00 2001
From: Jester <stassh87@gmail.com>
Date: Mon, 19 Jan 2026 08:57:58 +0300
Subject: [PATCH] security update

---
 api/check_auth.php |   3 +-
 api/login.php      |  70 ++++++++++++++++-------------
 api/logout.php     |  15 ++++++-
 config/db.php      |   4 +-
 config/session.php |  15 +++++++
 index.html         |   9 ++--
 js/auth.js         |   8 ++--
 login.html         | 107 ++++++++++++++++++++++++++++++++++++++++++---
 8 files changed, 182 insertions(+), 49 deletions(-)
 create mode 100644 config/session.php

diff --git a/api/check_auth.php b/api/check_auth.php
index 0e52a9b..e2bed0e 100644
--- a/api/check_auth.php
+++ b/api/check_auth.php
@@ -1,5 +1,6 @@
 <?php
-session_start();
+header('Content-Type: application/json; charset=utf-8');
+require_once '../config/session.php';
 
 if (isset($_SESSION['user_id'])) {
     echo json_encode([
diff --git a/api/login.php b/api/login.php
index 9b6d139..e8aeb1b 100644
--- a/api/login.php
+++ b/api/login.php
@@ -1,37 +1,47 @@
 <?php
 error_reporting(E_ALL);
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
+ini_set('display_errors', 0);
+ini_set('display_startup_errors', 0);
 header('Content-Type: application/json; charset=utf-8');
 require_once '../config/db.php';
+require_once '../config/session.php';
 
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $data = json_decode(file_get_contents('php://input'), true);
-    
-    $login = trim($data['username'] ?? '');
-    $password = $data['password'] ?? '';
-    
-    // Поиск пользователя по username
-    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
-    $stmt->execute([$login]);
-    $user = $stmt->fetch(PDO::FETCH_ASSOC);
-    
-    if ($user && password_verify($password, $user['password_hash'])) {
-        // Успешная авторизация
-        session_start();
-        $_SESSION['user_id'] = $user['id'];
-        $_SESSION['username'] = $user['username'];
-        
-        echo json_encode([
-            'success' => true,
-            'message' => 'Вход выполнен успешно',
-            'user' => [
-                'id' => $user['id'],
-                'username' => $user['username'],
-            ]
-        ]);
-    } else {
-        echo json_encode(['success' => false, 'message' => 'Неверные учетные данные']);
-    }
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    http_response_code(405);
+    echo json_encode(['success' => false, 'message' => 'Метод не поддерживается']);
+    exit;
+}
+
+$data = json_decode(file_get_contents('php://input'), true);
+if (!is_array($data)) {
+    http_response_code(400);
+    echo json_encode(['success' => false, 'message' => 'Некорректные данные']);
+    exit;
+}
+
+$login = trim($data['username'] ?? '');
+$password = $data['password'] ?? '';
+
+// Поиск пользователя по username
+$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
+$stmt->execute([$login]);
+$user = $stmt->fetch(PDO::FETCH_ASSOC);
+
+if ($user && password_verify($password, $user['password_hash'])) {
+    // Успешная авторизация
+    session_regenerate_id(true);
+    $_SESSION['user_id'] = $user['id'];
+    $_SESSION['username'] = $user['username'];
+
+    echo json_encode([
+        'success' => true,
+        'message' => 'Вход выполнен успешно',
+        'user' => [
+            'id' => $user['id'],
+            'username' => $user['username'],
+        ]
+    ]);
+} else {
+    echo json_encode(['success' => false, 'message' => 'Неверные учетные данные']);
 }
 ?>
diff --git a/api/logout.php b/api/logout.php
index 829c135..979ccb2 100644
--- a/api/logout.php
+++ b/api/logout.php
@@ -1,5 +1,18 @@
 <?php
-session_start();
+header('Content-Type: application/json; charset=utf-8');
+require_once '../config/session.php';
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    http_response_code(405);
+    echo json_encode(['success' => false, 'message' => 'Метод не поддерживается']);
+    exit;
+}
+
+$_SESSION = [];
+if (ini_get('session.use_cookies')) {
+    $params = session_get_cookie_params();
+    setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+}
 session_destroy();
 echo json_encode(['success' => true]);
 ?>
\ No newline at end of file
diff --git a/config/db.php b/config/db.php
index 2b71884..8675c63 100644
--- a/config/db.php
+++ b/config/db.php
@@ -1,7 +1,7 @@
 <?php
 error_reporting(E_ALL);
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
+ini_set('display_errors', 0);
+ini_set('display_startup_errors', 0);
 $host = 'localhost';
 $dbname = 'users';
 $username = 'root';
diff --git a/config/session.php b/config/session.php
new file mode 100644
index 0000000..b5adffd
--- /dev/null
+++ b/config/session.php
@@ -0,0 +1,15 @@
+<?php
+if (session_status() === PHP_SESSION_NONE) {
+    $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+    ini_set('session.use_strict_mode', '1');
+    session_set_cookie_params([
+        'lifetime' => 0,
+        'path' => '/',
+        'domain' => '',
+        'secure' => $isSecure,
+        'httponly' => true,
+        'samesite' => 'Lax',
+    ]);
+    session_start();
+}
+?>
diff --git a/index.html b/index.html
index aaef4f8..e9f0633 100644
--- a/index.html
+++ b/index.html
@@ -10,7 +10,7 @@
     <script>
         // Проверка авторизации при загрузке страницы
         async function checkAuth() {
-            const response = await fetch('api/check_auth.php');
+            const response = await fetch('api/check_auth.php', { credentials: 'same-origin' });
             const result = await response.json();
             
             if (!result.isLoggedIn) {
@@ -23,9 +23,10 @@
         }
         
         async function logout() {
-            await fetch('api/logout.php');
-            localStorage.removeItem('user');
-            localStorage.removeItem('isLoggedIn');
+            await fetch('api/logout.php', {
+                method: 'POST',
+                credentials: 'same-origin'
+            });
             window.location.href = 'login.html';
         }
         
diff --git a/js/auth.js b/js/auth.js
index d61cb3b..1e5bb65 100644
--- a/js/auth.js
+++ b/js/auth.js
@@ -3,11 +3,15 @@ async function sendRequest(url, data) {
     try {
         const response = await fetch(url, {
             method: 'POST',
+            credentials: 'same-origin',
             headers: {
                 'Content-Type': 'application/json',
             },
             body: JSON.stringify(data)
         });
+        if (!response.ok) {
+            return { success: false, message: 'Ошибка сервера' };
+        }
         return await response.json();
     } catch (error) {
         console.error('Ошибка:', error);
@@ -45,10 +49,6 @@ if (document.getElementById('loginForm')) {
         const result = await sendRequest('api/login.php', data);
         
         if (result.success) {
-            // Сохраняем данные пользователя в localStorage
-            localStorage.setItem('user', JSON.stringify(result.user));
-            localStorage.setItem('isLoggedIn', 'true');
-            
             alert(result.message);
             window.location.href = 'index.html';
         } else {
diff --git a/login.html b/login.html
index fa588b8..f45a1b5 100644
--- a/login.html
+++ b/login.html
@@ -1,16 +1,109 @@
 <!DOCTYPE html>
 <html>
 <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Вход</title>
+    <style>
+        :root {
+            color-scheme: light;
+            --bg: #f5f7fb;
+            --card: #ffffff;
+            --text: #1b1f2a;
+            --muted: #6b7280;
+            --border: #e5e7eb;
+            --accent: #3b82f6;
+            --accent-dark: #2563eb;
+        }
+        * { box-sizing: border-box; }
+        body {
+            margin: 0;
+            font-family: "Segoe UI", Arial, sans-serif;
+            background: linear-gradient(135deg, #eef2ff, #f8fafc);
+            color: var(--text);
+            min-height: 100vh;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding: 24px;
+        }
+        .card {
+            width: 100%;
+            max-width: 380px;
+            background: var(--card);
+            border: 1px solid var(--border);
+            border-radius: 12px;
+            padding: 24px;
+            box-shadow: 0 10px 30px rgba(15, 23, 42, 0.08);
+        }
+        h2 {
+            margin: 0 0 8px;
+            font-size: 24px;
+        }
+        .subtitle {
+            margin: 0 0 20px;
+            color: var(--muted);
+            font-size: 14px;
+        }
+        .field {
+            margin-bottom: 14px;
+        }
+        label {
+            display: block;
+            font-size: 13px;
+            color: var(--muted);
+            margin-bottom: 6px;
+        }
+        input {
+            width: 100%;
+            padding: 10px 12px;
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            font-size: 14px;
+            transition: border-color 0.2s, box-shadow 0.2s;
+        }
+        input:focus {
+            outline: none;
+            border-color: var(--accent);
+            box-shadow: 0 0 0 3px rgba(59, 130, 246, 0.15);
+        }
+        button {
+            width: 100%;
+            padding: 10px 12px;
+            border: none;
+            border-radius: 8px;
+            background: var(--accent);
+            color: #fff;
+            font-size: 15px;
+            cursor: pointer;
+            transition: background 0.2s;
+        }
+        button:hover { background: var(--accent-dark); }
+        .helper {
+            margin-top: 14px;
+            font-size: 12px;
+            color: var(--muted);
+            text-align: center;
+        }
+    </style>
 </head>
 <body>
-    <h2>Вход</h2>
-    <form id="loginForm">
-        <input type="text" name="username" placeholder="Логин" required>
-        <input type="password" name="password" placeholder="Пароль" required>
-        <button type="submit">Войти</button>
-    </form>
-    
+    <div class="card">
+        <h2>Вход</h2>
+        <p class="subtitle">Введите логин и пароль для доступа</p>
+        <form id="loginForm">
+            <div class="field">
+                <label for="username">Логин</label>
+                <input id="username" type="text" name="username" placeholder="Введите логин" required autocomplete="username" autocapitalize="off" spellcheck="false">
+            </div>
+            <div class="field">
+                <label for="password">Пароль</label>
+                <input id="password" type="password" name="password" placeholder="Введите пароль" required autocomplete="current-password">
+            </div>
+            <button type="submit">Войти</button>
+        </form>
+        <div class="helper">Доступ только для зарегистрированных пользователей</div>
+    </div>
     <script src="js/auth.js"></script>
 </body>
 </html>
\ No newline at end of file