Auth: Set token after unsuccessful login

Broken by d59830c

diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index 9a5f5cdd1762b10cadcfa6109c26b510fd5b1d58..69f875a7a8a0cbc77190b50ddaa59932bc29b0a3 100644 (file)
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -146,6 +146,9 @@ function auth_error(string $error, array &$permanent) {
        }
        $params = session_get_cookie_params();
        cookie("adminer_key", ($_COOKIE["adminer_key"] ?: rand_string()), $params["lifetime"]);
+       if (!$_SESSION["token"]) {
+               $_SESSION["token"] = rand(1, 1e6); // this is for next attempt
+       }
        page_header(lang('Login'), $error, null);
        echo "<form action='' method='post'>\n";
        echo "<div>";
@@ -187,11 +190,9 @@ if (isset($_GET["username"]) && is_string(get_password())) {
 
 $login = null;
 if (!is_object($connection) || ($login = adminer()->login($_GET["username"], get_password())) !== true) {
-       $error = (is_string($connection) ? nl_br(h($connection)) : (is_string($login) ? $login : lang('Invalid credentials.')));
-       auth_error(
-               $error . (preg_match('~^ | $~', get_password()) ? '<br>' . lang('There is a space in the input password which might be the cause.') : ''),
-               $permanent
-       );
+       $error = (is_string($connection) ? nl_br(h($connection)) : (is_string($login) ? $login : lang('Invalid credentials.')))
+               . (preg_match('~^ | $~', get_password()) ? '<br>' . lang('There is a space in the input password which might be the cause.') : '');
+       auth_error($error, $permanent);
 }
 
 if ($_POST["logout"] && $_SESSION["token"] && !verify_token()) {