// ==========================
// Secure File Uploader + Login
// (versi sudah diperbaiki, tanpa warning session)
// ==========================
// --- Login account configuration ---
// A single hard-coded account. The stored value is a bcrypt hash, presumably of the sample
// password used in the command below — generate your own before deploying:
//   php -r "echo password_hash('SandiRahasia123', PASSWORD_DEFAULT).PHP_EOL;"
[$USERNAME, $PASSWORD_HASH] = [
    'admin',
    '$2y$10$9/c3sGlNZHrNS321MFU3DOWqzT3Z9h29l4rAEsBdPRPdBEP.BpaCK',
];
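// --- Session configuration (must run BEFORE session_start) ---
if (session_status() === PHP_SESSION_NONE) {
    // Reject session IDs the server did not issue (session fixation) and accept
    // the ID only from the cookie, never from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Keep the cookie out of reach of script and off cross-site requests.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    // Enable the following line once the server is served over HTTPS:
    // ini_set('session.cookie_secure', '1');
    session_start();
}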
// Idle timeout of a login session, in seconds (30 minutes); enforced by is_logged_in().
const SESSION_TIMEOUT = 30 * 60;
// ---------- Fungsi utilitas ----------
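/**
 * Reports whether the current session is an authenticated, non-expired login.
 *
 * Side effects: refreshes $_SESSION['last_activity'] on success; on an idle
 * timeout the session data is cleared and the session destroyed.
 *
 * @return bool true only when logged_in is exactly true and the idle timeout
 *              (SESSION_TIMEOUT seconds) has not elapsed
 */
function is_logged_in(): bool
{
    if (($_SESSION['logged_in'] ?? null) !== true) {
        return false;
    }
    // Fail closed: a "logged in" session with no timestamp is treated as expired
    // (the original skipped the timeout check in that case).
    $lastActivity = (int) ($_SESSION['last_activity'] ?? 0);
    if (time() - $lastActivity > SESSION_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}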
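// ---------- Logout ----------
if (($_GET['action'] ?? '') === 'logout') {
    $_SESSION = [];
    // session_destroy() only drops the server-side data; the cookie stays in the
    // browser unless it is expired explicitly with the attributes it was set with.
    if (ini_get('session.use_cookies')) {
        $cookie = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $cookie['path'],
            $cookie['domain'],
            $cookie['secure'],
            $cookie['httponly']
        );
    }
    session_destroy();
    // Back to the same page without the query string.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}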
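// ---------- Login ----------
$login_error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($_POST['do'] ?? '') === 'login') {
    $maxAttempts = 5;
    $lockSeconds = 15 * 60;
    // Only scalar strings are accepted: a field posted as username[] would make trim() throw.
    $user = is_string($_POST['username'] ?? null) ? trim($_POST['username']) : '';
    // The password is compared verbatim; trimming would silently alter the credential.
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (!isset($_SESSION['attempts'])) {
        $_SESSION['attempts'] = 0;
    }
    // Lift the lockout once its window has elapsed (the original never reset the counter).
    if (isset($_SESSION['lock_until']) && time() >= $_SESSION['lock_until']) {
        $_SESSION['attempts'] = 0;
        unset($_SESSION['lock_until']);
    }
    if ($_SESSION['attempts'] >= $maxAttempts) {
        // NOTE: the counter lives in the session, so it only throttles a client that keeps
        // its cookie; per-IP or per-account throttling needs server-side storage.
        $login_error = 'Terlalu banyak percobaan login. Coba lagi nanti.';
    } else {
        // Evaluate both checks regardless of the username result so a wrong username
        // and a wrong password take the same time.
        $userOk = hash_equals($USERNAME, $user);
        $passOk = password_verify($pass, $PASSWORD_HASH);
        if ($userOk && $passOk) {
            session_regenerate_id(true); // fresh ID on privilege change (session fixation)
            $_SESSION['logged_in'] = true;
            $_SESSION['username'] = $user;
            $_SESSION['last_activity'] = time();
            $_SESSION['attempts'] = 0;
            unset($_SESSION['lock_until']);
            if (empty($_SESSION['upload_session_folder'])) {
                $_SESSION['upload_session_folder'] = bin2hex(random_bytes(8));
            }
            header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
            exit;
        }
        $_SESSION['attempts']++;
        if ($_SESSION['attempts'] >= $maxAttempts) {
            $_SESSION['lock_until'] = time() + $lockSeconds;
        }
        $login_error = 'Username atau password salah.';
    }
}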
// ---------- Not logged in: render the login page and stop ----------
// NOTE(review): the markup inside this block lost its PHP open/close tags in extraction,
// so the login form itself is not visible here; whether it carries a CSRF token cannot be
// confirmed from this page. $login_error is escaped with htmlspecialchars() before output.
if (!is_logged_in()) {
<!doctype html>
Login<meta charset="utf-8"><title>Login</title>
Login
if ($login_error):
<p style="color:red;">= htmlspecialchars($login_error) </p>
endif;
exit;
}
// ---------- Sudah login: halaman upload ----------
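/**
 * Builds a random, filesystem-safe name from the alphabet [0-9a-zA-Z] using the
 * CSPRNG (random_int), so per-login upload folders cannot be guessed.
 *
 * @param int $length number of characters to produce; 0 or less yields ''
 * @return string the generated name
 */
function generateRandomFolderName(int $length = 16): string
{
    static $alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $lastIndex = strlen($alphabet) - 1;
    $name = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over the closed range, unlike rand() % n.
        $name .= $alphabet[random_int(0, $lastIndex)];
    }
    return $name;
}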
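// ---------- Upload directories ----------
$baseUploadDir = __DIR__ . '/uploads/';
// The per-login folder name is generated server-side, never taken from request data;
// the character filter is a second line of defence in case the session value is ever
// populated some other way.
if (empty($_SESSION['upload_session_folder'])) {
    $_SESSION['upload_session_folder'] = generateRandomFolderName(16);
}
$sessionFolder = preg_replace('/[^A-Za-z0-9_\-]/', '', (string) $_SESSION['upload_session_folder']);
if ($sessionFolder === '' || $sessionFolder === null) {
    // Fail closed: never fall back to the shared base directory.
    $sessionFolder = $_SESSION['upload_session_folder'] = generateRandomFolderName(16);
}
$uploadDir = $baseUploadDir . $sessionFolder . '/';
// Recursive mkdir creates the base directory as well. is_dir() is re-checked after a
// failed mkdir() so a concurrent request that won the race is not reported as an error;
// the original ignored mkdir()'s result and only failed later, on the upload itself.
if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true) && !is_dir($uploadDir)) {
    http_response_code(500);
    exit('Direktori upload tidak dapat dibuat.');
}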
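// ---------- Upload handling ----------
$msg = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file'])) {
    // Allow-list of extensions and the MIME type(s) fileinfo must report for each.
    // The original used an empty blacklist, which accepted anything — including
    // .php — into a web-served directory. Extend this map deliberately and never
    // add types the web server will execute.
    $allowedTypes = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
        'txt'  => ['text/plain'],
        'zip'  => ['application/zip'],
    ];
    $maxBytes = 10 * 1024 * 1024;
    $file = $_FILES['file'];

    if (!is_array($file) || !is_string($file['name'] ?? null) || !is_int($file['error'] ?? null)) {
        // A multi-file field (file[]) arrives as arrays; this form handles one file.
        $msg = 'Upload tidak valid.';
    } elseif ($file['error'] !== UPLOAD_ERR_OK) {
        $msg = "Error upload (kode {$file['error']}).";
    } else {
        $original = basename($file['name']);
        $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
        // Inner dots become '_' so a multi-extension name such as "x.php.jpg" is stored
        // as "x_php.jpg" and cannot match an AddHandler-style mapping on the server.
        $base = preg_replace('/[^A-Za-z0-9_\-]/', '_', pathinfo($original, PATHINFO_FILENAME));
        if ($base === '' || $base === null) {
            $base = 'file';
        }
        if (!isset($allowedTypes[$ext])) {
            $msg = 'Tipe file tidak diizinkan.';
        } elseif ((int) ($file['size'] ?? 0) > $maxBytes) {
            $msg = 'File terlalu besar.';
        } elseif (!is_uploaded_file($file['tmp_name'])
            || !in_array(mime_content_type($file['tmp_name']), $allowedTypes[$ext], true)) {
            // The sniffed content type must agree with the extension (requires ext/fileinfo).
            $msg = 'Tipe file tidak diizinkan.';
        } else {
            // Never overwrite an existing file: add a numeric suffix instead.
            $fileName = $base . '.' . $ext;
            $targetFile = $uploadDir . $fileName;
            for ($n = 1; file_exists($targetFile); $n++) {
                $fileName = $base . '_' . $n . '.' . $ext;
                $targetFile = $uploadDir . $fileName;
            }
            if (move_uploaded_file($file['tmp_name'], $targetFile)) {
                $publicPath = 'uploads/' . rawurlencode($sessionFolder) . '/' . rawurlencode($fileName);
                // $msg is echoed as raw HTML by the template, so escape every piece here.
                $msg = '✅ File berhasil di-upload: <a href="'
                    . htmlspecialchars($publicPath, ENT_QUOTES, 'UTF-8')
                    . '" target="_blank">'
                    . htmlspecialchars($fileName, ENT_QUOTES, 'UTF-8')
                    . '</a>';
            } else {
                $msg = 'Gagal memindahkan file.';
            }
        }
    }
}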
<!doctype html>
<!-- Authenticated view: upload form and the per-session file list.
     NOTE(review): the PHP tags were lost in extraction; the "= htmlspecialchars(...)" fragments
     below look like short echo tags. $msg is printed without escaping because it carries the
     success link as HTML, so each value interpolated into $msg must be escaped where it is built.
     The logout link is reachable by plain GET, so any page can log the user out; a POST form
     with a token would avoid that. -->
<meta charset="utf-8">
Secure PHP File Uploader <title>Secure PHP File Uploader</title>
Upload File (Login sebagai: = htmlspecialchars($_SESSION['username']) )
<p><a href="?action=logout">Logout</a></p>
if ($msg): <p>= $msg </p> endif;
<hr>
<p>Folder upload sesi ini: <strong>= htmlspecialchars($sessionFolder) </strong></p>
Daftar file
<ul>
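// List the regular files in this session's upload folder as links.
$entries = scandir($uploadDir);
// scandir() returns false on an unreadable directory; array_diff(false, ...) would throw on PHP 8.
$files = $entries === false ? [] : array_diff($entries, ['.', '..']);
foreach ($files as $f) {
    $path = $uploadDir . $f;
    if (!is_file($path)) {
        continue;
    }
    $url = 'uploads/' . rawurlencode($sessionFolder) . '/' . rawurlencode($f);
    $size = filesize($path);
    // The name is escaped for the text node and the (already URL-encoded) href for the attribute.
    echo '<li><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" target="_blank">'
        . htmlspecialchars($f) . '</a> ('
        . number_format($size === false ? 0 : $size) . ' bytes)</li>';
}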
</ul>