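/**
 * Pre-login password-policy hook for local (realm 0) accounts.
 *
 * Reads login_username / login_password from the POST request and, driven by
 * the secpass_* configuration options:
 *   - secpass_lockfailed:    counts failed attempts and sets locked = 'on' once
 *                            the maximum is reached; secpass_unlocktime (minutes,
 *                            capped at 1440) clears the lock and counter again;
 *   - secpass_forceold:      flags an account whose current password fails
 *                            secpass_check_pass() so it must be changed;
 *   - secpass_expireaccount: stamps lastlogin for the matching account.
 *
 * Returns false when lockout tracking is on and the supplied password is wrong
 * (the caller must reject the login); true in every other case. When the
 * account is locked, displays a custom error via
 * auth_display_custom_error_message() and exits.
 *
 * Note: user_auth.password is compared as an unsalted MD5 because that is how
 * this schema stores it. Moving to password_hash()/password_verify() is a
 * schema-wide migration and cannot be done inside this function alone.
 */
function secpass_login_process() {
    $users    = db_fetch_assoc('SELECT username FROM user_auth WHERE realm = 0');
    $username = sanitize_search_string(get_request_var_post('login_username'));
    $p        = get_request_var_post('login_password');

    // All three policy steps below only apply to usernames that exist as local
    // accounts; resolve that once. Strict comparison: the former loose '=='
    // would treat numeric-looking names such as '1e1' and '10' as equal.
    $known = false;
    if (is_array($users)) {
        foreach ($users as $row) {
            if (isset($row['username']) && $row['username'] === $username) {
                $known = true;
                break;
            }
        }
    }
    if (!$known) {
        return true;
    }

    $hash = md5($p);

    /* ---- Failed-login tracking and lockout -------------------------------- */
    $max = intval(read_config_option('secpass_lockfailed'));
    if ($max > 0) {
        $rows = db_fetch_assoc_prepared("SELECT * FROM user_auth WHERE username = ? AND realm = 0 AND enabled = 'on'", array($username));

        if (isset($rows[0]['username'])) {
            $user = $rows[0];

            // Automatic unlock once secpass_unlocktime minutes have elapsed
            // since the last failure (0 = never auto-unlock; capped at 24h).
            $unlock = min(intval(read_config_option('secpass_unlocktime')), 1440);
            if ($unlock > 0 && time() - $user['lastfail'] > 60 * $unlock) {
                db_execute_prepared("UPDATE user_auth SET lastfail = 0, failed_attempts = 0, locked = '' WHERE username = ? AND realm = 0 AND enabled = 'on'", array($username));
                $user['failed_attempts'] = 0;
                $user['lastfail']        = 0;
                // This used to be a comparison ("== ''"), i.e. a no-op: the row
                // was unlocked in the DB but still reported as locked below.
                $user['locked'] = '';
            }

            // Strict comparison on purpose: with loose '!=' PHP compares two
            // hashes of the form "0e<digits>" numerically (both equal 0), so
            // such a stored hash would accept any password whose MD5 also
            // looks like "0e<digits>".
            if ((string) $user['password'] !== $hash) {
                $failed = intval($user['failed_attempts']) + 1;

                if ($failed >= $max) {
                    db_execute_prepared("UPDATE user_auth SET locked = 'on' WHERE username = ? AND realm = 0 AND enabled = 'on'", array($username));
                    $user['locked'] = 'on';
                }

                $user['lastfail'] = time();
                db_execute_prepared("UPDATE user_auth SET lastfail = ?, failed_attempts = ? WHERE username = ? AND realm = 0 AND enabled = 'on'", array($user['lastfail'], $failed, $username));

                // Same message whether the lock was just set or pre-existing,
                // so a wrong password does not reveal the lock state.
                if ($user['locked'] != '') {
                    auth_display_custom_error_message('This account has been locked.');
                    exit;
                }

                return false;
            }

            if ($user['locked'] != '') {
                auth_display_custom_error_message('This account has been locked.');
                exit;
            }

            // Correct password on an unlocked account: clear the counter so
            // occasional typos spread over time cannot accumulate into a lock
            // (previously only the unlock timer ever reset it, and with
            // secpass_unlocktime = 0 it never did).
            if (intval($user['failed_attempts']) > 0) {
                db_execute_prepared("UPDATE user_auth SET lastfail = 0, failed_attempts = 0 WHERE username = ? AND realm = 0 AND enabled = 'on'", array($username));
            }
        }
    }

    /* ---- Force a change when the existing password fails the policy ------- */
    if (read_config_option('secpass_forceold') == 'on') {
        $error = secpass_check_pass($p);
        if ($error != '') {
            // NOTE(review): the flag value below is kept exactly as found; the
            // other flag columns of this table use 'on' -- confirm what the
            // consumer of must_change_password expects.
            db_execute_prepared("UPDATE user_auth SET must_change_password = '******' WHERE username = ? AND password = ? AND realm = 0 AND enabled = 'on'", array($username, $hash));
            // NOTE(review): returning here skips the lastlogin stamp below,
            // as in the original -- confirm that is intended when account
            // expiry is enabled.
            return true;
        }
    }

    /* ---- Account expiry: record the login time ---------------------------- */
    if (read_config_option('secpass_expireaccount') > 0) {
        // The password predicate keeps this from stamping lastlogin on a
        // wrong-password attempt when lockout tracking is disabled.
        db_execute_prepared("UPDATE user_auth SET lastlogin = ? WHERE username = ? AND password = ? AND realm = 0 AND enabled = 'on'", array(time(), $username, $hash));
    }

    return true;
}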
/* set default action */ if (!isset($_REQUEST['action'])) { $_REQUEST['action'] = ''; } switch ($_REQUEST['action']) { case 'changepassword': if ($user['password'] != md5($_POST['current_password'])) { $bad_password = true; $errorMessage = "<span color='#FF0000'><strong>Your current password is not correct. Please try again.</strong></span>"; } if ($user['password'] == md5($_POST['password'])) { $bad_password = true; $errorMessage = "<span color='#FF0000'><strong>Your new password can not be the same as the old password. Please try again.</strong></span>"; } // Secpass checking $error = secpass_check_pass($_POST['password']); if ($error != '') { $bad_password = true; $errorMessage = "<span color='#FF0000'><strong>{$error}</strong></span>"; } if (!secpass_check_history($_SESSION['sess_user_id'], $_POST['password'])) { $bad_password = true; $errorMessage = "<span color='#FF0000'><strong>You can not use a previously entered password!</strong></span>"; } if ($bad_password == false && $_POST['password'] == $_POST['confirm'] && $_POST['password'] != '') { // Password change is good to go if (read_config_option('secpass_expirepass') > 0) { db_execute("UPDATE user_auth SET lastchange = " . time() . " WHERE id = " . intval($_SESSION['sess_user_id']) . " AND realm = 0 AND enabled = 'on'"); } $history = intval(read_config_option('secpass_history')); if ($history > 0) {