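/**
 * Handle a control-panel login attempt.
 *
 * Two entry paths are accepted:
 *   - a form POST carrying 'username' and 'password';
 *   - a 'RememberToken' cookie holding md5(username . token), issued by an
 *     earlier login made with "Remember Me" ticked.
 *
 * On success the STORESUITE_CP_TOKEN cookie is set (and the RememberToken
 * cookie is refreshed when remembering), a "valid" entry is written to the
 * admin log and the browser is redirected with an inline script. On failure
 * an "invalid" entry is logged and the login form is shown again. Every
 * outcome ends the request with die() except the missing-parameters case,
 * which returns after re-showing the form.
 *
 * Reads $_POST / $_COOKIE and the ISC_CLASS_DB, ISC_CLASS_LOG and
 * ISC_CLASS_ADMIN_AUTH globals. No parameters, no return value.
 *
 * Fixes relative to the previous revision:
 *   - the username lookup used a format string without a placeholder, so the
 *     sprintf() argument was dropped and the query matched a literal value;
 *   - the password-hash comparison used loose '!=' (numeric-string juggling);
 *     it is now strict and constant-time via hash_equals();
 *   - request values are type-checked instead of '@'-suppressed.
 */
public function ProcessLogin()
{
    $loginName = '';
    $loginPass = '';

    // Need either a full credential pair or a remember-me cookie to proceed.
    $hasFormCredentials = isset($_POST['username']) && isset($_POST['password']);
    $hasRememberCookie  = isset($_COOKIE['RememberToken']);
    if (!$hasFormCredentials && !$hasRememberCookie) {
        $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
        return;
    }

    // Is this an automatic login from "Remember Me" being ticked, or a form login?
    if (isset($_POST['username'])) {
        // Reject non-scalar input outright rather than letting it reach
        // Quote()/md5() (a 'username[]=' submission arrives as an array).
        $userIsString = is_string($_POST['username']);
        $passIsString = !isset($_POST['password']) || is_string($_POST['password']);
        if (!$userIsString || !$passIsString) {
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
            die;
        }
        $loginName = $_POST['username'];
        // The password may be absent when a RememberToken cookie is also
        // present (the guard above only requires one of the two paths).
        $loginPass = isset($_POST['password']) ? $_POST['password'] : '';
        $query = sprintf(
            "SELECT pk_userid, username, userpass, token, userimportpass FROM [|PREFIX|]users WHERE username='%s' and userstatus='1'",
            $GLOBALS['ISC_CLASS_DB']->Quote($loginName)
        );
    } else {
        $cookieToken = isset($_COOKIE['RememberToken']) && is_string($_COOKIE['RememberToken'])
            ? trim($_COOKIE['RememberToken'])
            : '';
        if ($cookieToken !== '') {
            // The cookie value is the credential here: the row is selected by
            // matching it against md5(username . token) in the database.
            $query = sprintf(
                "SELECT pk_userid, username, userpass, token, userimportpass FROM [|PREFIX|]users WHERE userstatus='1' AND md5(concat(username, token))='%s'",
                $GLOBALS['ISC_CLASS_DB']->Quote($_COOKIE['RememberToken'])
            );
        } else {
            // Otherwise, we have a bad username/password
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
            die;
        }
    }

    $remember = isset($_POST['remember']) || isset($_COOKIE['RememberToken']);

    // Started here as in the original; nothing in this method flushes it explicitly.
    ob_start();

    // Try and find a user with the same credentials
    $userResult = $GLOBALS["ISC_CLASS_DB"]->Query($query);
    if ($userRow = $GLOBALS["ISC_CLASS_DB"]->Fetch($userResult)) {
        if (!$remember) {
            // Expire any stale remember-me cookie from a previous session.
            ISC_SetCookie("RememberToken", "", time() - 3600 * 24 * 365, true);
        }

        // NOTE: the stored scheme is an unsalted md5 of the password. Changing
        // it needs a migration and is out of scope here; the comparison is at
        // least strict (no numeric-string juggling) and constant-time.
        $submittedHash   = md5($loginPass);
        $passwordMatches = hash_equals((string)$userRow['userpass'], $submittedHash);

        // Was this an imported password?
        if ((string)$userRow['userimportpass'] !== '' && !$passwordMatches) {
            if (ValidateImportPassword($loginPass, $userRow['userimportpass'])) {
                // Valid login from an import password. We now store the
                // Interspire Shopping Cart version of the password.
                $updatedUser = array("userpass" => $submittedHash, "userimportpass" => "");
                $GLOBALS['ISC_CLASS_DB']->UpdateQuery(
                    "users",
                    $updatedUser,
                    "pk_userid='" . $GLOBALS['ISC_CLASS_DB']->Quote($userRow['pk_userid']) . "'"
                );
            } else {
                unset($userRow['pk_userid']);
            }
        } else {
            // Form login: the hash must match. Cookie login: the
            // md5(username.token) lookup above was the credential, nothing to do.
            if (isset($_POST['username']) && !$passwordMatches) {
                unset($userRow['pk_userid']);
            }
        }

        if (isset($userRow['pk_userid'])) {
            // Set the auth cookie (also mirrored into $_COOKIE for this request).
            $_COOKIE['STORESUITE_CP_TOKEN'] = $userRow['token'];
            ISC_SetCookie("STORESUITE_CP_TOKEN", $userRow['token'], 0, true);
            if ($remember) {
                // NOTE: the remember token is a bare md5 of username.token with
                // a one-year lifetime; it can only be invalidated by changing
                // the user's token.
                ISC_SetCookie("RememberToken", md5($userRow['username'] . $userRow['token']), time() + 3600 * 24 * 365, true);
            }
            // Log the successful login to the administrators log
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("valid");
            // Everything was OK and the user has been logged in successfully
            ?>
<script type="text/javascript">
document.location.href='index.php?ToDo=';
</script>
<?php
            die;
        }
    }

    // Otherwise, we have a bad username/password
    $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
    $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
    die;
}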
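/**
 * Handle a control-panel login attempt (captcha + account-lockout variant).
 *
 * Flow:
 *   1. Unless the submitted username is the configured QA account, the
 *      captcha answer in $_REQUEST['captcha'] must match the stored secret.
 *   2. Credentials come either from a form POST ('username'/'password') or
 *      from a 'RememberToken' cookie holding md5(username . token).
 *   3. A row with userstatus 0 is treated as locked and refused before the
 *      password is checked.
 *   4. A wrong password calls $this->doLoginFailed() (failure counting);
 *      a correct one clears the counter via $this->clearFails().
 *
 * On success the STORESUITE_CP_TOKEN cookie is set, a "valid" admin log
 * entry is written and the browser is redirected with an inline script.
 * Every outcome ends the request with die() except the missing-parameters
 * case, which returns after re-showing the form.
 *
 * Reads $_POST / $_REQUEST / $_COOKIE and the ISC_CLASS_DB, ISC_CLASS_LOG,
 * ISC_CLASS_ADMIN_AUTH and ISC_CLASS_CAPTCHA globals. No parameters, no
 * return value.
 *
 * Fixes relative to the previous revision:
 *   - the QA-user check read $_POST['username'] unguarded and compared it
 *     loosely; the captcha check also used loose '!=', so an empty answer
 *     compared equal to a false/null secret;
 *   - the username lookup used a format string without a placeholder, so the
 *     sprintf() argument was dropped and the query matched a literal value;
 *   - the password-hash comparison is now strict and constant-time.
 */
public function ProcessLogin()
{
    // Captcha is mandatory unless the submitted username is the QA account.
    $postedUser = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : null;
    // NOTE(review): assumes GetConfig('UserQA') yields the QA username as a
    // string; if it is unset, the bypass is simply never granted. Confirm.
    $isQaUser = $postedUser !== null && $postedUser !== '' && $postedUser === GetConfig('UserQA');
    if (!$isQaUser) {
        $GLOBALS['ISC_CLASS_CAPTCHA'] = GetClass('ISC_CAPTCHA');
        $captcha = (isset($_REQUEST['captcha']) && is_string($_REQUEST['captcha'])) ? trim($_REQUEST['captcha']) : '';
        $secret  = $GLOBALS['ISC_CLASS_CAPTCHA']->LoadSecret();
        // An absent or empty secret must never validate.
        $captchaOk = is_string($secret) && $secret !== ''
            && isc_strtolower($captcha) === isc_strtolower($secret);
        if (!$captchaOk) {
            // Captcha validation failed
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(false, false, GetLang('InvalidCaptcha'));
            die;
        }
    }

    $loginName = '';
    $loginPass = '';

    // Need either a full credential pair or a remember-me cookie to proceed.
    $hasFormCredentials = isset($_POST['username']) && isset($_POST['password']);
    $hasRememberCookie  = isset($_COOKIE['RememberToken']);
    if (!$hasFormCredentials && !$hasRememberCookie) {
        $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
        return;
    }

    // Is this an automatic login from "Remember Me" being ticked, or a form login?
    if (isset($_POST['username'])) {
        // Reject non-scalar input outright rather than letting it reach
        // Quote()/md5() (a 'username[]=' submission arrives as an array).
        $userIsString = is_string($_POST['username']);
        $passIsString = !isset($_POST['password']) || is_string($_POST['password']);
        if (!$userIsString || !$passIsString) {
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
            die;
        }
        $loginName = $_POST['username'];
        // The password may be absent when a RememberToken cookie is also
        // present (the guard above only requires one of the two paths).
        $loginPass = isset($_POST['password']) ? $_POST['password'] : '';
        // userstatus is selected instead of filtered so locked accounts can be
        // reported separately below; 'fails' feeds the lockout counter.
        $query = sprintf(
            "SELECT pk_userid, username, userpass, token, userimportpass, fails, userstatus FROM [|PREFIX|]users WHERE username='%s'",
            $GLOBALS['ISC_CLASS_DB']->Quote($loginName)
        );
    } else {
        $cookieToken = isset($_COOKIE['RememberToken']) && is_string($_COOKIE['RememberToken'])
            ? trim($_COOKIE['RememberToken'])
            : '';
        if ($cookieToken !== '') {
            // The cookie value is the credential here: the row is selected by
            // matching it against md5(username . token) in the database.
            $query = sprintf(
                "SELECT pk_userid, username, userpass, token, userimportpass, fails, userstatus FROM [|PREFIX|]users WHERE md5(concat(username, token))='%s'",
                $GLOBALS['ISC_CLASS_DB']->Quote($_COOKIE['RememberToken'])
            );
        } else {
            // Otherwise, we have a bad username/password
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
            die;
        }
    }

    $remember = isset($_POST['remember']) || isset($_COOKIE['RememberToken']);

    // Started here as in the original; nothing in this method flushes it explicitly.
    ob_start();

    // Try and find a user with the same credentials
    $userResult = $GLOBALS["ISC_CLASS_DB"]->Query($query);
    if ($userRow = $GLOBALS["ISC_CLASS_DB"]->Fetch($userResult)) {
        // Already-locked user: change the message and get out.
        // NOTE: this response differs from the generic "invalid" one and is
        // sent before the password is verified, so it confirms to anyone who
        // knows the username that the account exists and is locked.
        if ((int)$userRow['userstatus'] === 0) {
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("has been locked", $loginName);
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(false, false, GetLang('LockedUser'));
            die;
        }

        if (!$remember) {
            // Expire any stale remember-me cookie from a previous session.
            ISC_SetCookie("RememberToken", "", time() - 3600 * 24 * 365, true);
        }

        // NOTE: the stored scheme is an unsalted md5 of the password. Changing
        // it needs a migration and is out of scope here; the comparison is at
        // least strict (no numeric-string juggling) and constant-time.
        $submittedHash   = md5($loginPass);
        $passwordMatches = hash_equals((string)$userRow['userpass'], $submittedHash);

        // Was this an imported password?
        if ((string)$userRow['userimportpass'] !== '' && !$passwordMatches) {
            if (ValidateImportPassword($loginPass, $userRow['userimportpass'])) {
                // Valid login from an import password. We now store the
                // Interspire Shopping Cart version of the password and reset
                // the failure counter.
                $updatedUser = array("userpass" => $submittedHash, "userimportpass" => "", 'fails' => 0);
                $GLOBALS['ISC_CLASS_DB']->UpdateQuery(
                    "users",
                    $updatedUser,
                    "pk_userid='" . $GLOBALS['ISC_CLASS_DB']->Quote($userRow['pk_userid']) . "'"
                );
            } else {
                $this->doLoginFailed($userRow['pk_userid'], $userRow['fails']);
                unset($userRow['pk_userid']);
            }
        } else {
            // Is this a "Remember Me" auto login or a form login?
            if (isset($_POST['username'])) {
                if (!$passwordMatches) {
                    $this->doLoginFailed($userRow['pk_userid'], $userRow['fails']);
                    unset($userRow['pk_userid']);
                } elseif ($userRow['fails'] > 0) {
                    // Clear the failure counter on a successful password.
                    $this->clearFails($userRow['pk_userid']);
                }
            }
            // Cookie login: the md5(username.token) lookup above was the
            // credential, so there is nothing further to verify.
        }

        if (isset($userRow['pk_userid'])) {
            // Set the auth cookie (also mirrored into $_COOKIE for this request).
            $_COOKIE['STORESUITE_CP_TOKEN'] = $userRow['token'];
            ISC_SetCookie("STORESUITE_CP_TOKEN", $userRow['token'], 0, true);
            if ($remember) {
                // NOTE: the remember token is a bare md5 of username.token with
                // a one-year lifetime; it can only be invalidated by changing
                // the user's token.
                ISC_SetCookie("RememberToken", md5($userRow['username'] . $userRow['token']), time() + 3600 * 24 * 365, true);
            }
            // Log the successful login to the administrators log
            $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("valid");
            // Everything was OK and the user has been logged in successfully
            ?>
<script type="text/javascript">
document.location.href='index.php?ToDo=';
</script>
<?php
            die;
        }
    }

    // Otherwise, we have a bad username/password
    $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
    $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
    die;
}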