/**
* Check user login
*
* @return boolean
*/
function check_user_login()
{
$cfg = EasySCP_Registry::get('Config');
$sess_id = session_id();
// kill timed out sessions
do_session_timeout();
$user_logged = isset($_SESSION['user_logged']) ? $_SESSION['user_logged'] : false;
if (!$user_logged) {
return false;
}
$sql_param = array(':admin_name' => $user_logged, ':admin_pass' => $_SESSION['user_pass'], ':admin_type' => $_SESSION['user_type'], ':admin_id' => $_SESSION['user_id'], ':session_id' => $sess_id);
// verify session data with database
$sql_query = "\n\t\tSELECT\n\t\t\t*\n\t\tFROM\n\t\t\tadmin, login\n\t\tWHERE\n\t\t\tadmin.admin_name = :admin_name\n\t\tAND\n\t\t\tadmin.admin_pass = :admin_pass\n\t\tAND\n\t\t\tadmin.admin_type = :admin_type\n\t\tAND\n\t\t\tadmin.admin_id = :admin_id\n\t\tAND\n\t\t\tlogin.session_id = :session_id;\n\t";
DB::prepare($sql_query);
$rs = DB::execute($sql_param);
if ($rs->rowCount() != 1) {
write_log("Detected session manipulation on " . $user_logged . "'s session!");
unset_user_login_data();
return false;
}
if ((EasySCP_Update_Database::getInstance()->checkUpdateExists() || $cfg->MAINTENANCEMODE) && $_SESSION['user_type'] != 'admin') {
unset_user_login_data();
write_log("System is currently in maintenance mode. Logging out <strong><em>" . $user_logged . "</em></strong>");
user_goto('/index.php');
}
// if user login data correct - update session and lastaccess
$_SESSION['user_login_time'] = time();
$sql_param = array(':lastaccess' => time(), ':session_id' => $sess_id);
$sql_query = "\n\t\tUPDATE\n\t\t\tlogin\n\t\tSET\n\t\t\tlastaccess = :lastaccess\n\t\tWHERE\n\t\t\tsession_id = :session_id\n\t;";
DB::prepare($sql_query);
DB::execute($sql_param);
return true;
}
* The Initial Developer of the Original Code is moleSoftware GmbH.
* Portions created by Initial Developer are Copyright (C) 2001-2006
* by moleSoftware GmbH. All Rights Reserved.
*
* Portions created by the ispCP Team are Copyright (C) 2006-2010 by
* isp Control Panel. All Rights Reserved.
*
* Portions created by the i-MSCP Team are Copyright (C) 2010-2015 by
* i-MSCP - internet Multi Server Control Panel. All Rights Reserved.
*/
// Include core library
require_once 'imscp-lib.php';
require_once LIBRARY_PATH . '/Functions/LostPassword.php';
iMSCP_Events_Aggregator::getInstance()->dispatch(iMSCP_Events::onLostPasswordScriptStart);
// Purge expired sessions
do_session_timeout();
/** @var $cfg iMSCP_Config_Handler_File */
$cfg = iMSCP_Registry::get('config');
// Lost password feature is disabled ?
if (!$cfg['LOSTPASSWORD']) {
redirectTo('/index.php');
}
// Check for gd library availability
if (!check_gd()) {
throw new iMSCP_Exception(tr("PHP GD extension not loaded."));
}
// Remove old unique keys
removeOldKeys($cfg['LOSTPASSWORD_TIMEOUT']);
$tpl = new iMSCP_pTemplate();
$tpl->define_dynamic(array('layout' => 'shared/layouts/simple.tpl', 'page' => 'lostpassword.tpl', 'page_message' => 'layout'));
$tpl->assign(array('TR_PAGE_TITLE' => tr('i-MSCP - Multi Server Control Panel / Lost Password'), 'CONTEXT_CLASS' => '', 'productLongName' => tr('internet Multi Server Control Panel'), 'productLink' => 'http://www.i-mscp.net', 'productCopyright' => tr('© 2010-2015 i-MSCP Team<br/>All Rights Reserved'), 'TR_CAPCODE' => tr('Security code'), 'GET_NEW_IMAGE' => tr('Get a new image'), 'TR_IMGCAPCODE' => '<img id="captcha" src="imagecode.php" width="' . $cfg['LOSTPASSWORD_CAPTCHA_WIDTH'] . '" height="' . $cfg['LOSTPASSWORD_CAPTCHA_HEIGHT'] . '" alt="captcha image" />', 'TR_USERNAME' => tr('Username'), 'TR_SEND' => tr('Send'), 'TR_CANCEL' => tr('Cancel')));
/**
* Check login
*
* @param string $userLevel User level (admin|reseller|user)
* @param bool $preventExternalLogin If TRUE, external login is disallowed
*/
function check_login($userLevel = '', $preventExternalLogin = true)
{
do_session_timeout();
$auth = iMSCP_Authentication::getInstance();
if (!$auth->hasIdentity()) {
$auth->unsetIdentity();
// Ensure deletion of all entity data
if (is_xhr()) {
header('HTTP/1.0 403 Forbidden');
exit;
}
redirectTo('/index.php');
}
/** @var $cfg iMSCP_Config_Handler_File */
$cfg = iMSCP_Registry::get('config');
$identity = $auth->getIdentity();
if ($cfg->MAINTENANCEMODE && $identity->admin_type != 'admin' && (!isset($_SESSION['logged_from_type']) || $_SESSION['logged_from_type'] != 'admin')) {
$auth->unsetIdentity();
redirectTo('/index.php');
}
// Check user level
if (!empty($userLevel) && ($userType = $identity->admin_type) != $userLevel) {
if ($userType != 'admin' && (!isset($_SESSION['logged_from']) || $_SESSION['logged_from'] != 'admin')) {
$loggedUser = isset($_SESSION['logged_from']) ? $_SESSION['logged_from'] : $identity->admin_name;
write_log('Warning! user |' . $loggedUser . '| requested |' . tohtml($_SERVER['REQUEST_URI']) . '| with REQUEST_METHOD |' . $_SERVER['REQUEST_METHOD'] . '|', E_USER_WARNING);
}
redirectTo('/index.php');
}
// prevent external login / check for referer
if ($preventExternalLogin && !empty($_SERVER['HTTP_REFERER'])) {
// Extracting hostname from referer URL
// Note2: We remove any braket in referer (ipv6 issue)
$refererHostname = str_replace(array('[', ']'), '', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST));
// The URL does contains the host element ?
if (!is_null($refererHostname)) {
// Note1: We don't care about the scheme, we only want make parse_url() happy
// Note2: We remove any braket in hostname (ipv6 issue)
$http_host = str_replace(array('[', ']'), '', parse_url("http://{$_SERVER['HTTP_HOST']}", PHP_URL_HOST));
// The referer doesn't match the panel hostname ?
if (!in_array($refererHostname, array($http_host, $_SERVER['SERVER_NAME']))) {
set_page_message(tr('Request from foreign host was blocked.'), 'info');
# Quick fix for #96 (will be rewritten ASAP)
isset($_SERVER['REDIRECT_URL']) ?: ($_SERVER['REDIRECT_URL'] = '');
if (!(substr($_SERVER['SCRIPT_FILENAME'], (int) -strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) == $_SERVER['REDIRECT_URL'])) {
redirectToUiLevel();
}
}
}
}
// If all goes fine update session and lastaccess
$_SESSION['user_login_time'] = time();
exec_query('UPDATE login SET lastaccess = ? WHERE session_id = ?', array($_SESSION['user_login_time'], session_id()));
}