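/**
 * Check user login
 *
 * Validates the current PHP session against the `admin` and `login` tables:
 * the session must carry a user name, password value, type and id that all
 * match one `admin` row, and the PHP session id must match one `login` row.
 * On success the session's last-access time is refreshed; on any mismatch
 * the login data is cleared so the caller treats the request as anonymous.
 *
 * @return boolean TRUE when the session verified against the database,
 *                 FALSE otherwise (login data is already unset in that case)
 */
function check_user_login()
{
    $cfg = EasySCP_Registry::get('Config');
    $sess_id = session_id();

    // kill timed out sessions before trusting anything stored in $_SESSION
    do_session_timeout();

    $user_logged = isset($_SESSION['user_logged']) ? $_SESSION['user_logged'] : false;
    if (!$user_logged) {
        return false;
    }

    // A session that names a user but lacks the other credentials is treated
    // exactly like a failed database check (same log line, same cleanup)
    // instead of binding NULLs into the query and emitting PHP notices.
    foreach (array('user_pass', 'user_type', 'user_id') as $sessKey) {
        if (!isset($_SESSION[$sessKey])) {
            write_log("Detected session manipulation on " . $user_logged . "'s session!");
            unset_user_login_data();
            return false;
        }
    }

    // NOTE(review): the session-stored password value is compared against
    // admin.admin_pass inside SQL; presumably both hold the same hash, which
    // means the credential hash lives in the session store — confirm whether
    // that is still needed once the session id itself is verified below.
    $sql_param = array(':admin_name' => $user_logged, ':admin_pass' => $_SESSION['user_pass'], ':admin_type' => $_SESSION['user_type'], ':admin_id' => $_SESSION['user_id'], ':session_id' => $sess_id);

    // verify session data with database
    // NOTE(review): `admin, login` is a cross join with no column linking the
    // two tables; the rowCount() == 1 test therefore requires exactly one
    // matching admin row AND exactly one login row for this session id.
    $sql_query = "\n\t\tSELECT\n\t\t\t*\n\t\tFROM\n\t\t\tadmin, login\n\t\tWHERE\n\t\t\tadmin.admin_name = :admin_name\n\t\tAND\n\t\t\tadmin.admin_pass = :admin_pass\n\t\tAND\n\t\t\tadmin.admin_type = :admin_type\n\t\tAND\n\t\t\tadmin.admin_id = :admin_id\n\t\tAND\n\t\t\tlogin.session_id = :session_id;\n\t";
    DB::prepare($sql_query);
    $rs = DB::execute($sql_param);

    // NOTE(review): PDOStatement::rowCount() on a SELECT is driver dependent
    // (reliable with buffered MySQL queries) — confirm the DB wrapper's mode.
    if ($rs->rowCount() != 1) {
        write_log("Detected session manipulation on " . $user_logged . "'s session!");
        unset_user_login_data();
        return false;
    }

    // Non-admins are logged out while an update is pending or maintenance
    // mode is on. user_goto() is expected to terminate the request; the
    // explicit return guards against it ever returning, so a logged-out
    // session can never fall through to "login OK" below.
    if ((EasySCP_Update_Database::getInstance()->checkUpdateExists() || $cfg->MAINTENANCEMODE) && $_SESSION['user_type'] != 'admin') {
        unset_user_login_data();
        write_log("System is currently in maintenance mode. Logging out <strong><em>" . $user_logged . "</em></strong>");
        user_goto('/index.php');
        return false;
    }

    // if user login data correct - update session and lastaccess
    $_SESSION['user_login_time'] = time();
    $sql_param = array(':lastaccess' => time(), ':session_id' => $sess_id);
    $sql_query = "\n\t\tUPDATE\n\t\t\tlogin\n\t\tSET\n\t\t\tlastaccess = :lastaccess\n\t\tWHERE\n\t\t\tsession_id = :session_id\n\t;";
    DB::prepare($sql_query);
    DB::execute($sql_param);

    return true;
}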
 * The Initial Developer of the Original Code is moleSoftware GmbH.
 * Portions created by Initial Developer are Copyright (C) 2001-2006
 * by moleSoftware GmbH. All Rights Reserved.
 *
 * Portions created by the ispCP Team are Copyright (C) 2006-2010 by
 * isp Control Panel. All Rights Reserved.
 *
 * Portions created by the i-MSCP Team are Copyright (C) 2010-2015 by
 * i-MSCP - internet Multi Server Control Panel. All Rights Reserved.
 */
// Include core library
require_once 'imscp-lib.php';
require_once LIBRARY_PATH . '/Functions/LostPassword.php';

iMSCP_Events_Aggregator::getInstance()->dispatch(iMSCP_Events::onLostPasswordScriptStart);

// Drop sessions that have outlived their timeout
do_session_timeout();

/** @var $cfg iMSCP_Config_Handler_File */
$cfg = iMSCP_Registry::get('config');

// Nothing to serve when the lost-password feature is switched off
if (!$cfg['LOSTPASSWORD']) {
    redirectTo('/index.php');
}

// The captcha image is rendered with GD; refuse to continue without it
if (!check_gd()) {
    throw new iMSCP_Exception(tr("PHP GD extension not loaded."));
}

// Discard unique keys older than the configured lost-password timeout
removeOldKeys($cfg['LOSTPASSWORD_TIMEOUT']);

$tpl = new iMSCP_pTemplate();
$tpl->define_dynamic(
    array(
        'layout' => 'shared/layouts/simple.tpl',
        'page' => 'lostpassword.tpl',
        'page_message' => 'layout'
    )
);
$tpl->assign(
    array(
        'TR_PAGE_TITLE' => tr('i-MSCP - Multi Server Control Panel / Lost Password'),
        'CONTEXT_CLASS' => '',
        'productLongName' => tr('internet Multi Server Control Panel'),
        'productLink' => 'http://www.i-mscp.net',
        'productCopyright' => tr('© 2010-2015 i-MSCP Team<br/>All Rights Reserved'),
        'TR_CAPCODE' => tr('Security code'),
        'GET_NEW_IMAGE' => tr('Get a new image'),
        // Captcha dimensions come from the panel configuration, not from the client
        'TR_IMGCAPCODE' => sprintf(
            '<img id="captcha" src="imagecode.php" width="%s" height="%s" alt="captcha image" />',
            $cfg['LOSTPASSWORD_CAPTCHA_WIDTH'],
            $cfg['LOSTPASSWORD_CAPTCHA_HEIGHT']
        ),
        'TR_USERNAME' => tr('Username'),
        'TR_SEND' => tr('Send'),
        'TR_CANCEL' => tr('Cancel')
    )
);
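/**
 * Check login
 *
 * Ends the request (HTTP 403 for XHR calls, a redirect to /index.php
 * otherwise) when there is no authenticated identity, when the panel is in
 * maintenance mode and the identity is neither an admin nor a user an admin
 * switched into, or when the identity's type differs from $userLevel. With
 * $preventExternalLogin the Referer host must also match the panel host.
 * When everything passes, the session's last-access time is refreshed in
 * the `login` table.
 *
 * @param string $userLevel User level (admin|reseller|user); empty skips the level check
 * @param bool $preventExternalLogin If TRUE, external login is disallowed
 * @return void
 */
function check_login($userLevel = '', $preventExternalLogin = true)
{
    do_session_timeout();

    $auth = iMSCP_Authentication::getInstance();

    if (!$auth->hasIdentity()) {
        // Ensure deletion of all identity data before bouncing the client
        $auth->unsetIdentity();

        // XHR callers get a bare 403 rather than an HTML redirect
        if (is_xhr()) {
            header('HTTP/1.0 403 Forbidden');
            exit;
        }

        redirectTo('/index.php');
    }

    /** @var $cfg iMSCP_Config_Handler_File */
    $cfg = iMSCP_Registry::get('config');
    $identity = $auth->getIdentity();

    // An admin who switched into another account is tracked by
    // $_SESSION['logged_from_type'] (the original account's type);
    // $_SESSION['logged_from'] holds that account's name, not its type.
    $actingAsAdmin = isset($_SESSION['logged_from_type']) && $_SESSION['logged_from_type'] == 'admin';

    if ($cfg->MAINTENANCEMODE && $identity->admin_type != 'admin' && !$actingAsAdmin) {
        $auth->unsetIdentity();
        redirectTo('/index.php');
    }

    // Check user level
    if (!empty($userLevel) && ($userType = $identity->admin_type) != $userLevel) {
        // Log the mismatch unless an admin (or an admin acting as another
        // user) is behind it. The "acting as admin" test now uses the type
        // key, consistent with the maintenance-mode check above; it used to
        // compare the user name in logged_from against the literal 'admin'.
        if ($userType != 'admin' && !$actingAsAdmin) {
            $loggedUser = isset($_SESSION['logged_from']) ? $_SESSION['logged_from'] : $identity->admin_name;
            // REQUEST_METHOD is client supplied as well, so escape it like REQUEST_URI
            write_log(
                'Warning! user |' . $loggedUser . '| requested |' . tohtml($_SERVER['REQUEST_URI']) .
                '| with REQUEST_METHOD |' . tohtml($_SERVER['REQUEST_METHOD']) . '|',
                E_USER_WARNING
            );
        }

        redirectTo('/index.php');
    }

    // prevent external login / check for referer
    // NOTE(review): a missing Referer header skips this check entirely, and
    // HTTP_HOST is itself client supplied — SERVER_NAME is the trustworthy
    // comparand unless the vhost only accepts known Host values.
    if ($preventExternalLogin && !empty($_SERVER['HTTP_REFERER'])) {
        // Extracting hostname from referer URL
        // Note2: We remove any braket in referer (ipv6 issue)
        $refererHostname = str_replace(array('[', ']'), '', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST));

        // The URL does contains the host element ?
        if (!is_null($refererHostname)) {
            // Note1: We don't care about the scheme, we only want make parse_url() happy
            // Note2: We remove any braket in hostname (ipv6 issue)
            $http_host = str_replace(array('[', ']'), '', parse_url("http://{$_SERVER['HTTP_HOST']}", PHP_URL_HOST));

            // The referer doesn't match the panel hostname ?
            // Strict comparison: host names must match as strings, never via
            // PHP's loose numeric-string equality.
            if (!in_array($refererHostname, array($http_host, $_SERVER['SERVER_NAME']), true)) {
                set_page_message(tr('Request from foreign host was blocked.'), 'info');

                # Quick fix for #96 (will be rewritten ASAP)
                isset($_SERVER['REDIRECT_URL']) ?: ($_SERVER['REDIRECT_URL'] = '');

                if (!(substr($_SERVER['SCRIPT_FILENAME'], (int) -strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) == $_SERVER['REDIRECT_URL'])) {
                    redirectToUiLevel();
                }
            }
        }
    }

    // If all goes fine update session and lastaccess
    $_SESSION['user_login_time'] = time();
    exec_query('UPDATE login SET lastaccess = ? WHERE session_id = ?', array($_SESSION['user_login_time'], session_id()));
}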