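/**
 * Check user login
 *
 * Validates the current PHP session against the database: the session's
 * user name, stored password value, user type and user id must all match one
 * `admin` row, and the current session id must be present in the `login`
 * table. On success the session login time and `login.lastaccess` are
 * refreshed.
 *
 * Security notes (existing design, documented here rather than changed):
 *  - The session carries a copy of the `admin.admin_pass` column
 *    (`$_SESSION['user_pass']`) and the query re-compares it, so a password
 *    change invalidates older sessions — but the credential value also lives
 *    in the session store.
 *  - `admin` and `login` are listed without a join condition; the `login`
 *    row is matched on session id only. NOTE(review): if `login` records the
 *    user name, joining on it would bind the session row to the admin row it
 *    was created for — confirm against the schema.
 *
 * @return boolean TRUE when the session is valid, FALSE otherwise
 */
function check_user_login() {
	$cfg = EasySCP_Registry::get('Config');
	$sess_id = session_id();

	// kill timed out sessions
	do_session_timeout();

	$user_logged = isset($_SESSION['user_logged']) ? $_SESSION['user_logged'] : false;

	if (!$user_logged) {
		return false;
	}

	// A logged-in session always carries these keys; if any is missing the
	// session cannot have come from a successful login, so drop it up front
	// instead of binding NULLs into the query (which also emits PHP notices).
	foreach (array('user_pass', 'user_type', 'user_id') as $required_key) {
		if (!isset($_SESSION[$required_key])) {
			write_log("Detected session manipulation on " . $user_logged . "'s session!");
			unset_user_login_data();
			return false;
		}
	}

	$sql_param = array(
		':admin_name' => $user_logged,
		':admin_pass' => $_SESSION['user_pass'],
		':admin_type' => $_SESSION['user_type'],
		':admin_id' => $_SESSION['user_id'],
		':session_id' => $sess_id
	);

	// verify session data with database
	$sql_query = "
		SELECT
			*
		FROM
			admin, login
		WHERE
			admin.admin_name = :admin_name
		AND
			admin.admin_pass = :admin_pass
		AND
			admin.admin_type = :admin_type
		AND
			admin.admin_id = :admin_id
		AND
			login.session_id = :session_id;
	";

	DB::prepare($sql_query);
	$rs = DB::execute($sql_param);

	// Exactly one row is expected; zero means the session no longer matches
	// the database, more than one would mean duplicated rows — both are
	// treated as tampering.
	if ($rs->rowCount() !== 1) {
		write_log("Detected session manipulation on " . $user_logged . "'s session!");
		unset_user_login_data();
		return false;
	}

	// Pending database update or maintenance mode: only admins stay logged in
	if ((EasySCP_Update_Database::getInstance()->checkUpdateExists() || $cfg->MAINTENANCEMODE)
		&& $_SESSION['user_type'] !== 'admin'
	) {
		unset_user_login_data();
		write_log("System is currently in maintenance mode. Logging out <strong><em>" . $user_logged . "</em></strong>");
		user_goto('/index.php');
	}

	// if user login data correct - update session and lastaccess
	$_SESSION['user_login_time'] = time();

	$sql_param = array(':lastaccess' => time(), ':session_id' => $sess_id);
	$sql_query = "
		UPDATE
			login
		SET
			lastaccess = :lastaccess
		WHERE
			session_id = :session_id
	;";

	DB::prepare($sql_query);
	DB::execute($sql_param);

	return true;
}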
* The Initial Developer of the Original Code is moleSoftware GmbH.
* Portions created by Initial Developer are Copyright (C) 2001-2006
* by moleSoftware GmbH. All Rights Reserved.
*
* Portions created by the ispCP Team are Copyright (C) 2006-2010 by
* isp Control Panel. All Rights Reserved.
*
* Portions created by the i-MSCP Team are Copyright (C) 2010-2015 by
* i-MSCP - internet Multi Server Control Panel. All Rights Reserved.
*/

// Include core library
require_once 'imscp-lib.php';
require_once LIBRARY_PATH . '/Functions/LostPassword.php';

iMSCP_Events_Aggregator::getInstance()->dispatch(iMSCP_Events::onLostPasswordScriptStart);

// Purge expired sessions
do_session_timeout();

/** @var $cfg iMSCP_Config_Handler_File */
$cfg = iMSCP_Registry::get('config');

// Lost password feature is disabled ?
// This page is reachable without a login; when the feature is switched off
// in the configuration nothing below is executed.
if (!$cfg['LOSTPASSWORD']) {
	redirectTo('/index.php');
}

// Check for gd library availability
// The captcha image (imagecode.php, referenced below) needs GD; fail loudly
// rather than serving a reset form whose security code cannot be rendered.
if (!check_gd()) {
	throw new iMSCP_Exception(tr("PHP GD extension not loaded."));
}

// Remove old unique keys
// Expire stale password-reset keys; the argument is the configured
// LOSTPASSWORD_TIMEOUT (unit not visible here — presumably minutes, see
// removeOldKeys()). NOTE(review): throttling of reset requests per user/IP,
// if any, is not part of this section — confirm in the request handler.
removeOldKeys($cfg['LOSTPASSWORD_TIMEOUT']);

$tpl = new iMSCP_pTemplate();
$tpl->define_dynamic(array(
	'layout' => 'shared/layouts/simple.tpl',
	'page' => 'lostpassword.tpl',
	'page_message' => 'layout'
));
// Static page strings. TR_IMGCAPCODE embeds the captcha width/height straight
// from the configuration without escaping; these values are admin-controlled
// configuration, not request input.
$tpl->assign(array(
	'TR_PAGE_TITLE' => tr('i-MSCP - Multi Server Control Panel / Lost Password'),
	'CONTEXT_CLASS' => '',
	'productLongName' => tr('internet Multi Server Control Panel'),
	'productLink' => 'http://www.i-mscp.net',
	'productCopyright' => tr('© 2010-2015 i-MSCP Team<br/>All Rights Reserved'),
	'TR_CAPCODE' => tr('Security code'),
	'GET_NEW_IMAGE' => tr('Get a new image'),
	'TR_IMGCAPCODE' => '<img id="captcha" src="imagecode.php" width="' . $cfg['LOSTPASSWORD_CAPTCHA_WIDTH'] . '" height="' . $cfg['LOSTPASSWORD_CAPTCHA_HEIGHT'] . '" alt="captcha image" />',
	'TR_USERNAME' => tr('Username'),
	'TR_SEND' => tr('Send'),
	'TR_CANCEL' => tr('Cancel')
));
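/**
 * Check login
 *
 * Purges expired sessions and requires an authenticated identity (XHR
 * callers get a bare 403, others are redirected to /index.php). Then:
 *  - in maintenance mode, logs out everyone who is not an admin and was not
 *    switched into this account by an admin;
 *  - when $userLevel is given, redirects identities of another level (a
 *    warning is logged unless an admin is behind the request);
 *  - when $preventExternalLogin is TRUE and a Referer header is present,
 *    blocks requests whose Referer host is neither HTTP_HOST nor SERVER_NAME.
 * On success the session login time and `login.lastaccess` are refreshed.
 *
 * Security notes:
 *  - The Referer check is skipped entirely when no Referer is sent (strict
 *    referrer policies, privacy proxies, direct navigation), so it is a
 *    heuristic against off-site form posts, not a substitute for a CSRF token.
 *  - HTTP_HOST is taken from the request; the comparison is only as strong as
 *    the web server's own Host header validation.
 *
 * @param string $userLevel User level (admin|reseller|user); empty string accepts any level
 * @param bool $preventExternalLogin If TRUE, external login is disallowed
 * @return void
 */
function check_login($userLevel = '', $preventExternalLogin = true) {
	do_session_timeout();

	$auth = iMSCP_Authentication::getInstance();

	if (!$auth->hasIdentity()) {
		$auth->unsetIdentity(); // Ensure deletion of all entity data

		if (is_xhr()) {
			header('HTTP/1.0 403 Forbidden');
			exit;
		}

		redirectTo('/index.php');
	}

	/** @var $cfg iMSCP_Config_Handler_File */
	$cfg = iMSCP_Registry::get('config');
	$identity = $auth->getIdentity();

	// TRUE when an admin switched into this account (the "logged from" data
	// stays in the session while the admin acts as another user)
	$loggedFromAdmin = isset($_SESSION['logged_from_type']) && $_SESSION['logged_from_type'] === 'admin';

	// Maintenance mode: only admins, or sessions an admin switched from, stay logged in
	if ($cfg->MAINTENANCEMODE && $identity->admin_type !== 'admin' && !$loggedFromAdmin) {
		$auth->unsetIdentity();
		redirectTo('/index.php');
	}

	// Check user level
	if (!empty($userLevel) && ($userType = $identity->admin_type) !== $userLevel) {
		// Log the attempt unless an admin is behind it. The previous test
		// compared $_SESSION['logged_from'] (a user *name*, see $loggedUser
		// below) with 'admin', which only matched an admin account literally
		// named "admin"; the type field is what the maintenance check above
		// already relies on.
		if ($userType !== 'admin' && !$loggedFromAdmin) {
			$loggedUser = isset($_SESSION['logged_from']) ? $_SESSION['logged_from'] : $identity->admin_name;

			// REQUEST_URI and REQUEST_METHOD are both client-supplied; escape
			// both the same way (tohtml() was previously applied to the URI
			// only, presumably because the log is shown as HTML).
			write_log(
				'Warning! user |' . $loggedUser . '| requested |' . tohtml($_SERVER['REQUEST_URI']) .
				'| with REQUEST_METHOD |' . tohtml($_SERVER['REQUEST_METHOD']) . '|',
				E_USER_WARNING
			);
		}

		redirectTo('/index.php');
	}

	// prevent external login / check for referer
	if ($preventExternalLogin && !empty($_SERVER['HTTP_REFERER'])) {
		$refererHost = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);

		// The URL does contains the host element ?
		// parse_url() returns NULL when the host element is missing; the
		// previous code ran str_replace() first, which turned NULL into ''
		// and made this test unreachable. FALSE (unparseable URL) still
		// falls through and is treated as a foreign host.
		if (!is_null($refererHost)) {
			// Brackets removed on both sides (IPv6 literal)
			$refererHostname = str_replace(array('[', ']'), '', $refererHost);

			// We don't care about the scheme, it only makes parse_url() happy
			$http_host = str_replace(array('[', ']'), '', parse_url("http://{$_SERVER['HTTP_HOST']}", PHP_URL_HOST));

			// The referer doesn't match the panel hostname ?
			if (!in_array($refererHostname, array($http_host, $_SERVER['SERVER_NAME']), true)) {
				set_page_message(tr('Request from foreign host was blocked.'), 'info');

				// Quick fix for #96 (will be rewritten ASAP): a request that was
				// internally rewritten to this script — REDIRECT_URL is the tail
				// of SCRIPT_FILENAME — is allowed through. The exemption needs a
				// non-empty REDIRECT_URL: with an empty one the old suffix test
				// compared '' with '' and so skipped the redirect for every
				// non-rewritten request, leaving only the page message.
				if (!isset($_SERVER['REDIRECT_URL'])) {
					$_SERVER['REDIRECT_URL'] = '';
				}

				$redirectUrl = $_SERVER['REDIRECT_URL'];
				$isRewrittenRequest = $redirectUrl !== ''
					&& substr($_SERVER['SCRIPT_FILENAME'], -strlen($redirectUrl)) === $redirectUrl;

				if (!$isRewrittenRequest) {
					redirectToUiLevel();
				}
			}
		}
	}

	// If all goes fine update session and lastaccess
	$_SESSION['user_login_time'] = time();

	exec_query(
		'UPDATE login SET lastaccess = ? WHERE session_id = ?',
		array($_SESSION['user_login_time'], session_id())
	);
}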