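/**
 * Sets the SMF-style login cookie and session based on the id_member and password passed.
 * - password should be already encrypted with the cookie salt.
 * - logs the user out if id_member is zero.
 * - sets the cookie and session to last the number of seconds specified by cookie_length.
 * - when logging out, if the globalCookies setting is enabled, attempts to clear the subdomain's cookie too.
 * - when the cookie value changes, the PHP session is destroyed and re-created under a new id.
 *
 * @param int $cookie_length Lifetime of the cookie and session, in seconds.
 * @param int $id The id of the member; 0 (or any empty value) logs the user out.
 * @param string $password The already-salted password hash stored in the cookie ('' when logging out).
 * @return void
 */
function setLoginCookie($cookie_length, $id, $password = '')
{
    global $cookiename, $boardurl, $modSettings, $sourcedir;

    // If changing state force them to re-address some permission caching.
    $_SESSION['mc']['time'] = 0;

    // Bit 0: localCookies (path-restricted), bit 1: globalCookies (domain-wide).
    $cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2);

    // The cookie may already exist, and have been set with different options.
    // The pattern pins the serialized payload to a flat array of ints and short digit/hex strings
    // before it is handed to unserialize(), so client-supplied data cannot instantiate objects.
    // Keep the pattern in sync if the cookie layout ever changes.
    if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1) {
        $array = @unserialize($_COOKIE[$cookiename]);

        // Out with the old, in with the new!
        if (is_array($array) && isset($array[3]) && $array[3] != $cookie_state) {
            // Parenthesised on purpose: in PHP '>' binds tighter than '&', so the previous
            // "$array[3] & 2 > 0" evaluated to "$array[3] & 1" and both arguments tested bit 0,
            // which cleared the stale cookie on the wrong path/domain.
            $cookie_url = url_parts(($array[3] & 1) > 0, ($array[3] & 2) > 0);
            smf_setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0]);
        }
    }

    // Get the data and path to set it on. An empty $id writes the "logged out" triple.
    $data = serialize(empty($id) ? array(0, '', 0) : array($id, $password, time() + $cookie_length, $cookie_state));
    $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));

    // Set the cookie, $_COOKIE, and session variable.
    smf_setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0]);

    // If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
    if (empty($id) && !empty($modSettings['globalCookies'])) {
        smf_setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], '');
    }

    // Any alias URLs?  This is mainly for use with frames, etc.
    if (!empty($modSettings['forum_alias_urls'])) {
        $aliases = explode(',', $modSettings['forum_alias_urls']);
        $saved_boardurl = $boardurl;
        foreach ($aliases as $alias) {
            // Fake the $boardurl so we can set a different cookie.
            $alias = strtr(trim($alias), array('http://' => '', 'https://' => ''));
            $boardurl = 'http://' . $alias;
            $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
            if ($cookie_url[0] == '') {
                // No domain came back for the alias: use the alias host itself.
                $cookie_url[0] = strtok($alias, '/');
            }
            smf_setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0]);
        }
        $boardurl = $saved_boardurl;
    }

    $_COOKIE[$cookiename] = $data;

    // Make sure the user logs in with a new session ID (prevents the pre-login session from
    // carrying over into the authenticated one).
    if (!isset($_SESSION['login_' . $cookiename]) || $_SESSION['login_' . $cookiename] !== $data) {
        // We need to meddle with the session.
        require_once $sourcedir . '/Session.php';

        // Backup and remove the old session.
        $oldSessionData = $_SESSION;
        $_SESSION = array();
        session_destroy();

        // Recreate and restore the new session.
        loadSession();
        // @todo should we use session_regenerate_id(true); now that we are 5.1+
        session_regenerate_id();
        $_SESSION = $oldSessionData;
        $_SESSION['login_' . $cookiename] = $data;
    }
}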
    } else {
        ob_end_clean();
        ob_start('ob_gzhandler');
    }
}
// Emit some headers for some modicum of protection against nasties.
if (!headers_sent()) {
    // Future versions will make some of this configurable. This is primarily a 'safe' configuration for most cases for now.
    $protective_headers = array(
        'X-Frame-Options: SAMEORIGIN',     // only same-origin pages may frame us (clickjacking)
        'X-XSS-Protection: 1',             // legacy reflective-XSS filter hint; NOTE(review): current browsers ignore it
        'X-Content-Type-Options: nosniff', // stop MIME sniffing of our responses
    );
    foreach ($protective_headers as $protective_header) {
        header($protective_header);
    }
}

// Register an error handler.
set_error_handler('error_handler');

// Start the session. (assuming it hasn't already been.)
loadSession();
// Determine if this is using WAP, WAP2, or imode.  Technically, we should check that wap comes before application/xhtml or text/html, but this doesn't work in practice as much as it should.
if (isset($_REQUEST['wap']) || isset($_REQUEST['wap2']) || isset($_REQUEST['imode'])) {
    unset($_SESSION['nowap']);
} elseif (isset($_REQUEST['nowap'])) {
    $_SESSION['nowap'] = true;
} elseif (!isset($_SESSION['nowap'])) {
    if (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/vnd.wap.xhtml+xml') !== false) {
        $_REQUEST['wap2'] = 1;
    } elseif (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'text/vnd.wap.wml') !== false) {
        if (strpos($_SERVER['HTTP_USER_AGENT'], 'DoCoMo/') !== false || strpos($_SERVER['HTTP_USER_AGENT'], 'portalmmm/') !== false) {
            $_REQUEST['imode'] = 1;
        } else {
            $_REQUEST['wap'] = 1;
        }
    }
    if (isset($_SESSION['cal'])) {
        //active
        $calID = $_SESSION['cal'];
    } else {
        //expired, get cal & user ID
        $calID = $_SESSION['cal'] = isset($_COOKIE['LCALcid']) ? @unserialize($_COOKIE['LCALcid']) : $dbPfix;
        $_SESSION['uid'] = isset($_COOKIE['LCALuid']) ? @unserialize($_COOKIE['LCALuid']) : 1;
    }
    //get settings from database
    $set = getSettings();
}
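//set time zone
date_default_timezone_set($set['timeZone']);

//load session data from db
if ($set['restLastSel']) {
    loadSession($sessID, $calID);
}

//after login bake is set (1:bake, -1:eat cookie)
if (isset($_REQUEST['bake'])) {
    // Request input arrives as a string; cast it before it enters the expiry arithmetic so a
    // non-numeric value cannot raise a TypeError (PHP 8) or silently skew the expiry.
    $bake = (int) $_REQUEST['bake'];
    // The cookie carries a serialized uid and is neither signed nor HttpOnly, so the client can
    // rewrite it; anything read back from it must be treated as untrusted input.
    setcookie('LCALuid', serialize($_SESSION['uid']), time() + 86400 * $set['cookieExp'] * $bake);
    //set or refresh
    saveSession($sessID, $calID, $bake);
}

//check for mobile browsers
if (!isset($_SESSION['mobile'])) {
    $_SESSION['mobile'] = isMobile();
}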
//set header display
if (isset($_GET['hdr'])) {
    $_SESSION['hdr'] = $_GET['hdr'];
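 /**
  * integrate_pre_load hook: when the request arrived from the WordPress side (fromWp timestamp,
  * url, and a fresh Referer), translate the WordPress login-screen action into the matching
  * forum action and redirect there.
  *
  * The Referer is client-supplied; it is only used to reject requests whose host does not share
  * at least the two trailing labels with the forum host, never trusted for anything further.
  * Every matched branch ends in redirectexit(), which does not return.
  *
  * @return void
  */
 public function integrate_pre_load()
 {
     global $boardurl;

     // Check if we came from Wordpress and if so, redirect to the appropriate action.
     // The timestamp must be at most 30 seconds old; the cast keeps arbitrary strings out of the arithmetic.
     if (!isset($_GET['fromWp']) || empty($_GET['url']) || time() - (int) $_GET['fromWp'] > 30 || empty($_SERVER['HTTP_REFERER'])) {
         return;
     }

     $referer = parse_url($_SERVER['HTTP_REFERER']);
     // We don't want to allow cross domain requests; parse_url() returns false on a malformed URL.
     if (!is_array($referer) || empty($referer['host'])) {
         return;
     }

     $boardhost = parse_url($boardurl, PHP_URL_HOST);
     // No host in $boardurl means nothing can match; bail out instead of handing null to explode().
     if (!is_string($boardhost) || $boardhost === '') {
         return;
     }

     if ($boardhost !== $referer['host']) {
         // Compare them, TLD must at least match: walk both hosts from the right and count the
         // contiguous run of equal labels. Stopping at the first mismatch matters, otherwise
         // "a.b.example.com" and "x.b.other.com" would count two matching labels.
         $boardHostParts = array_reverse(explode('.', $boardhost));
         $refererHostParts = array_reverse(explode('.', $referer['host']));
         $matches = 0;
         while (!empty($boardHostParts) && !empty($refererHostParts)) {
             if (array_shift($boardHostParts) !== array_shift($refererHostParts)) {
                 break;
             }
             $matches++;
         }
         // Sharing only the TLD (e.g. ".com") is not the same site.
         if ($matches < 2) {
             return;
         }
     }

     define('WIRELESS', FALSE);
     $_SERVER['REQUEST_URL'] = !empty($_SERVER['REQUEST_URL']) ? $_SERVER['REQUEST_URL'] : '';

     $origin = parse_url($_GET['url']);
     // Coming from wp-login.php? Guard the lookup: a URL without a path has no 'path' key.
     if (is_array($origin) && isset($origin['path']) && strpos($origin['path'], 'wp-login.php') !== FALSE) {
         if (empty($origin['query'])) {
             $origin['query'] = 'action=login';
         }
         $query = array();
         parse_str($origin['query'], $query);
         if (empty($query['action'])) {
             $query['action'] = 'login';
         }

         switch ($query['action']) {
             case 'register':
                 redirectexit('action=register');
                 break;
             case 'logout':
                 // Need to load the session real quick so we can properly logout and redirect
                 loadSession();
                 $_SESSION['logout_url'] = $_SERVER['HTTP_REFERER'];
                 redirectexit('action=logout&' . $_SESSION['session_var'] . '=' . $_SESSION['session_value']);
                 break;
             case 'lostpassword':
             case 'retrievepassword':
                 redirectexit('action=reminder');
                 break;
             default:
                 redirectexit('action=login&wp_redirect=' . $this->encodeRedirect($_SERVER['HTTP_REFERER']));
                 break;
         }
     }
 }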
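/**
 * Issues a fresh session token for $username and echoes the resulting session as JSON.
 *
 * If checkSession() reports an existing userssession row the token is replaced (UPDATE),
 * otherwise a new row is inserted. Either way loadSession() is called afterwards and its
 * JSON is written to the output. On a database error nothing is echoed; the cause is logged.
 *
 * @param string $username Account the token is issued for; bound as a parameter, never interpolated.
 * @return void
 */
function startLogin($username)
{
    try {
        $hasSession = checkSession($username);

        $con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
        $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // The token is a bearer credential, so it must be unguessable: take it from the CSPRNG.
        // (A sha256 of the current timestamp, as before, is predictable to the second.)
        // 32 random bytes -> 64 hex characters, the same width as a sha256 hex digest.
        $token = bin2hex(random_bytes(32));

        // Both values are bound; neither the caller's input nor the token reaches the SQL text.
        $sql = $hasSession
            ? 'UPDATE userssession SET token = :token WHERE username = :username'
            : 'INSERT INTO userssession(username,token) VALUES (:username,:token)';
        $stmt = $con->prepare($sql);
        $stmt->bindValue('username', $username, PDO::PARAM_STR);
        $stmt->bindValue('token', $token, PDO::PARAM_STR);
        $stmt->execute();

        $session = loadSession($username);
        echo $session->getJSON();
    } catch (PDOException $e) {
        // Keep the best-effort contract (no output on failure) but do not lose the cause.
        error_log('startLogin: ' . $e->getMessage());
    }
}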
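/**
 * Sets the login cookie and session for member $id (older variant using plain setcookie(),
 * with a workaround for PHP 4.3.2 not storing the cookie of the regenerated session).
 * - password should already be hashed with the cookie salt.
 * - an empty $id logs the user out; with globalCookies enabled the subdomain cookie is cleared too.
 * - the cookie and session last $cookie_length seconds.
 * - when the cookie value changes, the PHP session is destroyed and re-created under a new id.
 *
 * @param int $cookie_length Lifetime in seconds.
 * @param int $id Member id; 0 (or any empty value) means log out.
 * @param string $password Pre-salted password hash stored in the cookie ('' when logging out).
 * @return void
 */
function setLoginCookie($cookie_length, $id, $password = '')
{
    global $cookiename, $boardurl, $modSettings;

    // Bit 0: localCookies (path-restricted), bit 1: globalCookies (domain-wide).
    $cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2);

    // The cookie may already exist, and have been set with different options.
    // The pattern pins the serialized payload to a flat array of ints and short digit/hex strings
    // before it is handed to unserialize(), so client-supplied data cannot instantiate objects.
    // Keep the pattern in sync if the cookie layout ever changes.
    if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1) {
        $array = @unserialize($_COOKIE[$cookiename]);

        // Out with the old, in with the new!
        if (is_array($array) && isset($array[3]) && $array[3] != $cookie_state) {
            // Parenthesised on purpose: in PHP '>' binds tighter than '&', so the previous
            // "$array[3] & 2 > 0" evaluated to "$array[3] & 1" and both arguments tested bit 0,
            // which cleared the stale cookie on the wrong path/domain.
            $cookie_url = url_parts(($array[3] & 1) > 0, ($array[3] & 2) > 0);
            setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], 0);
        }
    }

    // Get the data and path to set it on. An empty $id writes the "logged out" triple.
    $data = serialize(empty($id) ? array(0, '', 0) : array($id, $password, time() + $cookie_length, $cookie_state));
    $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));

    // Set the cookie, $_COOKIE, and session variable.
    setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], 0);

    // If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
    if (empty($id) && !empty($modSettings['globalCookies'])) {
        setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], '', 0);
    }

    // Any alias URLs?  This is mainly for use with frames, etc.
    if (!empty($modSettings['forum_alias_urls'])) {
        $aliases = explode(',', $modSettings['forum_alias_urls']);
        $saved_boardurl = $boardurl;
        foreach ($aliases as $alias) {
            // Fake the $boardurl so we can set a different cookie.
            $alias = strtr(trim($alias), array('http://' => '', 'https://' => ''));
            $boardurl = 'http://' . $alias;
            $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
            if ($cookie_url[0] == '') {
                // No domain came back for the alias: use the alias host itself.
                $cookie_url[0] = strtok($alias, '/');
            }
            setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], 0);
        }
        $boardurl = $saved_boardurl;
    }

    $_COOKIE[$cookiename] = $data;

    // Make sure the user logs in with a new session ID (prevents the pre-login session from
    // carrying over into the authenticated one).
    if (!isset($_SESSION['login_' . $cookiename]) || $_SESSION['login_' . $cookiename] !== $data) {
        // Backup and remove the old session.
        $oldSessionData = $_SESSION;
        $_SESSION = array();
        session_destroy();

        // Recreate and restore the new session.
        loadSession();
        session_regenerate_id();
        $_SESSION = $oldSessionData;

        // Version 4.3.2 didn't store the cookie of the new session; also resend it whenever the
        // browser's session cookie no longer matches the regenerated id.
        if (version_compare(PHP_VERSION, '4.3.2') === 0 || isset($_COOKIE[session_name()]) && $_COOKIE[session_name()] != session_id()) {
            setcookie(session_name(), session_id(), time() + $cookie_length, $cookie_url[1], '', 0);
        }

        $_SESSION['login_' . $cookiename] = $data;
    }
}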
    }
}
header("Content-Type: application/json");
header("Connection: close");
initSession();

// Every request must name an action; without one there is nothing to dispatch.
$action = isset($_POST["action"]) ? $_POST["action"] : null;
if ($action === null) {
    echo json_encode(array("success" => false, "message" => "Aucune action fournie"));
    exit;
}

if ($action === "loadPublicGroups") {
    loadPublicGroups($db);
}
if ($action === "loadSessionOrPublicGroups") {
    if (isset($_SESSION["teamID"]) && !isset($_SESSION["closed"])) {
        loadSession($db);
    } else {
        loadPublicGroups($db);
    }
} else {
    if ($action === "checkPassword") {
        if (!isset($_POST["password"])) {
            echo json_encode(array("success" => false, "message" => "Mot de passe manquant"));
        } else {
            $getTeams = $_POST["getTeams"];
            $password = strtolower($_POST["password"]);
            if (!openGroup($db, $password, $getTeams)) {
                loginTeam($db, $password);
            }
        }
    } else {