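/**
 * Check whether the request carries a valid Phorum session and, if so, load
 * the matching user into $GLOBALS["PHORUM"]["user"].
 *
 * The session id is taken from the first of these sources that holds the key
 * named by $cookie: a real cookie (for the long-term key only when cookies are
 * enabled; always for the other keys), the Phorum URI args, $_POST, $_GET.
 * Which source matched is recorded in $GLOBALS["PHORUM"]["use_cookies"]:
 * true for a real cookie, false for the others.
 *
 * Cookie sessions have the form "<user_id>:<session hash>" and are matched
 * against the hashes stored on the user record; URI sessions are a bare
 * short-term session id looked up directly in the user table.
 *
 * @param string $cookie One of PHORUM_SESSION_LONG_TERM,
 *                       PHORUM_SESSION_SHORT_TERM or PHORUM_SESSION_ADMIN.
 * @return bool true when a valid session for an active user was found.
 */
function phorum_user_check_session( $cookie = PHORUM_SESSION_LONG_TERM )
{
    $PHORUM = $GLOBALS["PHORUM"];

    // With URI based authentication only the PHORUM_SESSION_LONG_TERM key is
    // carried in the URI, so a short-term check is redirected to that key to
    // keep the tighter security handling correct.
    if (isset($PHORUM["use_cookies"]) && !$PHORUM["use_cookies"]
        && $cookie == PHORUM_SESSION_SHORT_TERM) {
        $cookie = PHORUM_SESSION_LONG_TERM;
    }

    // Locate the session id. The order of the sources is significant.
    $sessid = null;
    if (($cookie != PHORUM_SESSION_LONG_TERM
         || (isset($PHORUM["use_cookies"]) && $PHORUM["use_cookies"]))
        && isset($_COOKIE[$cookie])) {
        // A real cookie.
        $sessid = $_COOKIE[$cookie];
        $GLOBALS["PHORUM"]["use_cookies"] = true;
    } elseif (isset($PHORUM["args"][$cookie])) {
        // Carried in the p5 URI args.
        $sessid = $PHORUM["args"][$cookie];
        $GLOBALS["PHORUM"]["use_cookies"] = false;
    } elseif (isset($_POST[$cookie])) {
        // Posted from a form.
        $sessid = $_POST[$cookie];
        $GLOBALS["PHORUM"]["use_cookies"] = false;
    } elseif (isset($_GET[$cookie])) {
        // Rare, but needed in some cases.
        $sessid = $_GET[$cookie];
        $GLOBALS["PHORUM"]["use_cookies"] = false;
    }

    // No session id at all: nothing to validate.
    if (empty($sessid)) {
        return false;
    }

    // $_GET/$_POST/$_COOKIE can deliver an array (e.g. "key[]=..."); explode()
    // and urldecode() below need a string, so treat that as an invalid session.
    if (!is_string($sessid)) {
        phorum_user_clear_session($cookie);
        return false;
    }

    $success = false;

    if ($GLOBALS["PHORUM"]["use_cookies"]) {
        // Cookie authentication: the value is "<user_id>:<session hash>".
        $parts = explode(":", $sessid, 2);
        if (count($parts) != 2 || !is_numeric($parts[0])) {
            // Malformed cookie: drop it instead of re-checking it every request.
            phorum_user_clear_session($cookie);
            return false;
        }
        list($userid, $md5session) = $parts;

        $user = phorum_user_get($userid, true, true);
        if (empty($user)) {
            phorum_user_clear_session($cookie);
            return false;
        }

        // The stored hash and the cookie hash are compared with ===. A loose
        // == treats two strings that both look like a number in exponent
        // notation (e.g. "0e123...") as equal, so a crafted cookie could match
        // a hash it does not actually carry. hash_equals() would additionally
        // make the comparison constant-time where it is available.
        if ($cookie == PHORUM_SESSION_LONG_TERM) {
            $matched = !empty($user['cookie_sessid_lt'])
                    && (string) $user['cookie_sessid_lt'] === $md5session;
        } elseif ($cookie == PHORUM_SESSION_SHORT_TERM) {
            $matched = !empty($user['sessid_st'])
                    && (string) $user['sessid_st'] === $md5session;
        } elseif ($cookie == PHORUM_SESSION_ADMIN) {
            $matched = !empty($user['cookie_sessid_lt'])
                    && md5($user['cookie_sessid_lt'] . $PHORUM["admin_session_salt"]) === $md5session;
        } else {
            $matched = false;
        }

        if ($matched) {
            if ($user["active"]) {
                // Write access is off by default; the short-term cookie has
                // to be checked separately before it is granted.
                $user['write_access'] = false;
                $GLOBALS["PHORUM"]["user"] = $user;
                $success = true;
                phorum_user_create_session($cookie);
            } else {
                phorum_user_clear_session($cookie);
            }
        }
    } else {
        // URI authentication: only a short-term session id is available.
        $uri_session_id = urldecode($sessid);
        $user_id = phorum_db_user_check_field('sessid_st', $uri_session_id, '=');
        if ($user_id) {
            $user = phorum_user_get($user_id, true, true);
            // A missing user record is handled like an inactive one; indexing
            // an empty result would only produce a warning and the same outcome.
            if (!empty($user) && $user["active"]) {
                // URI authentication requires a login on every visit, so
                // write access is granted directly.
                $user['write_access'] = true;
                $GLOBALS["PHORUM"]["user"] = $user;
                $success = true;
                phorum_user_create_session($cookie, false, $user['sessid_st']);
            } else {
                phorum_user_clear_session($cookie);
            }
        }
    }

    // Track user activity, at most once per track_user_activity seconds.
    if ($success && !empty($PHORUM["track_user_activity"])
        && $GLOBALS["PHORUM"]["user"]["date_last_active"] < time() - $PHORUM["track_user_activity"]) {
        $tmp_user = array(
            "user_id"           => $GLOBALS["PHORUM"]["user"]["user_id"],
            "date_last_active"  => time(),
            "last_active_forum" => isset($PHORUM['forum_id']) ? $PHORUM['forum_id'] : 0,
        );
        phorum_user_save_simple($tmp_user);
    }

    return $success;
}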
define('phorum_page','login'); include_once( "./common.php" ); include_once( "./include/users.php" ); include_once( "./include/email_functions.php" ); // ---------------------------------------------------------------------------- // Handle logout // ---------------------------------------------------------------------------- if ($PHORUM['DATA']['LOGGEDIN'] && !empty($PHORUM["args"]["logout"])) { // killing long-term cookie phorum_user_clear_session(PHORUM_SESSION_LONG_TERM); // killing short-term (write) cookie phorum_user_clear_session(PHORUM_SESSION_SHORT_TERM); // reset the sessid if not using cookies if(!$PHORUM['use_cookies']) { $new_sessid=md5($_POST['username'].microtime().$_POST['password']); $user=array( 'user_id'=>$PHORUM['user']['user_id'], 'sessid_st'=>$new_sessid ); phorum_user_save_simple($user); } // Determine the URL to redirect the user to. The hook "after_logout"
<?php
////////////////////////////////////////////////////////////////////////////////
//                                                                            //
//   Copyright (C) 2006  Phorum Development Team                              //
//   http://www.phorum.org                                                    //
//                                                                            //
//   This program is free software. You can redistribute it and/or modify     //
//   it under the terms of either the current Phorum License (viewable at     //
//   phorum.org) or the Phorum License that was distributed with this file    //
//                                                                            //
//   This program is distributed in the hope that it will be useful,          //
//   but WITHOUT ANY WARRANTY, without even the implied warranty of           //
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     //
//                                                                            //
//   You should have received a copy of the Phorum License                    //
//   along with this program.                                                 //
////////////////////////////////////////////////////////////////////////////////

// Admin logout: only runs when included from the admin front controller.
if (!defined("PHORUM_ADMIN")) {
    return;
}

// Drop the admin session and send the browser back to the current script.
// NOTE(review): $_SERVER['PHP_SELF'] can include client-supplied path info;
// $_SERVER['SCRIPT_NAME'] is the usual choice for a self-redirect — confirm
// how phorum_redirect_by_url() treats the value before changing it.
phorum_user_clear_session("phorum_admin_session");
phorum_redirect_by_url($_SERVER['PHP_SELF']);
exit();
?>