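/**
 * Admin login menu: handles logoff / login form submission, loads $CURRENT_USER from the
 * login cookie, reports login problems and shows the login screen when nobody is logged in.
 *
 * Side effects: reads $_REQUEST (action, username, password, redirectUrl), writes/removes the
 * login cookie, sets the global $CURRENT_USER, may print alerts, may exit after showing the
 * login interface or issuing a redirect.
 *
 * Security notes:
 *  - login submissions are gated by the POST / internal-referer / CSRF checks before any
 *    credential handling happens;
 *  - a failed login removes the cookie and sleeps a random 1-3 s so that brute forcing is
 *    slowed down and a slow response cannot be read as "wrong password";
 *  - the post-login redirect only follows same-site targets, so a crafted link such as
 *    ?redirectUrl=http://evil.example cannot turn this menu into an open redirect.
 *
 * @return void
 */
function adminLoginMenu() {
    global $CURRENT_USER;

    // login menu actions
    $action = @$_REQUEST['action'];
    if ($action == 'logoff') {
        user_logoff();
        exit;
    }
    if ($action == 'loginSubmit') {
        // credentials are only accepted from a POSTed, same-site, CSRF-protected form
        security_dieUnlessPostForm();
        security_dieUnlessInternalReferer();
        security_dieOnInvalidCsrfToken();

        // v2.52 remove leading and trailing whitespace (for usability, users accidentally add whitespace)
        foreach (array('username', 'password') as $field) {
            $_REQUEST[$field] = preg_replace('/^\s+|\s+$/s', '', @$_REQUEST[$field]);
        }

        // the cookie is written first and validated by getCurrentUser() below; it is removed
        // again if the credentials turn out to be invalid
        loginCookie_set(@$_REQUEST['username'], getPasswordDigest(@$_REQUEST['password']));
    }

    // load current user ($loginExpired is set by reference; initialise it so it is never undefined)
    $loginExpired = false;
    $CURRENT_USER = getCurrentUser($loginExpired);

    // report any errors - exactly one message is chosen, in this priority order
    $errors = '';
    if ($loginExpired) {
        $errors .= t("You've been logged out due to inactivity, please login again to continue.");
    }
    elseif (!$CURRENT_USER && $action == 'loginSubmit') {
        // deliberately generic: don't reveal whether the username or the password was wrong
        $errors .= t("Invalid username or password");
    }
    elseif (@$CURRENT_USER['disabled']) {
        $errors .= t("Your account has been disabled.");
    }
    elseif (@$CURRENT_USER['isExpired']) {
        $errors .= t("Your account has expired.");
    }

    if ($errors) {
        alert($errors);
        loginCookie_remove(); // if data in login cookie is invalid, remove login cookie so we don't keep checking it
        $CURRENT_USER = false; // if login is invalid, clear user variable
        // sleep somewhere between 1-3 seconds to delay brute force attacks (random sleep time makes it
        // so an attacker can't assume a slow response is a failed password)
        usleep(mt_rand(1000000, 3000000));
    }

    // if no logged in user
    if (!$CURRENT_USER) {
        // perform login screen maintenance actions - useful place to run common operations
        if (!$action) {
            createMissingSchemaTablesAndFields(); // create/update missing schemas, etc

            // show helpful messages
            if (!mysql_count('accounts')) {
                alert(t("There are no user accounts in the database."));
            }
        }

        // show login screen if user not logged in
        showInterface('login.php', false);
        exit;
    }

    // user is logged in: reset login cookie (to update lastAccess time used to track session expiry)
    loginCookie_set(@$CURRENT_USER['username'], getPasswordDigest(@$CURRENT_USER['password']));

    // redirect to last url - on valid login
    // Only same-site targets are followed: redirectUrl comes straight from the request, so an
    // attacker could otherwise send a logged-in admin to an arbitrary (e.g. phishing) site.
    // Accepted: a plain relative path (no scheme, no host, not protocol-relative "//host" or "/\host")
    // or an http(s) URL whose host equals the host this request was made to.
    // NOTE(review): the meaning of redirectBrowserToURL()'s second argument isn't visible here;
    // this check is applied regardless.
    $redirectUrl = @$_REQUEST['redirectUrl'];
    if (is_string($redirectUrl) && $redirectUrl !== '') {
        $parts       = parse_url($redirectUrl);
        $scheme      = $parts ? strtolower((string) @$parts['scheme']) : '';
        $host        = $parts ? strtolower((string) @$parts['host'])   : '';
        $requestHost = strtolower(preg_replace('/:\d+$/', '', (string) @$_SERVER['HTTP_HOST']));

        $isSameSite = ($parts !== false)
            && !preg_match('#^[/\\\\]{2}#', $redirectUrl)   // "//evil" and "/\evil" are protocol-relative
            && ($host === ''
                ? $scheme === ''                              // relative path (rejects javascript:, data:, ...)
                : (in_array($scheme, array('http', 'https'), true) && $requestHost !== '' && $host === $requestHost));

        if ($isSameSite) {
            redirectBrowserToURL($redirectUrl, true);
            exit;
        }
        // otherwise ignore the redirect and fall through to the normal admin page
    }
}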
if (!$result) { $error = "MySQL Error: " . mysql_error() . "\n"; // htmlencode() not needed here as message is shown in javascript alert // remove last inserted record if (isset($last_insert_id)) { mysql_query("DELETE FROM `{$escapedTableName}` WHERE num = '" . mysql_escape($last_insert_id) . "'"); } // show error message die($error); } } // My Account - update session login details if ($isMyAccountMenu) { $username = @$_REQUEST['username'] ? $_REQUEST['username'] : $CURRENT_USER['username']; $passwordHash = getPasswordDigest(coalesce(@$_REQUEST['password'], $CURRENT_USER['password'])); loginCookie_set($username, $passwordHash); } // User Accounts - update access levels if (@$_REQUEST['accessList'] && @$schema['accessList']['type'] == 'accessList') { _updateAccessList(); } // Category Sections - update category meta data if ($schema['menuType'] == 'category') { updateCategoryMetadata(); } doAction('record_postsave', $tableName, $isNewRecord, $oldRecord, $_REQUEST['num']); ### redisplay list page print $_REQUEST['num']; exit; // print record number or nothing to redisplay list page (done in edit_functions.js by ajax form submit code) //
/**
 * Start a login session for $username by writing the login cookie.
 *
 * The password value is run through getPasswordDigest() before it is stored, the same way the
 * admin login menu does for a submitted login.
 *
 * @param string      $username account username to store in the login cookie
 * @param string|null $password password value to digest; defaults to null, which is handed to
 *                              getPasswordDigest() unchanged (its handling of null is not visible here)
 * @return void
 */
function user_createLoginSession($username, $password = null) {
    $passwordDigest = getPasswordDigest($password);
    loginCookie_set($username, $passwordDigest);
}