/**
 * Re-create the current session while keeping its contents.
 *
 * The existing $_SESSION payload is copied aside, the session cookie and the
 * server-side session are dropped, the database save handler is re-registered
 * when STORE_SESSIONS is 'db', a fresh session is started and the saved payload
 * is restored into it. Does nothing on PHP versions older than 4.1 (the version
 * check is a loose string/float comparison, kept as the original had it).
 *
 * @return void
 */
function zen_session_recreate()
{
    if (PHP_VERSION < 4.1) {
        return;
    }

    $saved_session_data = $_SESSION;

    // drop both the client-side cookie and the server-side session
    unset($_COOKIE[zen_session_name()]);
    zen_session_destroy();

    // the custom handler must be registered again before the new session starts
    if (STORE_SESSIONS == 'db') {
        session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
    }

    zen_session_start();
    $_SESSION = $saved_session_data;
    unset($saved_session_data);
}
} } // confirm where link came from if (!strstr($_SERVER['HTTP_REFERER'], FILENAME_CHECKOUT_CONFIRMATION)) { // zen_redirect(zen_href_link(FILENAME_CHECKOUT_PAYMENT,'','SSL')); } // BEGIN CC SLAM PREVENTION if (!isset($_SESSION['payment_attempt'])) { $_SESSION['payment_attempt'] = 0; } $_SESSION['payment_attempt']++; $zco_notifier->notify('NOTIFY_CHECKOUT_SLAMMING_ALERT'); if ($_SESSION['payment_attempt'] > 3) { $zco_notifier->notify('NOTIFY_CHECKOUT_SLAMMING_LOCKOUT'); $_SESSION['cart']->reset(TRUE); zen_session_destroy(); zen_redirect(zen_href_link(FILENAME_TIME_OUT)); } // END CC SLAM PREVENTION if (!isset($credit_covers)) { $credit_covers = FALSE; } // load selected payment module require DIR_WS_CLASSES . 'payment.php'; $payment_modules = new payment($_SESSION['payment']); // load the selected shipping module require DIR_WS_CLASSES . 'shipping.php'; $shipping_modules = new shipping($_SESSION['shipping']); require DIR_WS_CLASSES . 'order.php'; $order = new order(); // prevent 0-entry orders from being generated/spoofed
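/**
 * Verify an admin login attempt according to the store's security requirements.
 *
 * Checks the submitted credentials against the admin record (including any
 * pending reset token), enforces account lockout, optional two-factor
 * authentication, login-failure throttling and notification e-mails, and the
 * password-expiry rules (SSL-change marker and PA-DSS interval). On success the
 * session is bound to the admin and, when SESSION_RECREATE is 'True', recreated.
 *
 * Stored hashes are only upgraded (rehashed) from a password that was actually
 * verified against a stored hash, never from a rejected one.
 *
 * @param string $admin_name admin login name as submitted
 * @param string $admin_pass plain-text password as submitted
 * @return array list($error, $expired, $message, $redirect):
 *               $error    bool   true when the login must be refused
 *               $expired  bool   true when the password must be changed
 *               $message  string user-facing message, '' when none
 *               $redirect string URL to send the user to, '' when none
 */
function zen_validate_user_login($admin_name, $admin_pass)
{
    global $db;
    $camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT;
    $error = $expired = false;
    $message = $redirect = '';
    $expired_token = 0;
    // stored hash the submitted password was checked against; '' until one is selected
    $token = '';
    // becomes true only once zen_validate_password() has accepted $admin_pass against a stored hash
    $password_verified = false;
    // client address for the audit columns; avoid a notice when the SAPI does not provide it
    $remote_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    $result = zen_read_user($admin_name);
    if (!isset($result) || $result == FALSE || $admin_name != $result['admin_name']) {
        // invalid login: unknown user
        $error = true;
        $message = ERROR_WRONG_LOGIN;
        zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
    } else {
        if ($result['lockout_expires'] > time()) {
            // account locked: give the generic error so the response does not confirm the account name exists
            $error = true;
            $message = ERROR_SECURITY_ERROR;
            zen_record_admin_activity(TEXT_ERROR_ATTEMPTED_TO_LOG_IN_TO_LOCKED_ACCOUNT . ' ' . $admin_name, 'warning');
        }

        // a pending reset token is stored as "<expiry timestamp>}<hash of the temporary password>"
        if ($result['reset_token'] != '') {
            $token_parts = explode('}', $result['reset_token']);
            $expired_token = $token_parts[0];
            $token = isset($token_parts[1]) ? $token_parts[1] : '';
            if ($expired_token > 0) {
                if ($expired_token <= time() && $result['admin_pass'] != '') {
                    // token has expired and a regular password exists: clear the stale token
                    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
                    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                    $db->Execute($sql);
                    $expired = false;
                } else {
                    if (!zen_validate_password($admin_pass, $token)) {
                        $error = true;
                        $message = ERROR_WRONG_LOGIN;
                        zen_record_admin_activity(sprintf(TEXT_ERROR_INCORRECT_PASSWORD_DURING_RESET_FOR_USER) . ' ' . $admin_name, 'warning');
                    } else {
                        // temporary password accepted: a new password must be set before access is granted
                        $password_verified = true;
                        $error = true;
                        $expired = true;
                        $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
                    }
                }
            }
        }

        if ($result['admin_pass'] == '') {
            // no regular password on record: one must be set
            $error = true;
            $expired = true;
            $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
        } else {
            $token = $result['admin_pass'];
            if (!zen_validate_password($admin_pass, $token)) {
                $error = true;
                if (!$expired) {
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
                }
            } else {
                $password_verified = true;
            }
        }

        // Upgrade a legacy/weak stored hash, but only from a password that was verified above:
        // rehashing from a rejected $admin_pass would persist a caller-chosen hash for the account.
        // (Whether updateNotLoggedInAdminPassword() re-verifies on its own is not visible here.)
        if ($password_verified && password_needs_rehash($token, PASSWORD_DEFAULT)) {
            $token = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInAdminPassword($admin_pass, $admin_name);
        }

        // BEGIN 2-factor authentication
        if (!$error && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') {
            if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) {
                $response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name']));
                if ($response !== TRUE) {
                    $error = true;
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity('TFA Failure - Two-factor authentication failed', 'warning');
                } else {
                    zen_record_admin_activity('TFA Passed - Two-factor authentication passed', 'warning');
                }
            }
        }
        // END 2-factor authentication
    }

    // BEGIN LOGIN SLAM PREVENTION
    if ($error) {
        if (!isset($_SESSION['login_attempt'])) {
            $_SESSION['login_attempt'] = 0;
        }
        $_SESSION['login_attempt']++;

        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $remote_ip, 'string');
        $db->Execute($sql);

        // notify the account owner after repeated failures (per session or per account)
        if (($_SESSION['login_attempt'] > 3 || $result['failed_logins'] > 3) && isset($result['admin_email']) && $result['admin_email'] != '' && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') {
            $failure_notice = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $remote_ip);
            $html_msg = array(
                'EMAIL_CUSTOMERS_NAME' => $result['admin_name'],
                'EMAIL_MESSAGE_HTML' => $failure_notice,
            );
            zen_record_admin_activity($failure_notice, 'warning');
            zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, $failure_notice, STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive');
        }

        // lockout does not apply while a (timestamped) reset token is pending
        if ($expired_token < 10000) {
            if ($_SESSION['login_attempt'] > 6 || $result['failed_logins'] > 6) {
                $sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = " . (time() + ADMIN_LOGIN_LOCKOUT_TIMER) . " WHERE admin_name = :adminname: ";
                $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                $db->Execute($sql);
                zen_session_destroy();
                zen_record_admin_activity('Too many login failures. Account locked for ' . ADMIN_LOGIN_LOCKOUT_TIMER / 60 . ' minutes', 'warning');
                // deliberate delay to slow down automated guessing
                sleep(15);
                $redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL');
                return array($error, $expired, $message, $redirect);
            } else {
                sleep(4);
            }
        }
    }
    // END LOGIN SLAM PREVENTION

    // deal with expireds for SSL change (marker date set by the upgrade)
    if (!$error && $result['pwd_last_change_date'] == '1990-01-01 14:02:22') {
        $expired = true;
        $error = true;
        $message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL;
    }

    // deal with expireds for PA-DSS
    if (!$error && PADSS_PWD_EXPIRY_ENFORCED == 1 && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) {
        $expired = true;
        $error = true;
    }

    if (!$error) {
        unset($_SESSION['login_attempt']);
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $remote_ip, 'string');
        $db->Execute($sql);
        $_SESSION['admin_id'] = $result['admin_id'];
        // fresh session id after privilege change
        if (SESSION_RECREATE == 'True') {
            zen_session_recreate();
        }
        $redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL');
    }

    return array($error, $expired, $message, $redirect);
}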