/**
 * Check a username/password pair with uLogin and report the outcome.
 *
 * A fresh uLogin object is created on every call with two empty-string
 * constructor arguments; what those arguments configure is not visible
 * here (presumably the login callbacks - confirm against the uLogin class).
 * This function's own code writes nothing to the session; any side effects
 * come from uLogin itself.
 *
 * NOTE(review): no nonce check or attempt throttling happens in this
 * function; confirm that the caller or the uLogin configuration covers both.
 *
 * @param mixed $user User identifier, forwarded unchanged to uLogin::Authenticate().
 * @param mixed $pass Password, forwarded unchanged to uLogin::Authenticate().
 * @return mixed The value of uLogin::IsAuthSuccess() after the attempt (presumably a boolean).
 */
function login($user, $pass)
{
    $authenticator = new uLogin('', '');

    // Run the attempt first; the outcome is queried from the same object afterwards.
    $authenticator->Authenticate($user, $pass);
    $succeeded = $authenticator->IsAuthSuccess();

    return $succeeded;
}
Exemple #2
       
       //addLog('Back-end', 'Login', ''.$_SESSION['admin']['name'].' ('.$_SESSION['admin']['refnum'].')', ''.$_SESSION['admin']['name'].' ('.$_SESSION['admin']['refnum'].')', 'Admin logged out.');
    
       // Log the admin out: drop the 'admin' entry from the session, redirect to the
       // public index page and stop the script so nothing further runs for this request.
       // NOTE(review): only $_SESSION['admin'] is cleared here; the session id and any
       // other session keys are left untouched. Confirm whether the session id should
       // be regenerated (or the session destroyed) on logout.
       unset($_SESSION['admin']);
       
       header('Location: ../index.php?logout=true&redirect_to=admin');
       exit();
   }
}
else {
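    // Handle a submitted login form: verify the 'login' nonce, record the
    // remember-me choice in the session, then pass the credentials to uLogin.
    if (isset($_POST['_login'])) {
        if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) {
            // Record in the session whether the remember-me box was ticked.
            if (isset($_POST['autologin'])) {
                $_SESSION['appRememberMeRequested'] = true;
            } else {
                unset($_SESSION['appRememberMeRequested']);
            }

            // The credential fields come straight from the request, so they can be
            // missing or arrays (e.g. l_username[]=x). Only strings are forwarded;
            // anything else becomes '', which is what an empty form field submits
            // anyway, so uLogin never receives null or an array.
            $ulogin->Authenticate(
                (isset($_POST['l_username']) && is_string($_POST['l_username'])) ? $_POST['l_username'] : '',
                (isset($_POST['l_password']) && is_string($_POST['l_password'])) ? $_POST['l_password'] : ''
            );
            if ($ulogin->IsAuthSuccess()) {
                // Since we have specified callback functions to uLogin,
                // we don't have to do anything here.
            }
        } else {
            // Missing or rejected nonce: the credentials are never looked at.
            $msg = 'invalid nonce';
        }
    }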
}

//ulLog::ShowDebugConsole();
     // of Nonce::Verify needs to correspond to the parameter that we
     // used to create the nonce, but otherwise it can be anything
     // as long as they match.
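     // Verify the 'login' nonce before the posted credentials are used at all.
     if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) {
         // We store it in the session if the user wants to be remembered. This is because
         // some auth backends redirect the user and we will need it after the user
         // arrives back.
         if (isset($_POST['autologin'])) {
             $_SESSION['appRememberMeRequested'] = true;
         } else {
             unset($_SESSION['appRememberMeRequested']);
         }
         // This is the line where we actually try to authenticate against some kind
         // of user database. Note that depending on the auth backend, this function might
         // redirect the user to a different page, in which case it does not return.
         //
         // The two fields come straight from the request, so they can be missing or
         // arrays (e.g. user[]=x). Only strings are forwarded; anything else becomes '',
         // which is what an empty form field submits anyway, so uLogin never receives
         // null or an array.
         $ulogin->Authenticate(
             (isset($_POST['user']) && is_string($_POST['user'])) ? $_POST['user'] : '',
             (isset($_POST['pwd']) && is_string($_POST['pwd'])) ? $_POST['pwd'] : ''
         );
         if ($ulogin->IsAuthSuccess()) {
             // Since we have specified callback functions to uLogin,
             // we don't have to do anything here.
         }
     } else {
         // Missing or rejected nonce: the credentials are never looked at.
         $msg = 'invalid nonce';
     }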
 } else {
     if ($action == 'autologin') {
         // We were requested to use the remember-me function for logging in.
         // Note, there is no username or password for autologin ('remember me')
         $ulogin->Autologin();
         if (!$ulogin->IsAuthSuccess()) {
             $msg = 'autologin failure';
         } else {
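    // Two-step login: the first factor is checked with the posted user name and
    // password, the second with the user name kept in the session.
    if ($action == 'login') {
        if (!isset($_SESSION['loginPhase1Success'])) {
            // are we authenticating the first factor?
            // Nonce verification
            if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) {
                // The two fields come straight from the request, so they can be missing
                // or arrays (e.g. user[]=x). Only strings are forwarded; anything else
                // becomes '', which is what an empty form field submits anyway.
                $uloginFactorOne->Authenticate(
                    (isset($_POST['user']) && is_string($_POST['user'])) ? $_POST['user'] : '',
                    (isset($_POST['pwd']) && is_string($_POST['pwd'])) ? $_POST['pwd'] : ''
                );
            } else {
                echo 'invalid nonce<br>';
            }
        }
        // The flag is tested again right after the first step, so both factors can
        // run within one request.
        // NOTE(review): neither the flag nor $_SESSION['username'] is set in this
        // block - presumably a first-factor success callback sets them; confirm.
        if (isset($_SESSION['loginPhase1Success'])) {
            // are we authenticating the second factor?
            // The flag is cleared before the second factor runs, so it covers one attempt only.
            unset($_SESSION['loginPhase1Success']);
            // For the DuoSec backend (which we use in this example) the password is not supplied by us
            // but is collected by an external page, so we just supply an empty string as the password.
            $uloginFactorTwo->Authenticate($_SESSION['username'], '');
        }
    }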
}
// Now we handle the presentation, based on whether we are logged in or not.
// Nothing fancy, except where we create the 'login'-nonce towards the end
// while generating the login form.
if (isAppLoggedIn()) {
    ?>
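		<h3>This is a protected page. You are logged in, <?php 
    // The user name is printed into HTML text, so it is escaped for that context;
    // a name containing markup is then shown literally instead of being rendered.
    echo htmlspecialchars((string) $_SESSION['username'], ENT_QUOTES, 'UTF-8');
    ?>
.</h3>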
		<form action="example-twofactor.php" method="POST"><input type="hidden" name="action" value="refresh"><input type="submit" value="Refresh page"></form>
		<form action="example-twofactor.php" method="POST"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>
	<?php