/**
 * Authenticate a username/password pair against the uLogin backend.
 *
 * A fresh uLogin instance is created for every call; both constructor
 * arguments are empty strings here (presumably the success/failure
 * callback names, so no callbacks fire — confirm against uLogin's
 * constructor). The credentials are handed to Authenticate() unmodified
 * and the backend's own verdict is returned.
 *
 * @param mixed $user Login name as received from the caller (untyped; passed through as-is).
 * @param mixed $pass Password as received from the caller (untyped; uLogin does the verification).
 * @return mixed Whatever uLogin::IsAuthSuccess() reports (expected to be truthy on success).
 */
function login($user, $pass)
{
    $backend = new uLogin('', '');
    $backend->Authenticate($user, $pass);
    $succeeded = $backend->IsAuthSuccess();

    return $succeeded;
}
//addLog('Back-end', 'Login', ''.$_SESSION['admin']['name'].' ('.$_SESSION['admin']['refnum'].')', ''.$_SESSION['admin']['name'].' ('.$_SESSION['admin']['refnum'].')', 'Admin logged out.'); unset($_SESSION['admin']); header('Location: ../index.php?logout=true&redirect_to=admin'); exit(); } } else { if (isset($_POST['_login'])){ if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])){ if (isset($_POST['autologin'])){ $_SESSION['appRememberMeRequested'] = true; } else { unset($_SESSION['appRememberMeRequested']); } $ulogin->Authenticate($_POST['l_username'], $_POST['l_password']); if ($ulogin->IsAuthSuccess()){ // Since we have specified callback functions to uLogin, // we don't have to do anything here. } } else { $msg = 'invalid nonce'; } } } //ulLog::ShowDebugConsole();
// of Nonce::Verify needs to correspond to the parameter that we // used to create the nonce, but otherwise it can be anything // as long as they match. if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) { // We store it in the session if the user wants to be remembered. This is because // some auth backends redirect the user and we will need it after the user // arrives back. if (isset($_POST['autologin'])) { $_SESSION['appRememberMeRequested'] = true; } else { unset($_SESSION['appRememberMeRequested']); } // This is the line where we actually try to authenticate against some kind // of user database. Note that depending on the auth backend, this function might // redirect the user to a different page, in which case it does not return. $ulogin->Authenticate($_POST['user'], $_POST['pwd']); if ($ulogin->IsAuthSuccess()) { // Since we have specified callback functions to uLogin, // we don't have to do anything here. } } else { $msg = 'invalid nonce'; } } else { if ($action == 'autologin') { // We were requested to use the remember-me function for logging in. // Note, there is no username or password for autologin ('remember me') $ulogin->Autologin(); if (!$ulogin->IsAuthSuccess()) { $msg = 'autologin failure'; } else {
if ($action == 'login') { if (!isset($_SESSION['loginPhase1Success'])) { // are we authenticating the first factor? // Nonce verification if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) { $uloginFactorOne->Authenticate($_POST['user'], $_POST['pwd']); } else { echo 'invalid nonce<br>'; } } if (isset($_SESSION['loginPhase1Success'])) { // are we authenticating the second factor? unset($_SESSION['loginPhase1Success']); // For the DuoSec backend (which we use in this example) the password is not supplied by us // but is collected by an external page, so we just supply an empty string as the password. $uloginFactorTwo->Authenticate($_SESSION['username'], ''); } } } // Now we handle the presentation, based on whether we are logged in or not. // Nothing fancy, except where we create the 'login'-nonce towards the end // while generating the login form. if (isAppLoggedIn()) { ?> <h3>This is a protected page. You are logged in, <?php echo $_SESSION['username']; ?> .</h3> <form action="example-twofactor.php" method="POST"><input type="hidden" name="action" value="refresh"><input type="submit" value="Refresh page"></form> <form action="example-twofactor.php" method="POST"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form> <?php