Esempio n. 1
0
     }
 } else {
     $status = -2;
     // User just visited login page no error. -1 = error
 }
 if ($status == USER_ACCOUNT_ACTIVE) {
     // logged in AOK.
     if ($mode === 'tokenexpired') {
         resend_request();
         // won't come back
     }
     DB_change($_TABLES['users'], 'pwrequestid', "NULL", 'uid', $uid);
     $userdata = SESS_getUserDataFromId($uid);
     $_USER = $userdata;
     $sessid = SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
     SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
     PLG_loginUser($_USER['uid']);
     // Now that we handled session cookies, handle longterm cookie
     if (!isset($_COOKIE[$_CONF['cookie_name']]) || !isset($_COOKIE['cookie_password'])) {
         // Either their cookie expired or they are new
         $cooktime = COM_getUserCookieTimeout();
         if ($VERBOSE) {
             COM_errorLog("Trying to set permanent cookie with time of {$cooktime}", 1);
         }
         if ($cooktime > 0) {
             // They want their cookie to persist for some amount of time so set it now
             if ($VERBOSE) {
                 COM_errorLog('Trying to set permanent cookie', 1);
             }
             SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() + $cooktime);
             SEC_setCookie($_CONF['cookie_password'], $_USER['passwd'], time() + $cooktime);
Esempio n. 2
0
/**
* This gets the state for the user
*
* Much of this code if from phpBB (www.phpbb.org).  This checks the session
* cookie and long term cookie to get the users state.
*
* @return   array   returns $_USER array
*
*/
function SESS_sessionCheck()
{
    global $_CONF, $_TABLES, $_USER, $_SESS_VERBOSE;
    if ($_SESS_VERBOSE) {
        COM_errorLog("***Inside SESS_sessionCheck***", 1);
    }
    unset($_USER);
    // We MUST do this up here, so it's set even if the cookie's not present.
    $user_logged_in = 0;
    $logged_in = 0;
    $userdata = array();
    // Check for a cookie on the users's machine.  If the cookie exists, build
    // an array of the users info and setup the theme.
    if (isset($_COOKIE[$_CONF['cookie_session']])) {
        $sessid = COM_applyFilter($_COOKIE[$_CONF['cookie_session']]);
        if ($_SESS_VERBOSE) {
            COM_errorLog("got {$sessid} as the session id from lib-sessions.php", 1);
        }
        $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
        if ($_SESS_VERBOSE) {
            COM_errorLog("Got {$userid} as User ID from the session ID", 1);
        }
        if ($userid > 1) {
            // Check user status
            $status = SEC_checkUserStatus($userid);
            if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
                $user_logged_in = 1;
                SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
                $userdata = SESS_getUserDataFromId($userid);
                if ($_SESS_VERBOSE) {
                    COM_errorLog("Got " . count($userdata) . " pieces of data from userdata", 1);
                    COM_errorLog(COM_debug($userdata), 1);
                }
                $_USER = $userdata;
                $_USER['auto_login'] = false;
            }
        } else {
            // Session probably expired, now check permanent cookie
            if (isset($_COOKIE[$_CONF['cookie_name']])) {
                $userid = $_COOKIE[$_CONF['cookie_name']];
                if (empty($userid) || $userid == 'deleted') {
                    unset($userid);
                } else {
                    $userid = COM_applyFilter($userid, true);
                    $cookie_password = '';
                    $userpass = '';
                    if ($userid > 1 && isset($_COOKIE[$_CONF['cookie_password']])) {
                        $cookie_password = $_COOKIE[$_CONF['cookie_password']];
                        $userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = {$userid}");
                    }
                    if (empty($cookie_password) || $cookie_password != $userpass) {
                        // User may have modified their UID in cookie, ignore them
                    } else {
                        if ($userid > 1) {
                            // Check user status
                            $status = SEC_checkUserStatus($userid);
                            if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
                                $user_logged_in = 1;
                                $sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                                SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                                $userdata = SESS_getUserDataFromId($userid);
                                $_USER = $userdata;
                                $_USER['auto_login'] = true;
                            }
                        }
                    }
                }
            }
        }
    } else {
        if ($_SESS_VERBOSE) {
            COM_errorLog('session cookie not found from lib-sessions.php', 1);
        }
        // Check if the persistent cookie exists
        if (isset($_COOKIE[$_CONF['cookie_name']])) {
            // Session cookie doesn't exist but a permanent cookie does.
            // Start a new session cookie;
            if ($_SESS_VERBOSE) {
                COM_errorLog('perm cookie found from lib-sessions.php', 1);
            }
            $userid = $_COOKIE[$_CONF['cookie_name']];
            if (empty($userid) || $userid == 'deleted') {
                unset($userid);
            } else {
                $userid = COM_applyFilter($userid, true);
                $cookie_password = '';
                $userpass = '';
                if ($userid > 1 && isset($_COOKIE[$_CONF['cookie_password']])) {
                    $userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = {$userid}");
                    $cookie_password = $_COOKIE[$_CONF['cookie_password']];
                }
                if (empty($cookie_password) || $cookie_password != $userpass) {
                    // User could have modified UID in cookie, don't do shit
                } else {
                    if ($userid > 1) {
                        // Check user status
                        $status = SEC_checkUserStatus($userid);
                        if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
                            $user_logged_in = 1;
                            // Create new session and write cookie
                            $sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                            SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                            $userdata = SESS_getUserDataFromId($userid);
                            $_USER = $userdata;
                            $_USER['auto_login'] = true;
                        }
                    }
                }
            }
        }
    }
    if ($_SESS_VERBOSE) {
        COM_errorLog("***Leaving SESS_sessionCheck***", 1);
    }
    // Ensure $_USER is set to avoid warnings (path exposure...)
    if (isset($_USER)) {
        return $_USER;
    } else {
        return NULL;
    }
}
Esempio n. 3
0
/**
* This gets the state for the user
*
* Much of this code if from phpBB (www.phpbb.org).  This checks the session
* cookie and long term cookie to get the users state.
*
* @return   void
*
*/
function SESS_sessionCheck()
{
    global $_CONF, $_TABLES, $_USER, $_SESS_VERBOSE;
    if ($_SESS_VERBOSE) {
        COM_errorLog("*** Inside SESS_sessionCheck ***", 1);
    }
    $_USER = array();
    // Check for a cookie on the users's machine.  If the cookie exists, build
    // an array of the users info and setup the theme.
    // Flag indicates if session cookie and session data exist
    $session_exists = true;
    if (isset($_COOKIE[$_CONF['cookie_session']])) {
        $sessid = COM_applyFilter($_COOKIE[$_CONF['cookie_session']]);
        if ($_SESS_VERBOSE) {
            COM_errorLog("Got {$sessid} as the session ID", 1);
        }
        $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
        if ($_SESS_VERBOSE) {
            COM_errorLog("Got {$userid} as User ID from the session ID", 1);
        }
        if ($userid > 1) {
            // Check user status
            $status = SEC_checkUserStatus($userid);
            if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
                SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
                $_USER = SESS_getUserDataFromId($userid);
                if ($_SESS_VERBOSE) {
                    $str = "Got " . count($_USER) . " pieces of data from userdata \n";
                    foreach ($_USER as $k => $v) {
                        $str .= sprintf("%15s [%s] \n", $k, $v);
                    }
                    COM_errorLog($str, 1);
                }
                $_USER['auto_login'] = false;
            }
        } elseif ($userid == 1) {
            // Anonymous User has session so update any information
            SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
        } else {
            // Session probably expired
            $session_exists = false;
        }
    } else {
        if ($_SESS_VERBOSE) {
            COM_errorLog("Session cookie not found", 1);
        }
        $session_exists = false;
    }
    if ($session_exists === false) {
        // Check if the permanent cookie exists
        $userid = '';
        if (isset($_COOKIE[$_CONF['cookie_name']])) {
            $userid = COM_applyFilter($_COOKIE[$_CONF['cookie_name']], true);
        }
        if (!empty($userid)) {
            // Session cookie or session data don't exist, but a permanent cookie does.
            // Start a new session cookie and session data;
            if ($_SESS_VERBOSE) {
                COM_errorLog("Got {$userid} as User ID from the permanent cookie", 1);
            }
            $cookie_password = '';
            $userpass = '';
            if ($userid > 1 && isset($_COOKIE[$_CONF['cookie_password']])) {
                $cookie_password = $_COOKIE[$_CONF['cookie_password']];
                $userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = {$userid}");
            }
            if (empty($cookie_password) || $cookie_password != $userpass) {
                if ($_SESS_VERBOSE) {
                    COM_errorLog("Password comparison failed or cookie password missing", 1);
                }
                // Invalid or manipulated cookie data
                $ctime = time() - 10000;
                SEC_setCookie($_CONF['cookie_session'], '', $ctime);
                SEC_setCookie($_CONF['cookie_password'], '', $ctime);
                SEC_setCookie($_CONF['cookie_name'], '', $ctime);
                COM_clearSpeedlimit($_CONF['login_speedlimit'], 'login');
                if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
                    if (!defined('XHTML')) {
                        define('XHTML', '');
                    }
                    COM_displayMessageAndAbort(82, '', 403, 'Access denied');
                }
                COM_updateSpeedlimit('login');
            } elseif ($userid > 1) {
                if ($_SESS_VERBOSE) {
                    COM_errorLog("Password comparison passed", 1);
                }
                // Check user status
                $status = SEC_checkUserStatus($userid);
                if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
                    if ($_SESS_VERBOSE) {
                        COM_errorLog("Create new session and write cookie", 1);
                    }
                    // Create new session and write cookie
                    $sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                    SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                    $_USER = SESS_getUserDataFromId($userid);
                    $_USER['auto_login'] = true;
                }
            }
        } else {
            if ($_SESS_VERBOSE) {
                COM_errorLog("Permanent cookie not found", 1);
            }
            // Anonymous user has session id but it has been expired and wiped from the db so reset.
            // Or new anonymous user so create new session and write cookie.
            $userid = 1;
            $sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
            SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
        }
    }
    if ($_SESS_VERBOSE) {
        COM_errorLog("*** Leaving SESS_sessionCheck ***", 1);
    }
    $_USER['session_id'] = $sessid;
}