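public function ProcessLogin()
    {
        // Authenticates a control-panel user either from the posted login form
        // (username/password) or from the persistent "Remember Me" cookie, then
        // issues the STORESUITE_CP_TOKEN cookie and redirects to index.php.
        // Every path terminates the request (return/die) after DoLogin() or the redirect.
        //
        // NOTE(review): passwords are stored as unsalted md5() and the session
        // cookie is the user's static `token` column (never rotated). Both are
        // schema-level weaknesses that cannot be fixed inside this method without
        // a migration (password_hash()/password_verify() and per-session tokens
        // would be the target). What this method can do is compare hashes with
        // hash_equals(): strict (no "0e..." magic-hash type juggling) and constant-time.
        $loginName = '';
        $loginPass = '';

        // Nothing usable was submitted: re-show the form flagged as invalid.
        if ((!isset($_POST['username']) || !isset($_POST['password'])) && !isset($_COOKIE['RememberToken'])) {
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
            return;
        }

        $isFormLogin = isset($_POST['username']);
        if ($isFormLogin) {
            $loginName = (string) $_POST['username'];
            // Password may be absent when only the cookie got us past the guard above.
            $loginPass = isset($_POST['password']) ? (string) $_POST['password'] : '';
            // Only active accounts (userstatus='1') may log in. Quote() is the DB
            // layer's escaping; this abstraction exposes no prepared statements.
            $query = sprintf(
                "SELECT pk_userid, username, userpass, token, userimportpass FROM [|PREFIX|]users WHERE username='%s' and userstatus='1'",
                $GLOBALS['ISC_CLASS_DB']->Quote($loginName)
            );
        } else {
            // No username posted: fall back to the Remember Me cookie, which is
            // md5(username . token) as issued on success below.
            $rememberCookie = isset($_COOKIE['RememberToken']) ? $_COOKIE['RememberToken'] : '';
            if (trim($rememberCookie) == '') {
                // Blank cookie is treated exactly like a bad username/password.
                $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
                $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
                die;
            }
            $query = sprintf(
                "SELECT pk_userid, username, userpass, token, userimportpass FROM [|PREFIX|]users WHERE userstatus='1' AND md5(concat(username, token))='%s'",
                $GLOBALS['ISC_CLASS_DB']->Quote($rememberCookie)
            );
        }

        // Keep the long-lived cookie if the box was ticked or one is already present.
        $remember = isset($_POST['remember']) || isset($_COOKIE['RememberToken']);

        // Output is buffered from here on (original behaviour); presumably so the
        // Set-Cookie headers below are not blocked by any early output -- confirm.
        ob_start();

        $userResult = $GLOBALS["ISC_CLASS_DB"]->Query($query);
        if ($userRow = $GLOBALS["ISC_CLASS_DB"]->Fetch($userResult)) {
            if (!$remember) {
                // Explicit form login without "remember": expire any stale cookie.
                ISC_SetCookie("RememberToken", "", time() - 3600 * 24 * 365, true);
            }

            // Strict, constant-time comparison of the stored hash with the submitted
            // password. On the cookie path $loginPass is '' so this only matches an
            // account whose stored hash is md5('').
            $passwordMatches = hash_equals((string) $userRow['userpass'], md5($loginPass));
            $authenticated = false;

            if ((string) $userRow['userimportpass'] !== '' && !$passwordMatches) {
                // Account still carries a password imported from another system.
                if (ValidateImportPassword($loginPass, $userRow['userimportpass'])) {
                    // Valid import password: store the native hash and clear the import one.
                    $updatedUser = array("userpass" => md5($loginPass), "userimportpass" => "");
                    $GLOBALS['ISC_CLASS_DB']->UpdateQuery("users", $updatedUser, "pk_userid='" . $GLOBALS['ISC_CLASS_DB']->Quote($userRow['pk_userid']) . "'");
                    $authenticated = true;
                }
            } elseif ($isFormLogin) {
                $authenticated = $passwordMatches;
            } else {
                // Remember Me cookie matched the md5(username.token) lookup above;
                // no further credential is checked on this path.
                $authenticated = true;
            }

            if ($authenticated) {
                // The admin session cookie is the user's token; also expose it to
                // the rest of this request via $_COOKIE.
                $_COOKIE['STORESUITE_CP_TOKEN'] = $userRow['token'];
                ISC_SetCookie("STORESUITE_CP_TOKEN", $userRow['token'], 0, true);
                if ($remember) {
                    // One-year cookie; valid until username or token changes server-side.
                    ISC_SetCookie("RememberToken", md5($userRow['username'] . $userRow['token']), time() + 3600 * 24 * 365, true);
                }
                // Log the successful login to the administrators log
                $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("valid");
                // Everything was OK and the user has been logged in successfully
                ?>
						<script type="text/javascript">
							document.location.href='index.php?ToDo=';
						</script>
					<?php 
                die;
            }
        }
        // Lookup failed or the credential check did not pass.
        $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
        $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
        die;
    }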
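    public function ProcessLogin()
    {
        // Variant of the control-panel login with a captcha gate and an account
        // lockout counter (`fails` / `userstatus` columns). Authenticates from the
        // posted form or the "Remember Me" cookie, issues STORESUITE_CP_TOKEN and
        // redirects to index.php. Every path terminates the request.
        //
        // NOTE(review): passwords remain unsalted md5() and the session cookie is
        // the user's static `token`; fixing either needs a schema migration
        // (password_hash()/password_verify(), per-session tokens). Hash comparisons
        // below use hash_equals() so they are strict (no "0e..." magic-hash type
        // juggling) and constant-time.

        // Captcha is required unless a QA account is configured and this login is
        // for exactly that account. Compared strictly so an unset config ('', null,
        // false) can never match a missing or empty username and silently skip the gate.
        $qaUserName = (string) GetConfig('UserQA');
        $skipCaptcha = $qaUserName !== ''
            && isset($_POST['username'])
            && $qaUserName === (string) $_POST['username'];
        if (!$skipCaptcha) {
            $GLOBALS['ISC_CLASS_CAPTCHA'] = GetClass('ISC_CAPTCHA');
            $captcha = isset($_REQUEST['captcha']) ? trim((string) $_REQUEST['captcha']) : '';
            $secret = (string) $GLOBALS['ISC_CLASS_CAPTCHA']->LoadSecret();
            // An empty submission is always rejected so that a missing/blank stored
            // secret (e.g. captcha never rendered) cannot be matched by an empty answer.
            if ($captcha === '' || isc_strtolower($captcha) !== isc_strtolower($secret)) {
                $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(false, false, GetLang('InvalidCaptcha'));
                die;
            }
        }

        $loginName = '';
        $loginPass = '';

        // Nothing usable was submitted: re-show the form flagged as invalid.
        if ((!isset($_POST['username']) || !isset($_POST['password'])) && !isset($_COOKIE['RememberToken'])) {
            $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
            return;
        }

        $isFormLogin = isset($_POST['username']);
        if ($isFormLogin) {
            $loginName = (string) $_POST['username'];
            // Password may be absent when only the cookie got us past the guard above.
            $loginPass = isset($_POST['password']) ? (string) $_POST['password'] : '';
            // Unlike the status-filtered variant, the row is fetched regardless of
            // userstatus so a locked account can be reported as such below.
            // Quote() is the DB layer's escaping; no prepared statements are exposed.
            $query = sprintf(
                "SELECT pk_userid, username, userpass, token, userimportpass, fails, userstatus FROM [|PREFIX|]users WHERE username='%s'",
                $GLOBALS['ISC_CLASS_DB']->Quote($loginName)
            );
        } else {
            // No username posted: fall back to the Remember Me cookie, which is
            // md5(username . token) as issued on success below.
            $rememberCookie = isset($_COOKIE['RememberToken']) ? $_COOKIE['RememberToken'] : '';
            if (trim($rememberCookie) == '') {
                // Blank cookie is treated exactly like a bad username/password.
                $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
                $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
                die;
            }
            $query = sprintf(
                "SELECT pk_userid, username, userpass, token, userimportpass, fails, userstatus FROM [|PREFIX|]users WHERE md5(concat(username, token))='%s'",
                $GLOBALS['ISC_CLASS_DB']->Quote($rememberCookie)
            );
        }

        // Keep the long-lived cookie if the box was ticked or one is already present.
        $remember = isset($_POST['remember']) || isset($_COOKIE['RememberToken']);

        // Output is buffered from here on (original behaviour); presumably so the
        // Set-Cookie headers below are not blocked by any early output -- confirm.
        ob_start();

        $userResult = $GLOBALS["ISC_CLASS_DB"]->Query($query);
        if ($userRow = $GLOBALS["ISC_CLASS_DB"]->Fetch($userResult)) {
            // Locked account (userstatus 0, also NULL/'' after the int cast): report
            // and stop before any credential is checked.
            // NOTE(review): any non-zero status is accepted here, whereas the
            // status-filtered variant only admits userstatus='1' -- confirm no other
            // status values exist. Also, the distinct LockedUser message tells a
            // caller that the account exists (user enumeration); consider the
            // generic DoLogin(true) response if that matters for this deployment.
            if ((int) $userRow['userstatus'] === 0) {
                $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("has been locked", $loginName);
                $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(false, false, GetLang('LockedUser'));
                die;
            }

            if (!$remember) {
                // Explicit form login without "remember": expire any stale cookie.
                ISC_SetCookie("RememberToken", "", time() - 3600 * 24 * 365, true);
            }

            // Strict, constant-time comparison of the stored hash with the submitted
            // password. On the cookie path $loginPass is '' so this only matches an
            // account whose stored hash is md5('').
            $passwordMatches = hash_equals((string) $userRow['userpass'], md5($loginPass));
            $authenticated = false;

            if ((string) $userRow['userimportpass'] !== '' && !$passwordMatches) {
                // Account still carries a password imported from another system.
                if (ValidateImportPassword($loginPass, $userRow['userimportpass'])) {
                    // Valid import password: store the native hash, clear the import
                    // one and reset the failure counter.
                    $updatedUser = array("userpass" => md5($loginPass), "userimportpass" => "", 'fails' => 0);
                    $GLOBALS['ISC_CLASS_DB']->UpdateQuery("users", $updatedUser, "pk_userid='" . $GLOBALS['ISC_CLASS_DB']->Quote($userRow['pk_userid']) . "'");
                    $authenticated = true;
                } else {
                    // Counts towards lockout (also on the cookie path, as before).
                    $this->doLoginFailed($userRow['pk_userid'], $userRow['fails']);
                }
            } elseif ($isFormLogin) {
                if ($passwordMatches) {
                    // Successful login resets a non-zero failure counter.
                    if ($userRow['fails'] > 0) {
                        $this->clearFails($userRow['pk_userid']);
                    }
                    $authenticated = true;
                } else {
                    $this->doLoginFailed($userRow['pk_userid'], $userRow['fails']);
                }
            } else {
                // Remember Me cookie matched the md5(username.token) lookup above;
                // no further credential is checked on this path.
                $authenticated = true;
            }

            if ($authenticated) {
                // The admin session cookie is the user's token; also expose it to
                // the rest of this request via $_COOKIE.
                $_COOKIE['STORESUITE_CP_TOKEN'] = $userRow['token'];
                ISC_SetCookie("STORESUITE_CP_TOKEN", $userRow['token'], 0, true);
                if ($remember) {
                    // One-year cookie; valid until username or token changes server-side.
                    ISC_SetCookie("RememberToken", md5($userRow['username'] . $userRow['token']), time() + 3600 * 24 * 365, true);
                }
                // Log the successful login to the administrators log
                $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("valid");
                // Everything was OK and the user has been logged in successfully
                ?>
						<script type="text/javascript">
							document.location.href='index.php?ToDo=';
						</script>
					<?php 
                die;
            }
        }
        // Lookup failed or the credential check did not pass.
        $GLOBALS['ISC_CLASS_LOG']->LogAdminAction("invalid", $loginName);
        $GLOBALS['ISC_CLASS_ADMIN_AUTH']->DoLogin(true);
        die;
    }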