$username = ""; if (isset($_POST["username"])) { $username = cleanValue($_POST["username"]); } $password = ""; if (isset($_POST["password"])) { $password = $_POST["password"]; } global $gCms; $userops =& $gCms->GetUserOperations(); $oneuser =& $userops->LoadUserByUsername($username, $password, true, true); debug_buffer("Got user by username"); debug_buffer($oneuser); if ($username != "" && $password != "" && isset($oneuser) && $oneuser == true && isset($_POST["loginsubmit"])) { debug_buffer("Starting login procedure. Setting userid so that other pages will pick it up and set a cookie."); generate_user_object($oneuser->id); $_SESSION['login_user_id'] = $oneuser->id; $_SESSION['login_user_username'] = $oneuser->username; $default_cms_lang = get_preference($oneuser->id, 'default_cms_language'); if ($default_cms_lang != '') { #setcookie('cms_language', $default_cms_lang); $_SESSION['login_cms_language'] = $default_cms_lang; } audit($oneuser->id, $oneuser->username, 'User Login'); #Now call the event Events::SendEvent('Core', 'LoginPost', array('user' => &$oneuser)); // redirect to upgrade if db_schema it's old $current_version = $CMS_SCHEMA_VERSION; $query = "SELECT version from " . cms_db_prefix() . "version"; $row = $db->GetRow($query); if ($row) {
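/**
 * Checks to see if the user is logged in. If not, redirects the browser
 * to the admin login.
 *
 * Order of checks (each one establishes the admin session for the next):
 *  1. a login queued in $_SESSION by the login page (login_user_id / login_cms_language);
 *  2. an existing admin session (cms_admin_user_id);
 *  3. failing that, the remember-me cookies (cms_admin_user_id + cms_passhash),
 *     which must pass check_passhash() before a user object is generated;
 *  4. on admin pages with debugging off, the secure param (CMS_SECURE_PARAM_NAME)
 *     carried by the request must match the key held in the session.
 *
 * @since 0.1
 * @param bool $no_redirect If truthy, return false instead of redirecting when not logged in
 * @return bool true when the user is logged in (and, on admin pages, the request
 *              carries a matching session key); false otherwise
 */
function check_login($no_redirect = false)
{
    global $CMS_ADMIN_PAGE;

    $config = cmsms()->GetConfig();
    $login_url = $config['admin_url'] . '/login.php';

    // Remember where the user was heading, then either bounce to the login page
    // or (when $no_redirect is truthy) hand the decision back to the caller.
    $fail = static function () use ($no_redirect, $login_url) {
        $_SESSION['redirect_url'] = $_SERVER['REQUEST_URI'];
        if (!$no_redirect) {
            redirect($login_url);
        }
        return false;
    };

    // Handle a current login if one is queued in the SESSION by the login page.
    if (isset($_SESSION['login_user_id'])) {
        debug_buffer('Found login_user_id. Going to generate the user object.');
        generate_user_object($_SESSION['login_user_id']);
        unset($_SESSION['login_user_id']);
    }
    if (isset($_SESSION['login_cms_language'])) {
        debug_buffer('Setting language to: ' . $_SESSION['login_cms_language']);
        cms_cookies::set('cms_language', $_SESSION['login_cms_language']);
        unset($_SESSION['login_cms_language']);
    }

    if (!isset($_SESSION['cms_admin_user_id'])) {
        debug_buffer('No session found. Now check for cookies');
        if (!isset($_COOKIE['cms_admin_user_id'], $_COOKIE['cms_passhash'])) {
            debug_buffer('No cookies found. Redirect to login.');
            return $fail();
        }
        debug_buffer('Cookies found, do a passhash check');
        // The cookie pair is only trusted once check_passhash() vouches for it.
        if (!check_passhash($_COOKIE['cms_admin_user_id'], $_COOKIE['cms_passhash'])) {
            debug_buffer('passhash check failed... redirect to login');
            return $fail();
        }
        debug_buffer('passhash check succeeded... creating session object');
        generate_user_object($_COOKIE['cms_admin_user_id']);
    }
    debug_buffer('Session found. 
Moving on...');

    // On admin pages the request must carry the per-session key, so that a link
    // or form crafted elsewhere cannot drive this admin session. The whole check
    // is skipped while $config['debug'] is on, so debug mode must never be left
    // enabled on a reachable install.
    if ($config['debug'] === false && isset($CMS_ADMIN_PAGE)) {
        if (!isset($_SESSION[CMS_USER_KEY]) && isset($_COOKIE[CMS_SECURE_PARAM_NAME])) {
            // Not in the session yet: take the key from the cookie.
            // NOTE(review): this accepts whatever key the browser sends as the
            // expected value; the original behaviour is kept here unchanged.
            $_SESSION[CMS_USER_KEY] = $_COOKIE[CMS_SECURE_PARAM_NAME];
        }
        // The comparison runs unless the key is present in both GET and POST
        // (original short-circuit, kept as-is).
        if (!isset($_SESSION[CMS_USER_KEY])
            || !isset($_GET[CMS_SECURE_PARAM_NAME])
            || !isset($_POST[CMS_SECURE_PARAM_NAME])) {
            $v = '<no$!tgonna!$happen>';
            if (isset($_GET[CMS_SECURE_PARAM_NAME])) {
                $v = $_GET[CMS_SECURE_PARAM_NAME];
            } elseif (isset($_POST[CMS_SECURE_PARAM_NAME])) {
                $v = $_POST[CMS_SECURE_PARAM_NAME];
            }
            // Compare as strings and in constant time. The former loose `!=`
            // compared numeric-looking keys numerically, and a non-string
            // request value (an array from `param[]=`) must never count as a match.
            $expected = isset($_SESSION[CMS_USER_KEY]) ? $_SESSION[CMS_USER_KEY] : null;
            $matches = is_string($v) && is_scalar($expected) && hash_equals((string) $expected, $v);
            if (!$matches && !isset($config['stupidly_ignore_xss_vulnerability'])) {
                // Unlike the not-logged-in paths above, no redirect_url is stored here
                // (kept from the original so a forged request is not replayed after login).
                debug_buffer('Session key mismatch problem... redirect to login');
                if (!$no_redirect) {
                    redirect($login_url);
                }
                return false;
            }
        }
    }
    return true;
}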