incl('confirm_code'); confirm_code(Flight::request()); }); Flight::route('/confirmations', function () { method_not_allowed(); }); Flight::route('POST /confirmations/new', function () { incl('new_confirm_code'); new_confirm_code(Flight::request()); }); Flight::route('/confirmations/new', function () { method_not_allowed(); }); Flight::route('POST /sessions', function () { incl('create_session'); create_session(Flight::request()); }); Flight::route('DELETE /sessions', function () { incl('delete_session'); delete_session(Flight::request()); }); Flight::route('/sessions', function () { method_not_allowed(); }); Flight::route('POST /programming_languages', function () { incl('create_programming_language'); create_programming_language(Flight::request()); }); Flight::route('GET /programming_languages', function () { incl('get_programming_languages'); get_programming_languages(Flight::request());
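/**
 * Verify a username/password pair and, on success, open a session and append
 * an entry to the login log.
 *
 * The original wrote its log entry into a local $login_log that was discarded
 * when the function returned, so nothing was ever recorded; the log is now the
 * global of the same name (created on first use).
 *
 * @param mixed $users Credential store handed straight through to verify_password()
 * @param mixed $passwords Credential store handed straight through to verify_password()
 * @param string $user Username as supplied by the caller
 * @param string $password Clear-text password as supplied by the caller
 * @return bool true if the credentials verified and a session was created, false otherwise
 */
function login($users, $passwords, $user, $password)
{
    global $login_log;
    if (!is_array($login_log)) {
        $login_log = array();
    }

    if (!verify_password($users, $passwords, $user, $password)) {
        return false;
    }

    create_session();
    // Timestamp stays at index 0 (as before); the username is added so the
    // entry is attributable to an account when the log is reviewed.
    $login_log[] = array(date("Y-m-d H-i-s"), $user);
    return true;
}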
/**
 * Log a member in by e-mail address.
 *
 * @param string $email E-mail address identifying the account
 * @param string $password Clear-text password to check with check_password()
 * @return mixed Whatever create_session() returns for the matching user id;
 *               false when the password check fails
 */
function login($email, $password)
{
    if (!check_password($email, $password)) {
        return false;
    }
    $id = user_id($email);
    return create_session($id);
}
/**
 * Get the ID of the currently active member.
 * It see's if the session exists / cookie is valid -- and gets the member id accordingly
 *
 * Resolution order, as implemented below:
 *   1. the per-request cache ($MEMBER_CACHED);
 *   2. the "backdoor" IP address configured in $SITE_INFO (no password involved);
 *   3. the forced-guest flag ($FORCE_INVISIBLE_GUEST);
 *   4. an existing session id, subject to expiry and (optionally) IP binding;
 *   5. the login cookie (try_cookie_login() / the forum driver);
 *   6. the systems/login_providers hooks;
 *   7. otherwise the guest id.
 * Unless $quick_only is set, a session is created if none exists, a keep_su
 * request is processed for logged-in members and the upon_login hooks run.
 *
 * @param boolean Whether to just do a quick check, don't establish new sessions
 * @return MEMBER The member requesting this web page (possibly the guest member - which strictly speaking, is not a member)
 */
function get_member($quick_only = false)
{
    global $SESSION_CACHE, $MEMBER_CACHED, $GETTING_MEMBER, $SITE_INFO;
    if ($MEMBER_CACHED !== NULL) {
        $GETTING_MEMBER = false;
        return $MEMBER_CACHED;
    }

    // If lots of aging sessions, clean out
    reset($SESSION_CACHE);
    if (count($SESSION_CACHE) > 50 && $SESSION_CACHE[key($SESSION_CACHE)]['last_activity'] < time() - 60 * 60 * max(1, intval(get_option('session_expiry_time')))) {
        delete_expired_sessions_or_recover();
    }

    // Try via backdoor that someone with full server access can place
    // SECURITY: every request whose get_ip_address() equals $SITE_INFO['backdoor_ip']
    // is logged in by restricted_manually_enabled_backdoor() with no password check.
    // Whether that address can be forged depends on how get_ip_address() is derived
    // (e.g. whether proxy headers are trusted) -- not visible here. The setting must be
    // removed again as soon as the emergency recovery it exists for is done.
    $backdoor_ip_address = mixed(); // Enable to a real IP address to force login from FTP access (if lost admin password)
    if (array_key_exists('backdoor_ip', $SITE_INFO)) {
        $backdoor_ip_address = $SITE_INFO['backdoor_ip'];
    }
    if (is_string($backdoor_ip_address) && get_ip_address() == $backdoor_ip_address) {
        require_code('users_active_actions');
        $MEMBER_CACHED = restricted_manually_enabled_backdoor(); // Will have created a session in here already
        return $MEMBER_CACHED;
    }

    // Re-entrancy guard: if something called below asks for the member again, answer "guest"
    if ($GETTING_MEMBER) {
        if (!isset($GLOBALS['FORUM_DRIVER'])) {
            return db_get_first_id();
        } // :S
        return $GLOBALS['FORUM_DRIVER']->get_guest_id();
    }
    $GETTING_MEMBER = true;

    global $FORCE_INVISIBLE_GUEST;
    if ($FORCE_INVISIBLE_GUEST) {
        $GETTING_MEMBER = false;
        if (!isset($GLOBALS['FORUM_DRIVER'])) {
            fatal_exit(do_lang_tempcode('INTERNAL_ERROR'));
        }
        $MEMBER_CACHED = $GLOBALS['FORUM_DRIVER']->get_guest_id();
        return $MEMBER_CACHED;
    }

    $member = NULL;
    // The configured cookie name may be of the form "base:key" or "base|index"
    // (serialized-cookie layouts; see try_cookie_login). $base is the real cookie name.
    $cookie_bits = explode(':', str_replace('|', ':', get_member_cookie()));
    $base = $cookie_bits[0];

    // Try by session
    // keep_force_htaccess=1 in the request skips both the session and the cookie login
    // below (presumably so HTTP-auth, see is_httpauth_login() at the end, can take over).
    $session = get_session_id();
    if ($session != -1 && get_param_integer('keep_force_htaccess', 0) == 0) {
        $ip = get_ip_address(3); // I hope AOL can cope with this
        $allow_unbound_guest = true; // Note: Guest sessions are not IP bound
        $member_row = NULL;
        // A cached session is accepted when it is not expired and EITHER
        //   - ip_strict_for_sessions is off, or
        //   - its recorded IP matches $ip (get_ip_address(3): presumably a 3-part prefix, hence the AOL remark), or
        //   - it belongs to a guest, or
        //   - it is an unconfirmed (session_confirmed == 0) non-guest session.
        // SECURITY: because of the last clause, IP binding is not enforced for
        // unconfirmed member sessions even in strict mode -- confirm that is intended.
        if ($SESSION_CACHE !== NULL && array_key_exists($session, $SESSION_CACHE) && $SESSION_CACHE[$session] !== NULL && array_key_exists('the_user', $SESSION_CACHE[$session])
            && (get_option('ip_strict_for_sessions') == '0' || $SESSION_CACHE[$session]['ip'] == $ip || is_guest($SESSION_CACHE[$session]['the_user']) && $allow_unbound_guest || $SESSION_CACHE[$session]['session_confirmed'] == 0 && !is_guest($SESSION_CACHE[$session]['the_user']))
            && $SESSION_CACHE[$session]['last_activity'] > time() - 60 * 60 * max(1, intval(get_option('session_expiry_time')))) {
            $member_row = $SESSION_CACHE[$session];
        }
        // A guest session is ignored when a login cookie is present, so the cookie path below gets a chance
        if ($member_row !== NULL && (!array_key_exists($base, $_COOKIE) || !is_guest($member_row['the_user']))) {
            $member = $member_row['the_user'];
            if ($member !== NULL && time() - $member_row['last_activity'] > 10) {
                //$GLOBALS['SITE_DB']->query_update('sessions',array('last_activity'=>time(),'the_zone'=>get_zone_name(),'the_page'=>get_page_name()),array('the_session'=>$session),'',1); Done in get_page_title now
                $SESSION_CACHE[$session]['last_activity'] = time();
                if (get_value('session_prudence') !== '1') {
                    persistant_cache_set('SESSION_CACHE', $SESSION_CACHE);
                }
            }
            global $SESSION_CONFIRMED;
            $SESSION_CONFIRMED = $member_row['session_confirmed'];
            if (get_forum_type() == 'ocf') {
                $GLOBALS['FORUM_DRIVER']->ocf_flood_control($member);
            }
            if (!is_guest($member) && $GLOBALS['FORUM_DRIVER']->is_banned($member)) {
                warn_exit(do_lang_tempcode('USER_BANNED'));
            }
            // Test this member still exists
            if ($GLOBALS['FORUM_DRIVER']->get_username($member) === NULL) {
                $member = $GLOBALS['FORUM_DRIVER']->get_guest_id();
            }
            if (array_key_exists($base, $_COOKIE)) {
                global $IS_A_COOKIE_LOGIN;
                $IS_A_COOKIE_LOGIN = true;
            }
        } else {
            // Unknown, expired or IP-mismatched session: forget it so a fresh one is created below
            require_code('users_inactive_occasionals');
            set_session_id(-1);
        }
    }

    if ($member === NULL && get_session_id() == -1 && get_param_integer('keep_force_htaccess', 0) == 0) {
        // Try by cookie (will defer to forum driver to authorise against detected cookie)
        require_code('users_inactive_occasionals');
        $member = try_cookie_login();

        // Can forum driver help more directly?
        if (method_exists($GLOBALS['FORUM_DRIVER'], 'get_member')) {
            $member = $GLOBALS['FORUM_DRIVER']->get_member();
        }
    }

    // Try via additional login providers. They can choose whether to respect existing $member of get_session_id() settings. Some may do an account linkage, so we need to let them decide what to do.
    // Note: the hook name is used unfiltered here, whereas the upon_login loop below
    // wraps it in filter_naughty(). Hook names come from find_all_hooks() (presumably a
    // directory scan), so this is likely harmless, but the two loops are inconsistent.
    $hooks = find_all_hooks('systems', 'login_providers');
    foreach (array_keys($hooks) as $hook) {
        require_code('hooks/systems/login_providers/' . $hook);
        $ob = object_factory('Hook_login_provider_' . $hook);
        $member = $ob->try_login($member);
    }

    // Guest or banned
    if ($member === NULL) {
        $member = $GLOBALS['FORUM_DRIVER']->get_guest_id();
        $is_guest = true;
    } else {
        $is_guest = is_guest($member);
    }

    // If we are doing a very quick init, bomb out now - no need to establish session etc
    global $SITE_INFO;
    if ($quick_only) {
        $GETTING_MEMBER = false;
        return $member;
    }

    // If one of the try_* functions hasn't actually created the session, call it here
    $session = get_session_id();
    if ($session == -1) {
        require_code('users_inactive_occasionals');
        create_session($member);
    }

    // If we are logged in, maybe do some further processing
    if (!$is_guest) {
        // Is there a su operation?
        // A keep_su request parameter lets a logged-in member become another member;
        // the authorisation for that is inside try_su_login(), not checked here.
        $ks = get_param('keep_su', '');
        if ($ks != '') {
            require_code('users_inactive_occasionals');
            $member = try_su_login($member);
        }

        // Run hooks, if any exist
        $hooks = find_all_hooks('systems', 'upon_login');
        foreach (array_keys($hooks) as $hook) {
            require_code('hooks/systems/upon_login/' . filter_naughty($hook));
            $ob = object_factory('upon_login' . filter_naughty($hook), true);
            if ($ob === NULL) {
                continue;
            }
            $ob->run(false, NULL, $member); // false means "not a new login attempt"
        }
    }

    // Ok we have our answer
    $MEMBER_CACHED = $member;
    $GETTING_MEMBER = false;

    // We call this to ensure any HTTP-auth specific code has a chance to run
    is_httpauth_login();

    return $member;
}
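<?php
require_once "libraries/lib.php";

// Login handler. Reads the posted credentials, validates them and -- whenever
// both fields were non-blank -- redirects to the dashboard regardless of the
// outcome. The dashboard is expected to enforce its own session check
// (NOTE(review): confirm; this script gives no feedback on a failed login).
$uname = esc(isset($_POST['uname']) ? $_POST['uname'] : '');
$upass = esc(isset($_POST['upass']) ? $_POST['upass'] : '');

if (strlen(trim($uname)) > 0 && strlen(trim($upass)) > 0) {
    // validate_credentials() takes no arguments; presumably it reads $uname and
    // $upass from the global scope -- verify before moving this into a function.
    $user_id = validate_credentials();
    if ($user_id > 0) {
        create_session($user_id);
    }
    header("Location: index.php?op=dashboard");
    // Stop processing: a Location header alone does not end the script, so
    // anything after this point would still execute for the redirected request.
    exit;
}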
/**
 * Facebook Connect login: map the Facebook user behind the current request to
 * an ocPortal member, creating or binding an account where necessary.
 *
 * Outcomes, in order:
 *   - no Facebook user detected / API failure: the existing login is returned unchanged;
 *   - a member is already bound to this Facebook uid: its profile is refreshed
 *     from Facebook and a confirmed session is created for it;
 *   - no bound member but an active ocPortal login: that member is bound to the
 *     Facebook uid (NOTE: without a confirmation step, see below);
 *   - otherwise a new member is created (possibly via a "finish profile" form).
 *
 * @param ?MEMBER Member currently logged in (NULL: none). May be a guest id.
 * @return ?MEMBER Member now logged in (NULL: none).
 */
function handle_facebook_connection_login($current_logged_in_member)
{
    if (!class_exists('ocp_tempcode')) {
        return NULL;
    }

    if (is_guest($current_logged_in_member)) {
        $current_logged_in_member = NULL; // We are not a normal cookie login so ocPortal has loaded up a Guest session already in the expectation of keeping it. Unsetting it will force a rebind (existing session may be reused though)
        require_code('users_inactive_occasionals');
        set_session_id(-1);
    }

    // If already session-logged-in onto a Facebook account, don't bother doing anything
    if (!is_null($current_logged_in_member) && $GLOBALS['FORUM_DRIVER']->get_member_row_field($current_logged_in_member, 'm_password_compat_scheme') == 'facebook') {
        return $current_logged_in_member;
    }

    // Who is this user, from Facebook's point of view?
    global $FACEBOOK_CONNECT;
    $facebook_uid = $FACEBOOK_CONNECT->getUser();
    if (is_null($facebook_uid)) {
        return $current_logged_in_member;
    }
    try {
        $details = $FACEBOOK_CONNECT->api('/me');
    } catch (Exception $e) {
        return $current_logged_in_member;
    }
    // Not inside the try: an exception from this second call propagates to the caller
    $details2 = $FACEBOOK_CONNECT->api('/me', array('fields' => 'picture', 'type' => 'normal'));
    if (!is_array($details) || !is_array($details2)) {
        return $current_logged_in_member;
    }
    $details = array_merge($details, $details2);
    if (!isset($details['name'])) {
        return $current_logged_in_member;
    }

    // Profile data taken from the Facebook response
    $username = $details['name'];
    $photo_url = array_key_exists('picture', $details) ? $details['picture'] : '';
    if (is_array($photo_url)) {
        $photo_url = $photo_url['data']['url'];
    }
    if ($photo_url != '') {
        // Note: a plain-http URL; if the site is served over https this becomes mixed content
        $photo_url = 'http://graph.facebook.com/' . strval($facebook_uid) . '/picture?type=large'; // In case URL changes
    }
    $avatar_url = $photo_url == '' ? mixed() : $photo_url;
    $photo_thumb_url = '';
    if ($photo_url != '') {
        $photo_thumb_url = $photo_url;
    }
    $email_address = array_key_exists('email', $details) ? $details['email'] : '';
    $timezone = mixed();
    if (isset($details['timezone'])) {
        require_code('temporal');
        $timezone = convert_timezone_offset_to_formal_timezone($details['timezone']);
    }
    // Locale is only kept if a matching lang_custom directory exists (tried as "EN_GB", then "EN");
    // the value is checked for existence only, not for path characters -- review if it is ever used in a path elsewhere
    $language = mixed();
    if (isset($details['locale'])) {
        $language = strtoupper($details['locale']);
    }
    if ($language !== NULL) {
        if (!file_exists(get_custom_file_base() . '/lang_custom/' . $language)) {
            $language = preg_replace('#\\_.*$#', '', $language);
            if (!file_exists(get_custom_file_base() . '/lang_custom/' . $language)) {
                $language = '';
            }
        }
    }
    // Facebook birthdays are "MM/DD/YYYY"
    $dob = array_key_exists('birthday', $details) ? $details['birthday'] : '';
    $dob_day = mixed();
    $dob_month = mixed();
    $dob_year = mixed();
    if ($dob != '') {
        $_dob = explode('/', $dob);
        $dob_day = intval($_dob[1]);
        $dob_month = intval($_dob[0]);
        $dob_year = intval($_dob[2]);
    }

    // See if they have logged in before - i.e. have a synched account
    // (the Facebook uid is stored in m_pass_hash_salted for scheme 'facebook')
    $member_row = $GLOBALS['FORUM_DB']->query_select('f_members', array('*'), array('m_password_compat_scheme' => 'facebook', 'm_pass_hash_salted' => $facebook_uid), 'ORDER BY id DESC', 1);
    $member = array_key_exists(0, $member_row) ? $member_row[0]['id'] : NULL;
    if (is_guest($member)) {
        $member = NULL;
    }

    /*if (!is_null($member)) // Useful for debugging
    {
        require_code('ocf_members_action2');
        ocf_delete_member($member);
        $member=NULL;
    }*/

    // If logged in before using Facebook, see if they've changed their name or email or timezone on Facebook -- if so, try and update locally to match
    if (!is_null($member)) {
        if (!is_null($current_logged_in_member) && $current_logged_in_member !== NULL && !is_guest($current_logged_in_member) && $current_logged_in_member != $member) {
            return $current_logged_in_member;
        } // User has an active login, and the Facebook account is bound to a DIFFERENT login. Take precedence to the other login that is active on top of this

        // NOTE(review): $member holds the integer id at this point, so every
        // "$member[0][...]" read below indexes a scalar and yields NULL;
        // $member_row[0][...] was presumably intended. Left unchanged here.
        $last_visit_time = $member[0]['m_last_visit_time'];
        if ($timezone !== NULL) {
            if (tz_time(time(), $timezone) == tz_time(time(), $member[0]['m_timezone_offset'])) {
                $timezone = $member[0]['m_timezone_offset'];
            } // If equivalent, don't change
        }
        // NOTE(review): $test is the id of whichever member already has this username,
        // yet the update only runs when such a member EXISTS, and $test (an id) is then
        // searched for the substrings 'facebook'/'fbcdn' as if it were an avatar URL.
        // Both look inverted/mistaken -- confirm against the intended behaviour.
        $test = $GLOBALS['FORUM_DB']->query_value_null_ok('f_members', 'id', array('m_username' => $username));
        if (!is_null($test)) {
            $update_map = array('m_username' => $username, 'm_dob_day' => $dob_day, 'm_dob_month' => $dob_month, 'm_dob_year' => $dob_year);
            if ($email_address != '') {
                $update_map['m_email_address'] = $email_address;
            }
            if ($avatar_url !== NULL && ($test == '' || strpos($test, 'facebook') !== false || strpos($test, 'fbcdn') !== false)) {
                if ($timezone !== NULL) {
                    $update_map['m_timezone_offset'] = $timezone;
                }
                $update_map['m_avatar_url'] = $avatar_url;
                $update_map['m_photo_url'] = $photo_url;
                $update_map['m_photo_thumb_url'] = $photo_thumb_url;
            }
            $GLOBALS['FORUM_DB']->query_update('f_members', $update_map, array('m_password_compat_scheme' => 'facebook', 'm_pass_hash_salted' => strval($facebook_uid)), '', 1);

            if ($username != $member[0]['m_username']) { // Fix cacheing for usernames
                $to_fix = array('f_forums/f_cache_last_username', 'f_posts/p_poster_name_if_guest', 'f_topics/t_cache_first_username', 'f_topics/t_cache_last_username');
                foreach ($to_fix as $fix) {
                    list($table, $field) = explode('/', $fix);
                    $GLOBALS['FORUM_DB']->query_update($table, array($field => $username), array($field => $member[0]['m_username']));
                }
            }
        }
    }

    // Not logged in before using Facebook, so we need to create an account, or bind to the active ocPortal login if there is one
    $in_a_sane_place = get_page_name() != 'login' && (running_script('index') || running_script('execute_temp')); // If we're in some weird script, or the login module UI, it's not a sane place, don't be doing account creation yet
    if (is_null($member) && $in_a_sane_place) {
        // Bind to existing ocPortal login?
        // SECURITY: this binds the Facebook uid to the currently logged-in member with no
        // confirmation step (the prompt below is commented out). After binding, the member's
        // scheme is 'facebook' and m_pass_hash_salted holds the Facebook uid, so
        // presumably whoever controls that Facebook account can log in as this member.
        if (!is_null($current_logged_in_member)) {
            /*if (post_param_integer('associated_confirm',0)==0) Won't work because Facebook is currently done in JS and cookies force this. If user wishes to cancel they must go to http://www.facebook.com/settings?tab=applications and remove the app, then run a lost password reset.
            {
                $title=get_page_title('LOGIN_FACEBOOK_HEADER');
                $message=do_lang_tempcode('LOGGED_IN_SURE_FACEBOOK',escape_html($GLOBALS['FORUM_DRIVER']->get_username($current_logged_in_member)));
                $middle=do_template('YESNO_SCREEN',array('TITLE'=>$title,'TEXT'=>$message,'HIDDEN'=>form_input_hidden('associated_confirm','1'),'URL'=>get_self_url_easy()));
                $tpl=globalise($middle,NULL,'',true);
                $tpl->evaluate_echo();
                exit();
            }*/

            $GLOBALS['FORUM_DB']->query_update('f_members', array('m_password_compat_scheme' => 'facebook', 'm_pass_hash_salted' => $facebook_uid), array('id' => $current_logged_in_member), '', 1);

            require_code('site');
            require_lang('facebook');
            attach_message(do_lang_tempcode('FACEBOOK_ACCOUNT_CONNECTED', escape_html(get_site_name()), escape_html($GLOBALS['FORUM_DRIVER']->get_username($current_logged_in_member)), array(escape_html($username))), 'inform');

            return $current_logged_in_member;
        }

        // If we're still here, we have to create a new account...
        // -------------------------------------------------------

        $completion_form_submitted = post_param('email_address', '') != '';

        // If there's a conflicting username, we may need to change it (suffix a number)
        require_code('ocf_members_action2');
        $username = get_username_from_human_name($username);

        // Ask ocP to finish off the profile from the information presented in the POST environment (a standard mechanism in ocPortal, for third party logins of various kinds)
        require_lang('ocf');
        require_code('ocf_members');
        require_code('ocf_groups');
        require_code('ocf_members2');
        require_code('ocf_members_action');
        $_custom_fields = ocf_get_all_custom_fields_match(ocf_get_all_default_groups(true), NULL, NULL, NULL, 1);
        if (!$completion_form_submitted && count($_custom_fields) != 0 && get_value('no_finish_profile') !== '1') {
            // Show the "finish your profile" form and stop; the form posts back here
            $GLOBALS['FACEBOOK_FINISHING_PROFILE'] = true;
            $middle = ocf_member_external_linker_ask($username, 'facebook', $email_address, $dob_day, $dob_month, $dob_year);
            $tpl = globalise($middle, NULL, '', true);
            $tpl->evaluate_echo();
            exit;
        } else {
            // The username may come from the posted form at this point, so it is validated
            $username = post_param('username', $username);
            if (count($_custom_fields) != 0 && get_value('no_finish_profile') !== '1') { // Was not auto-generated, so needs to be checked
                ocf_check_name_valid($username, NULL, NULL);
            }
            $member = ocf_member_external_linker($username, $facebook_uid, 'facebook', false, $email_address, $dob_day, $dob_month, $dob_year, $timezone, $language, $avatar_url, $photo_url, $photo_thumb_url);
        }
    }

    if (!is_null($member)) {
        require_code('users_inactive_occasionals');
        create_session($member, 1, isset($_COOKIE[get_member_cookie() . '_invisible']) && $_COOKIE[get_member_cookie() . '_invisible'] == '1'); // This will mark it as confirmed
    }

    return $member;
}
$username = from($_REQUEST, 'username'); $email = from($_REQUEST, 'email'); $password = from($_REQUEST, 'password'); if (account_exists($email)) { redirect('/register?error=Account already exists'); } account_create($email, $username, $password); redirect('/login?success=Account created, you can now login'); }); get('/logout', function () { destroy_session(); redirect(); }); get('/regenerate', function () { if (logged_in()) { create_session(user_email()); } redirect(); }); // Apply // -------------------------------------------------------------------------------- get('/apply', function () { redirect(); }); get('/apply/:position', function ($position) { $p = p_item($position, true); if (isset($p)) { render('apply', array('head_title' => 'Apply', 'p' => $p)); } else { render('err404', null, false); }
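/**
 * Authenticate the posted login form against the remote OAuth2 token endpoint
 * (resource-owner password grant) and open a local PHP session on success.
 *
 * Reads $_POST['form-email'] and $_POST['pswd'].
 *
 * @return array On success: array(HTTP status, raw response body, accountType).
 *               On failure the browser is redirected to login.php and the script exits.
 */
function login()
{
    // NOTE(review): the token endpoint is plain http://, so the password crosses the
    // network unencrypted. Switch to https:// as soon as the server supports it.
    $url = "http://ec2-52-32-172-4.us-west-2.compute.amazonaws.com/Token";
    $fields = array(
        'grant_type' => "password",
        'username' => isset($_POST["form-email"]) ? $_POST["form-email"] : '',
        'password' => isset($_POST["pswd"]) ? $_POST["pswd"] : '',
    );
    // URL-encode the body: the previous manual join did not, so a password
    // containing '&' or '=' was truncated or could inject extra grant parameters.
    $fields_string = http_build_query($fields);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // curl_exec() returns false on transport failure; treat that like a bad reply
    $msg = ($result === false) ? null : json_decode($result);

    // login the user
    if ($code === 200 && is_object($msg)) {
        $response = array($code, $result, isset($msg->accountType) ? $msg->accountType : null);
        session_start();
        // NOTE(review): this has no effect -- session_set_cookie_params() only applies
        // when called before session_start(). Kept as found; a one-year session cookie
        // would not be desirable in any case.
        session_set_cookie_params(3600 * 24 * 365);
        create_session($msg);
        return $response;
    }

    // Failure. Do not echo here: output before header() prevents the redirect from
    // being sent, and it reflected the provider's error text into the page unescaped.
    $error = (is_object($msg) && isset($msg->error_description)) ? $msg->error_description : 'Login failed';
    header("Location: login.php?login=true&error=" . urlencode($error . " Error code" . $code));
    exit;
}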
# #} else { $conn = connect(); $user = $_POST['USER']; // make the string safe $pass = md5($_POST['PASS']); #$pass = $_POST['PASS']; $result = select($conn, "*", "users", "username='******' AND password='******'"); mysql_close($conn); while ($row = mysql_fetch_assoc($result)) { // User provided proper credentials echo "<pre>"; print_r($row); echo "</pre>"; if ($row['username'] == $user) { destroy_session($user); // if user is logging in twice w/o logging out create_session($user, $row['user_type'], $row['last_name'], $row['uid']); if ($row['user_type'] == 1) { header('Location: pages/dr_participants.php'); } else { if ($row['user_type'] == 0) { header('Location: pages/p_day.php'); } } exit; } } // user failed to log in echo "\n<DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 3.2//EN\">\n<HEAD>\n<TITLE>fb4ho</TITLE>\n</HEAD>\t\n<BODY BGCOLOR=WHITE>\n<TABLE ALIGN=\"CENTER\">\n<TR><TD>\n<IMG SRC='title.gif' WIDTH=500px HEIGHT=100px/>\n</TD></TR>\n<TR><TD>\n<H2> Login Failed! </H2>\n<a href=\"index.php\">Back</a>\n</TD></TR>\n</TABLE>\n</BODY>"; exit;
<?php include "opentape_common.php"; check_cookie(); if (is_logged_in()) { header("Location: " . $REL_PATH . "code/edit.php"); } if (!empty($_POST['pass'])) { $res = check_password($_POST['pass']); if ($res === true) { error_log("Password OK, creating session..."); $res = create_session(); if ($res === true) { header("Location: " . $REL_PATH . "code/edit.php"); } elseif ($res == -1) { // failed to check password due to some filesystem issue header("Location: " . $REL_PATH . "code/warning.php"); } } elseif ($res === false) { $status_msg = 'Bad Password :('; } elseif ($res == -1) { // failed to check password due to some filesystem issue header("Location: " . $REL_PATH . "code/warning.php"); } } // check for new versions once a week $prefs_struct = get_opentape_prefs(); // 604800 = week in seconds if ((!isset($prefs_struct['check_updates']) || $prefs_struct['check_updates'] == 1) && (!isset($prefs_struct['last_update_check']) || time() - $prefs_struct['last_update_check'] > 604800)) { $prefs_struct = check_for_update(); if ($prefs_struct === false) {
/**
 * Standard login provider hook.
 *
 * OpenID flow, driven by request parameters:
 *   - no openid_mode and an openid_identifier POSTed: redirect the browser to
 *     the identity provider's auth URL (and exit);
 *   - openid_mode=cancel: show a message, keep the existing $member;
 *   - any other openid_mode: validate the provider's response; log the member
 *     bound to that identity in, or (when running from index/execute_temp)
 *     create a new member from the returned attributes.
 * The OpenID identity URL is stored in m_pass_hash_salted (scheme 'openid').
 *
 * @param ?MEMBER Member ID already detected as logged in (NULL: none). May be a guest ID.
 * @return ?MEMBER Member ID now detected as logged in (NULL: none). May be a guest ID.
 */
function try_login($member)
{
    // Some kind of OpenID provider
    try {
        require_code('openid');
        require_code('developer_tools');

        if (!isset($_REQUEST['openid_mode'])) {
            if (array_key_exists('openid_identifier', $_POST)) {
                destrictify();
                $openid = new LightOpenID();
                $openid->identity = $_POST['openid_identifier'];
                $openid->required = array('namePerson/friendly', 'namePerson', 'contact/email', 'birthDate', 'pref/language', 'media/image/default');
                // The redirect target is derived from the user-supplied identifier (inherent to OpenID discovery)
                header('Location: ' . $openid->authUrl());
                exit;
            }
        } elseif ($_GET['openid_mode'] == 'cancel') { // Note: the existence check above used $_REQUEST, but this reads $_GET only
            destrictify();
            require_code('site');
            require_code('site2');
            attach_message('You cancelled your OpenID login, so you are not logged into the site.', 'inform');
        } else {
            destrictify();
            $openid = new LightOpenID();
            if ($openid->validate()) {
                // Attributes are supplied by the identity provider and are only trusted as far as the provider is
                $attributes = $openid->getAttributes();

                // If member already existed, no action needed - just create a session to existing record
                $member = $GLOBALS['FORUM_DB']->query_value_null_ok('f_members', 'id', array('m_password_compat_scheme' => 'openid', 'm_pass_hash_salted' => $openid->identity));
                if (!is_null($member)) {
                    require_code('users_inactive_occasionals');
                    create_session($member, 1, isset($_COOKIE[get_member_cookie() . '_invisible']) && $_COOKIE[get_member_cookie() . '_invisible'] == '1'); // This will mark it as confirmed
                    return $member;
                }

                require_code('ocf_members');
                require_code('ocf_groups');
                require_lang('ocf');

                if (running_script('index') || running_script('execute_temp')) {
                    require_code('ocf_members_action');
                    require_code('ocf_members_action2');

                    $email = '';
                    if (array_key_exists('contact/email', $attributes)) {
                        $email = $attributes['contact/email'];
                    }

                    // Pick a display name: friendly name, full name, e-mail local part, else the identity URL
                    $username = $openid->identity; // Yuck, we'll try and build on this
                    if (array_key_exists('namePerson/friendly', $attributes)) {
                        $username = $attributes['namePerson/friendly'];
                    } elseif (array_key_exists('namePerson', $attributes)) {
                        $username = $attributes['namePerson'];
                    } elseif ($email != '') {
                        $username = substr($email, 0, strpos($email, '@'));
                    }
                    // De-duplicate against existing members by suffixing " (2)", " (3)", ...
                    if ($username != '') {
                        $_username = $username;
                        $i = 1;
                        do {
                            $test = $GLOBALS['FORUM_DB']->query_value_null_ok('f_members', 'id', array('m_username' => $_username));
                            if (!is_null($test)) {
                                $i++;
                                $_username = $username . ' (' . strval($i) . ')';
                            }
                        } while (!is_null($test));
                        $username = $_username;
                    }

                    // birthDate is expected as "YYYY-MM-DD"
                    $dob = '';
                    if (array_key_exists('birthDate', $attributes)) {
                        $dob = $attributes['birthDate'];
                    }
                    $dob_day = mixed();
                    $dob_month = mixed();
                    $dob_year = mixed();
                    if ($dob != '') {
                        $dob_bits = explode('-', $dob);
                        $dob_day = intval($dob_bits[2]);
                        $dob_month = intval($dob_bits[1]);
                        $dob_year = intval($dob_bits[0]);
                    }

                    // The provider-supplied language is only kept if a lang_custom directory of that name exists;
                    // it is checked for existence, not for path characters -- review if the value is later used in a path
                    $language = mixed();
                    if (array_key_exists('pref/language', $attributes)) {
                        if (file_exists(get_file_base() . '/lang_custom/' . $attributes['pref/language'])) {
                            $language = $attributes['pref/language'];
                        }
                    }

                    // Side effect: raises the site-wide maximum password length (the identity URL is
                    // stored in the password field). Whether set_option() persists this is not visible here.
                    require_code('config2');
                    set_option('maximum_password_length', '1000');

                    $member = ocf_member_external_linker($username, $openid->identity, 'openid', false, $email, $dob_day, $dob_month, $dob_year, NULL, $language);

                    // Avatar URL also comes from the provider's attributes
                    $avatar = '';
                    if (array_key_exists('media/image/default', $attributes)) {
                        $avatar = $attributes['media/image/default'];
                    }
                    ocf_member_choose_avatar($avatar, $member);
                }

                if (!is_null($member)) {
                    require_code('users_inactive_occasionals');
                    create_session($member, 1, isset($_COOKIE[get_member_cookie() . '_invisible']) && $_COOKIE[get_member_cookie() . '_invisible'] == '1'); // This will mark it as confirmed
                }
            } else {
                require_code('site');
                require_code('site2');
                attach_message('An unknown error occurred during OpenID login.', 'warn');
            }
        }
    } catch (ErrorException $e) {
        // The raw exception message is shown to the visitor; it may include internal detail
        require_code('site');
        require_code('site2');
        attach_message($e->getMessage(), 'warn');
    }

    return $member;
}
/**
 * Process a login.
 *
 * Checks the posted password for $username through the forum driver, runs the
 * upon_login hooks, and on success creates a confirmed session. With
 * remember=1 it also writes the "remember me" cookies; on failure it records
 * the attempt in failedlogins and aborts via log_hack_attack_and_exit() once an
 * IP has more than 30 failures in 15 minutes.
 *
 * Reads POST parameters: password, remember, login_invisible, login_username.
 *
 * @param ID_TEXT Username
 */
function handle_active_login($username)
{
    global $SESSION_CACHE; // not used in this function

    $result = array();

    // Work out the real cookie names. "base:key" means both member and password are
    // stored inside one serialized cookie named $base.
    $member_cookie_name = get_member_cookie();
    $colon_pos = strpos($member_cookie_name, ':');
    if ($colon_pos !== false) {
        $base = substr($member_cookie_name, 0, $colon_pos);
        $real_member_cookie = substr($member_cookie_name, $colon_pos + 1);
        $real_pass_cookie = substr(get_pass_cookie(), $colon_pos + 1);
        $serialized = true;
    } else {
        $real_member_cookie = get_member_cookie();
        $base = $real_member_cookie;
        $real_pass_cookie = get_pass_cookie();
        $serialized = false;
    }

    // Both the driver-specific hash and the clear-text password are handed to the driver
    $password = trim(post_param('password'));
    $login_array = $GLOBALS['FORUM_DRIVER']->forum_authorise_login($username, NULL, apply_forum_driver_md5_variant($password, $username), $password);
    $member = $login_array['id'];

    // Run hooks, if any exist
    $hooks = find_all_hooks('systems', 'upon_login');
    foreach (array_keys($hooks) as $hook) {
        require_code('hooks/systems/upon_login/' . filter_naughty($hook));
        $ob = object_factory('upon_login' . filter_naughty($hook), true);
        if (is_null($ob)) {
            continue;
        }
        $ob->run(true, $username, $member); // true means "a new login attempt"
    }

    if (!is_null($member)) {
        $remember = post_param_integer('remember', 0);

        // Create invisibility cookie
        if (array_key_exists(get_member_cookie() . '_invisible', $_COOKIE) || $remember == 1) {
            $invisible = post_param_integer('login_invisible', 0);
            ocp_setcookie(get_member_cookie() . '_invisible', strval($invisible));
            $_COOKIE[get_member_cookie() . '_invisible'] = strval($invisible);
        }

        // Store the cookies
        // SECURITY: the "remember me" cookies carry a password equivalent -- the
        // driver's md5 variant when is_hashed(), otherwise the clear-text password
        // itself. Cookie lifetime/secure/httponly flags are decided inside
        // ocp_setcookie() and are not visible here.
        if ($remember == 1) {
            global $IS_A_COOKIE_LOGIN;
            $IS_A_COOKIE_LOGIN = true;

            // Create user cookie
            if (method_exists($GLOBALS['FORUM_DRIVER'], 'forum_create_cookie')) {
                $GLOBALS['FORUM_DRIVER']->forum_create_cookie($member, NULL, $password);
            } else {
                if ($GLOBALS['FORUM_DRIVER']->is_cookie_login_name()) {
                    $name = $GLOBALS['FORUM_DRIVER']->get_username($member);
                    if ($serialized) {
                        $result[$real_member_cookie] = $name;
                    } else {
                        ocp_setcookie(get_member_cookie(), $name, false, true);
                        $_COOKIE[get_member_cookie()] = $name;
                    }
                } else {
                    if ($serialized) {
                        $result[$real_member_cookie] = $member;
                    } else {
                        ocp_setcookie(get_member_cookie(), strval($member), false, true);
                        $_COOKIE[get_member_cookie()] = strval($member);
                    }
                }

                // Create password cookie
                if (!$serialized) {
                    if ($GLOBALS['FORUM_DRIVER']->is_hashed()) {
                        ocp_setcookie(get_pass_cookie(), apply_forum_driver_md5_variant($password, $username), false, true);
                    } else {
                        ocp_setcookie(get_pass_cookie(), $password, false, true);
                    }
                } else {
                    if ($GLOBALS['FORUM_DRIVER']->is_hashed()) {
                        $result[$real_pass_cookie] = apply_forum_driver_md5_variant($password, $username);
                    } else {
                        $result[$real_pass_cookie] = $password;
                    }
                    $_result = serialize($result);
                    ocp_setcookie($base, $_result, false, true);
                }
            }
        }

        // Create session
        require_code('users_inactive_occasionals');
        create_session($member, 1, post_param_integer('login_invisible', 0) == 1);
    } else {
        // Failed login: record it, then lock out the source IP after >30 failures in 15 minutes.
        // The counter is per IP only, so failures spread over many addresses (or many
        // accounts from one address below the threshold) are not limited here.
        $GLOBALS['SITE_DB']->query_insert('failedlogins', array('failed_account' => substr(trim(post_param('login_username')), 0, 80), 'date_and_time' => time(), 'ip' => get_ip_address()));
        $count = $GLOBALS['SITE_DB']->query_value_null_ok_full('SELECT COUNT(*) FROM ' . get_table_prefix() . 'failedlogins WHERE date_and_time>' . strval(time() - 60 * 15) . ' AND ' . db_string_equal_to('ip', get_ip_address()));
        if ($count > 30) {
            log_hack_attack_and_exit('BRUTEFORCE_LOGIN_HACK');
        }
    }
}
ini_set('session.cookie_lifetime', 0); // ini_set('session.cookie_secure', 1); only on https ini_set('session.cookie_httponly', 1); ini_set('session.use_cookies', 1); ini_set('session.use_only_cookies', 1); ini_set('session.cache_expire', 30); ini_set('default_socket_timeout', 60); ini_set('session.entropy_file', '/dev/urandom'); ini_set('session.entropy_length', 256); ini_set('session.gc_maxlifetime', 2678400); session_set_cookie_params(0); session_start(); // Reset session variables in case stuff changed if (logged_in()) { if (account_exists(user_email())) { create_session(user_email(), false); } else { destroy_session(); } } function destroy_session() { if (ini_get("session.use_cookies")) { $params = session_get_cookie_params(); setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]); } if (isset($_COOKIE['login'])) { unset($_COOKIE['login']); setcookie('login', '', time() - 3600, '/'); } session_unset();
echo '{"status":false,"command":"' . $command . '","debug":"You must authenticate."}'; exit; } //error_log ("$command - " . print_r($args,1)); if (isset($args['password1']) && !strcmp($args['password1'], $args['password2']) && !strcmp($command, "create_password")) { // don't allow people to set password using this method once the file exists if (is_password_set()) { echo '{"status":false,"command":"' . $command . '","debug":"The password is already configured, login to change it."}'; } if (set_password($args['password1'])) { // proceed to next step, nothing here really... } else { echo '{"status":false,"command":"' . $command . '","debug":""}'; exit; } if (create_session()) { echo '{"status":true,"command":"create_password","debug":""}'; } else { echo '{"status":false,"command":"' . $command . '","debug":""}'; } } elseif (isset($args['password1']) && !strcmp($args['password1'], $args['password2']) && !strcmp($command, "change_password")) { if (set_password($args['password1'])) { echo '{"status":true,"command":"' . $command . '","debug":""}'; } else { echo '{"status":false,"command":"' . $command . '","debug":""}'; } } elseif (!strcmp($command, "rename")) { if (get_magic_quotes_gpc()) { $_POST['artist'] = stripslashes($_POST['artist']); $_POST['title'] = stripslashes($_POST['title']); }
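/**
 * Hypergrid "foreignagent" endpoint: a remote grid asks us to admit one of its
 * users into a local scene.
 *
 * The request body supplies the session identifiers (session_id,
 * secure_session_id, service_session_id), the client IP and the home grid URI,
 * and they are adopted as-is by create_session() / create_opensim_presence_full().
 * Nothing in this function authenticates the calling grid, so it must only be
 * reachable from trusted peers (NOTE(review): confirm an outer layer does this).
 *
 * @param array $path_tail URL path components after the handler name; [0] is the user id
 * @param string $data Raw request body (unwrapped by decodedata(), then JSON-decoded)
 */
function foreignagent_handler($path_tail, $data)
{
    log_message('info', "[hypergrid] foreignagent_handler called");

    $data = decodedata($data);
    $config =& get_config();
    $userid = isset($path_tail[0]) ? $path_tail[0] : '';
    // Log the user id and payload size only: the body carries session secrets
    // (secure_session_id) that must not be written to the log file.
    log_message('info', "foreign_agent called for {$userid} (" . strlen($data) . " bytes)");

    $osd = decode_recursive_json($data);
    if ($osd == null) {
        log_message('error', sprintf('[hypergrid] failed to decode foreignagent json string %s', $data));
        sendresponse(false, 'failed to decode foreignagent string');
        // Previously execution fell through and dereferenced the null payload
        return;
    }

    // Absent keys yield null instead of an undefined-index notice
    $dest_x = _hg_osd_field($osd, 'destination_x');
    $dest_y = _hg_osd_field($osd, 'destination_y');
    if ($dest_x == null) {
        $dest_x = 0;
    }
    if ($dest_y == null) {
        $dest_y = 0;
    }
    $caps_path = _hg_osd_field($osd, 'caps_path');
    $circuit_code = _hg_osd_field($osd, 'circuit_code');
    $session_id = _hg_osd_field($osd, 'session_id');
    $secure_session_id = _hg_osd_field($osd, 'secure_session_id');
    $service_session_id = _hg_osd_field($osd, 'service_session_id');
    $start_pos = _hg_osd_field($osd, 'start_pos');
    $appearance = _hg_osd_field($osd, 'packed_appearance');

    //$service_urls['HomeURI'] = $osd['service_urls'][1];
    //$service_urls['GatekeeperURI'] = $osd['service_urls'][3];
    //$service_urls['InventoryServerURI'] = $osd['service_urls'][5];
    //$service_urls['AssetServerURI'] = $osd['service_urls'][7];

    // The client IP is whatever the remote grid claims it to be
    $client_ip = _hg_osd_field($osd, 'client_ip');
    if ($client_ip === null) {
        log_message('info', '[hypergrid] no client ip specified in foreignagent request');
    }

    $dest_uuid = _hg_osd_field($osd, 'destination_uuid');
    if (empty($dest_uuid)) {
        header("HTTP/1.1 400 Bad Request");
        echo "missing destination_uuid";
        exit;
    }

    $scene = lookup_scene_by_id($dest_uuid);
    if ($scene == null) {
        header("HTTP/1.1 400 Bad Request");
        echo "invalid destination uuid";
        exit;
    }
    $dest_name = $scene->Name;

    $serviceurls = _hg_osd_field($osd, 'serviceurls');
    $homeuri = (is_array($serviceurls) && isset($serviceurls['HomeURI'])) ? $serviceurls['HomeURI'] : null;
    $username = _hg_osd_field($osd, 'first_name') . ' ' . _hg_osd_field($osd, 'last_name');

    log_message('info', "[hypergrid] check user name {$username} with homeuri {$homeuri}");
    // Users from another grid are registered locally as "First Last@homeuri".
    // NOTE(review): the HomeURI is taken from the request body itself, so a caller
    // that claims our own hypergrid_uri skips hg_register_user(); confirm that an
    // outer layer verifies the origin grid.
    if ($homeuri != $config['hypergrid_uri']) {
        $username = $username . '@' . $homeuri;
        hg_register_user($userid, $username, $homeuri);
    }

    $extradata = null;
    if ($client_ip != null) {
        $extradata = array('ClientIP' => $client_ip);
    }

    log_message('info', "[hypergrid] create session for {$username}");
    create_session($userid, $session_id, $secure_session_id, $extradata);

    // $seedCaps was never assigned in the original and was passed as an undefined
    // variable (i.e. null); make that explicit instead of relying on a notice.
    $seedCaps = null;
    $result = create_opensim_presence_full($scene->Address, $dest_name, $dest_uuid, $dest_x, $dest_y, $userid, $circuit_code, $username, $appearance, $session_id, $secure_session_id, $start_pos, $caps_path, $client_ip, $serviceurls, 1073741824, $service_session_id, $seedCaps);

    sendresponse($result, 'no reason given');
}

/**
 * Read one key of the decoded foreignagent request.
 *
 * @param mixed $osd Decoded request (expected array)
 * @param string $key Key to read
 * @param mixed $default Value returned when $osd is not an array or lacks the key
 * @return mixed
 */
function _hg_osd_field($osd, $key, $default = null)
{
    return (is_array($osd) && array_key_exists($key, $osd)) ? $osd[$key] : $default;
}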
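/**
 * Hypergrid "foreignagent" endpoint (legacy variant): registers a visiting
 * avatar, opens a session for it and asks the destination simulator to create
 * its presence, replying with a JSON-like success object.
 *
 * @param array  $path_tail Remaining URL path segments; element 0 is the user id.
 * @param string $data      Raw JSON request body.
 * @return void Always terminates the request with exit after writing the response.
 */
function foreignagent_handler($path_tail, $data)
{
    log_message('debug', "server method is " . $_SERVER['REQUEST_METHOD']);
    $userid = $path_tail[0];
    // NOTE: the body carries session_id/secure_session_id, so this line writes
    // session credentials into the info log.
    log_message('info', "foreign_agent called for {$userid} with {$data}");

    $osd = decode_recursive_json($data);
    if ($osd == null) {
        // Fix: the original went on to index a null $osd when the body was not valid JSON.
        header("HTTP/1.1 400 Bad Request");
        echo "failed to decode foreignagent json";
        exit;
    }
    // Missing keys read as null instead of raising an undefined-index notice.
    $field = function ($key) use ($osd) {
        return isset($osd[$key]) ? $osd[$key] : null;
    };

    // Missing/empty coordinates default to 0 (a literal '0' also becomes int 0).
    $dest_x = empty($osd['destination_x']) ? 0 : $osd['destination_x'];
    $dest_y = empty($osd['destination_y']) ? 0 : $osd['destination_y'];

    $caps_path = $field('caps_path');
    $circuit_code = $field('circuit_code');
    $session_id = $field('session_id');
    $secure_session_id = $field('secure_session_id');
    $service_session_id = $field('service_session_id');
    $start_pos = $field('start_pos');
    $appearance = $field('wearables');
    $attachments = isset($osd['attachments']) ? $osd['attachments'] : array();
    $client_ip = $field('client_ip');

    // service_urls is presumably a flat key/value list (values in the odd slots) — verify against the sender.
    $raw_urls = isset($osd['service_urls']) ? $osd['service_urls'] : array();
    $service_urls = array(
        'HomeURI' => isset($raw_urls[1]) ? $raw_urls[1] : null,
        'GatekeeperURI' => isset($raw_urls[3]) ? $raw_urls[3] : null,
        'InventoryServerURI' => isset($raw_urls[5]) ? $raw_urls[5] : null,
        'AssetServerURI' => isset($raw_urls[7]) ? $raw_urls[7] : null,
    );

    $dest_uuid = $field('destination_uuid');
    $dest_name = $field('destination_name');
    if ($dest_uuid == null || $dest_name == null) {
        header("HTTP/1.1 400 Bad Request");
        echo "missing destination_name and/or destination_uuid";
        exit;
    }
    $scene = lookup_scene_by_id($dest_uuid);
    if ($scene == null) {
        // Fix: an unknown uuid previously reached $scene->Address on a null object.
        header("HTTP/1.1 400 Bad Request");
        echo "invalid destination uuid";
        exit;
    }

    // Foreign users are keyed as "First Last@HomeURI".
    $username = $field('first_name') . ' ' . $field('last_name') . '@' . $service_urls['HomeURI'];
    bump_user($userid, $username, "{$username}@HG LOLOL");
    create_session($userid, $session_id, $secure_session_id);

    $result = create_opensim_presence_full(
        $scene->Address,
        $dest_name,
        $dest_uuid,
        $dest_x,
        $dest_y,
        $userid,
        $circuit_code,
        $username,
        $appearance,
        $attachments,
        $session_id,
        $secure_session_id,
        $start_pos,
        $caps_path,
        $client_ip,
        $service_urls,
        1073741824,
        $service_session_id
    );

    // NOTE: single-quoted keys make this a JSON-like string rather than valid JSON,
    // and $result is interpolated unescaped; kept verbatim so the wire format is unchanged.
    echo "{'success': {$result}, 'reason': 'no reason set lol', 'your_ip': '" . $_SERVER['REMOTE_ADDR'] . "'}";
    exit;
}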
/**
 * Do a cookie login.
 *
 * Reads the member/password pair from $_COOKIE — unpacking it first when the
 * configured cookie name denotes a container cookie, either serialized
 * ("base:key") or '||'-joined ("base|index") — asks the forum driver to verify
 * it, and on success flags the request as a cookie login and creates a session.
 *
 * @return MEMBER Logged in member (NULL: no login happened)
 */
function try_cookie_login()
{
    $member = NULL;

    // Preprocess if this is a serialized cookie
    $member_cookie_name = get_member_cookie();
    $bar_pos = strpos($member_cookie_name, '|');
    $colon_pos = strpos($member_cookie_name, ':');
    if ($colon_pos !== false) {
        // "base:key" form: the real values live inside one serialized array cookie.
        $base = substr($member_cookie_name, 0, $colon_pos);
        if (array_key_exists($base, $_COOKIE) && $_COOKIE[$base] != '') {
            // Assumes the pass cookie name shares the same "base:" prefix length — TODO confirm.
            $real_member_cookie = substr($member_cookie_name, $colon_pos + 1);
            $real_pass_cookie = substr(get_pass_cookie(), $colon_pos + 1);
            $the_cookie = $_COOKIE[$base];
            if (get_magic_quotes_gpc()) {
                $the_cookie = stripslashes($_COOKIE[$base]);
            }
            // The cookie is client-controlled: secure_serialized_data() is the only
            // guard between it and unserialize(), whose errors are suppressed below.
            secure_serialized_data($the_cookie, array());
            $unserialize = @unserialize($the_cookie);
            if (is_array($unserialize)) {
                // Re-inject the unpacked values under the plain cookie names so the
                // common login path below can read them.
                if (array_key_exists($real_member_cookie, $unserialize)) {
                    $the_member = $unserialize[$real_member_cookie];
                    if (get_magic_quotes_gpc()) {
                        $the_member = addslashes(@strval($the_member));
                    }
                    $_COOKIE[get_member_cookie()] = $the_member;
                }
                if (array_key_exists($real_pass_cookie, $unserialize)) {
                    $the_pass = $unserialize[$real_pass_cookie];
                    if (get_magic_quotes_gpc()) {
                        $the_pass = addslashes($the_pass);
                    }
                    $_COOKIE[get_pass_cookie()] = $the_pass;
                }
            }
        }
    } elseif ($bar_pos !== false) {
        // "base|index" form: one cookie holding '||'-separated fields, addressed by position.
        $base = substr($member_cookie_name, 0, $bar_pos);
        if (array_key_exists($base, $_COOKIE) && $_COOKIE[$base] != '') {
            $real_member_cookie = substr($member_cookie_name, $bar_pos + 1);
            $real_pass_cookie = substr(get_pass_cookie(), $bar_pos + 1);
            $the_cookie = $_COOKIE[$base];
            if (get_magic_quotes_gpc()) {
                $the_cookie = stripslashes($_COOKIE[$base]);
            }
            $cookie_contents = explode('||', $the_cookie);
            // No bounds check: an index beyond the exploded fields yields a notice and NULL.
            $the_member = $cookie_contents[intval($real_member_cookie)];
            if (get_magic_quotes_gpc()) {
                $the_member = addslashes($the_member);
            }
            $_COOKIE[get_member_cookie()] = $the_member;
            $the_pass = $cookie_contents[intval($real_pass_cookie)];
            if (get_magic_quotes_gpc()) {
                $the_pass = addslashes($the_pass);
            }
            $_COOKIE[get_pass_cookie()] = $the_pass;
        }
    }

    // Common path: both the member and the pass cookie must be present.
    if (array_key_exists(get_member_cookie(), $_COOKIE) && array_key_exists(get_pass_cookie(), $_COOKIE)) {
        $store = $_COOKIE[get_member_cookie()];
        $pass = $_COOKIE[get_pass_cookie()];
        if (get_magic_quotes_gpc()) {
            $store = stripslashes($store);
            $pass = stripslashes($pass);
        }
        // The member cookie holds either a username or a numeric id, depending on the driver.
        if ($GLOBALS['FORUM_DRIVER']->is_cookie_login_name()) {
            $username = $store;
            $store = strval($GLOBALS['FORUM_DRIVER']->get_member_from_username($store));
        } else {
            $username = $GLOBALS['FORUM_DRIVER']->get_username(intval($store));
        }
        $member = intval($store);
        if (!is_guest($member)) {
            // The pass cookie carries a credential; it is verified by the driver either
            // as a stored hash or, for drivers without hashing, via the MD5 variant.
            if ($GLOBALS['FORUM_DRIVER']->is_hashed()) {
                // Test password hash
                $login_array = $GLOBALS['FORUM_DRIVER']->forum_authorise_login(NULL, $member, $pass, $pass, true);
                $member = $login_array['id'];
            } else {
                // Test password plain
                $login_array = $GLOBALS['FORUM_DRIVER']->forum_authorise_login(NULL, $member, apply_forum_driver_md5_variant($pass, $username), $pass, true);
                $member = $login_array['id'];
            }
            // A NULL id from the driver means the credential was rejected: no session.
            if (!is_null($member)) {
                global $IS_A_COOKIE_LOGIN;
                $IS_A_COOKIE_LOGIN = true;
                // Third argument: invisible-mode flag taken from the companion "_invisible" cookie.
                create_session($member, 0, isset($_COOKIE[get_member_cookie() . '_invisible']) && $_COOKIE[get_member_cookie() . '_invisible'] == '1');
            }
        }
    }
    return $member;
}
</style>
</head>
<body>
<div class="container">
<?php
// Admin gate: a request that already carries session "login" with "yetki" == 1
// gets the navigation; otherwise a posted form is checked and a session created.
if (session("login") && session("yetki") == 1) {
    require_once "nav.php";
} else {
    if ($_POST) {
        $username = post("username");
        // NOTE(review): the password is compared as a bare, unsalted md5 digest —
        // checkLogin() must store the same; password_hash()/password_verify() is the modern form.
        $password = md5(post("password"));
        if (checkLogin($username, $password)) {
            $session = array("login" => true, "yetki" => 1);
            create_session($session);
            echo '<div class="alert alert-success" role="alert">Login success...</div>';
            // go() presumably redirects, so the success alert above may never be seen — verify.
            go(ADMIN_URL);
        } else {
            // Generic message: does not reveal whether the username exists.
            echo '<div class="alert alert-danger" role="alert">Wrong username or password!</div>';
        }
    }
?>
<div class="row" style="padding-top: 15%;">
<!-- Login -->
<div class="col-md-8"> </div>
<div class="col-md-4 col-md-offset-4">
<div class="panel panel-default">
<div class="panel-heading">
<h4>Management Login</h4>
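/**
 * Gate a page behind a session: returns the session object when the caller
 * holds a valid one, otherwise tries the supplied login/password, and as a
 * last resort renders the login form.
 *
 * @param string $nom_script  Script name handed to LoginForm() as the form target.
 * @param array  $infos_login Submitted credentials ('visitor_login', 'visitor_pwd'), if any.
 * @param mixed  $id_session  Session identifier presented by the client.
 * @param mixed  $bd          Database handle forwarded to the session helpers.
 * @return object|null The session object on success; null after the form was shown.
 */
function control_access($nom_script, $infos_login, $id_session, $bd)
{
    // Case 1: the session exists -- check whether it is still valid.
    $session_courante = get_session($id_session, $bd);
    if (is_object($session_courante)) {
        if (is_valid_session($session_courante, $bd)) {
            return $session_courante;
        }
        echo "<B> Your session is not (or no longer) valid.<P></B>\n";
    }

    // Case 2.a: no (valid) session, but a login and password were supplied.
    // Fix: the original joined the two isset() checks with the bitwise '&'; the
    // result happened to be the same for booleans, but '&&' is the intended test.
    if (isset($infos_login['visitor_login'], $infos_login['visitor_pwd'])) {
        if (create_session($bd, $infos_login['visitor_login'], $infos_login['visitor_pwd'], $id_session)) {
            return get_session($id_session, $bd);
        }
        // Generic failure message: does not reveal which of login/password was wrong.
        echo "<B> Identification failed.<P></B>\n";
    }

    // Case 2.b: nothing usable -- show the login form (no session is returned).
    LoginForm($nom_script);
}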
/**
 * Resolve the request's user (from an existing session, or from submitted
 * nick/pass) and report whether that user holds admin rights.
 *
 * The global $U is populated by check_session() / create_session(true); a
 * status of 7 or more is accepted. A resolved user below that status triggers
 * send_access_denied(); an unresolved request simply yields false.
 *
 * @return bool true only when $U['status'] >= 7.
 */
function valid_admin()
{
    global $U;

    // Credentials come from $_REQUEST, so they are accepted from the query
    // string and cookies as well as from the POST body.
    $has_session = isset($_REQUEST['session']);
    $has_credentials = isset($_REQUEST['nick'], $_REQUEST['pass']);
    if ($has_session) {
        check_session();
    } elseif ($has_credentials) {
        create_session(true);
    }

    if (!isset($U['status'])) {
        return false;
    }
    if ($U['status'] >= 7) {
        return true;
    }
    send_access_denied();
    return false;
}
<?php
/***********************************************
DAVE PHP API
https://github.com/evantahler/PHP-DAVE-API
Evan Tahler | 2011

Example action: view a user. When the caller proves to be that user
(correct password hash plus the extra key checked by AuthenticateUser())
the full record is returned; otherwise only basic info. Also demonstrates
the session helper functions.
***********************************************/

// $ERROR == 100 is the state in which no earlier step has failed.
if ($ERROR == 100) {
    $AuthResp = AuthenticateUser();
    // Whatever the outcome, the submitted password is masked in the response.
    $OUTPUT['LOGIN'] = "******";
    if ($AuthResp[0] === true) {
        $ReturnedUser = $AuthResp[1];
        $OUTPUT['SessionKey'] = create_session();
        // Seed the session with the login time, then overlay every user field
        // (a user field of the same name wins).
        $SessionData = array("login_time" => time());
        $userData = $ReturnedUser;
        foreach ($userData as $k => $v) {
            $SessionData[$k] = $v;
        }
        update_session($OUTPUT['SessionKey'], $SessionData);
        $OUTPUT['SESSION'] = get_session_data($OUTPUT['SessionKey']);
    } else {
        $ERROR = $AuthResp[1];
    }
}
mcrypt_module_close($mc); $debugtrace .= '<br>check2 hash'; $hash = hash_hmac($hmac_algo, session_id() . $_SESSION['expires'] . $data, $k); if ($_SESSION['expires'] < time() || $_SESSION['hash'] != $hash) { $debugdata .= '<br>>>cs2 expire=' . ($_SESSION['expires'] < time() ? 't' : 'f') . ' hash=' . ($_SESSION['hash'] != $hash ? 't' : 'f') . '(expirecomp=' . $_SESSION['expires'] . ' vs ' . time() . ' | hashcomp=' . $_SESSION['hash'] . ' vs ' . $hash . ' )'; $debugtrace .= '<br>check2 createonfail'; create_session(); } else { $debugtrace .= '<br>check2 success'; $session_data = json_decode($data, true); } } if ($session_data['ip'] != $_SERVER['REMOTE_ADDR'] || $session_data['ua'] != substr($_SERVER['HTTP_USER_AGENT'], 0, 64)) { $debugdata .= '<br>>>cs3 ip=' . ($session_data['ip'] != $_SERVER['REMOTE_ADDR'] ? 't' : 'f') . ' ua=' . ($session_data['ua'] != substr($_SERVER['HTTP_USER_AGENT'], 0, 64) ? 't' : 'f') . '(ipcomp=' . $session_data['ip'] . ' vs ' . $_SERVER['REMOTE_ADDR'] . ' | uacomp=' . $session_data['ua'] . ' vs ' . substr($_SERVER['HTTP_USER_AGENT'], 0, 64) . ' )'; $debugtrace .= '<br>check3 createonfail'; create_session(); } else { $debugtrace .= '<br>check3 success'; save_session(); } if (strlen($debugdata) > 0) { $debugdata = '>>>Session Debug Start<<<<br><br>sessionname=' . $session_name . '<br>lifetime=' . $lifetime . '<br>path=' . $path . '<br>domain=' . $domain . '<br>secure=' . ($secure ? 't' : 'f') . '<br>httponly=' . ($httponly ? 't' : 'f') . '<br>hmacalgo=' . $hmac_algo . '<br>expire=' . $expire_time . '<br>sk=' . $sk . '<br>loginurl=' . $login_uri . '<br>uri=' . full_url($_SERVER) . '<br>sid=' . session_id() . '<br><br><pre>session=' . print_r($_SESSION, true) . '</pre><br><br><pre>sessiondata=' . print_r($session_data, true) . '</pre><br>' . 
$debugdata; } $debugtrace .= '<br>>>>TRACE END<<<'; if (!isset($session_data['loggedin'])) { $debugdata .= '<br>>>notloggedin'; $session_data['loggedin'] = false; } if ($session_data['loggedin'] == false && substr($_SERVER['REQUEST_URI'], 0, strlen($login_uri)) != $login_uri) { $debugdata .= '<br>>>redirect (uricomp=' . substr($_SERVER['REQUEST_URI'], 0, strlen($login_uri)) . ' vs ' . $login_uri . ')'; if ($session_debug === true) {
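/**
 * Log a user in, reusing an existing session when one is presented.
 *
 * @param string|null $username    Login name; taken from $_POST['username'] when null.
 * @param string|null $password    Password; taken from $_POST['password'] when null.
 * @param bool        $force_login When true, any existing session is destroyed and
 *                                 the credentials are checked again.
 * @return int The login id (> 0) on success; -1 when the account is locked out;
 *             -2 when authentication fails.
 */
function do_login($username = NULL, $password = NULL, $force_login = FALSE)
{
    global $auth_settings;

    destroy_expired_sessions();

    // The cookie is absent on a first visit; read it without raising a notice.
    $cookie_name = $auth_settings['cookie_name'];
    $session_key = isset($_COOKIE[$cookie_name]) ? $_COOKIE[$cookie_name] : NULL;

    if (!$force_login) {
        // Reuse an existing session rather than re-authenticating.
        $login_id = session_key_to_login_id($session_key);
        if ($login_id !== FALSE) {
            return $login_id;
        }
    } else {
        // Destroy any prior session on a forced login
        destroy_session($session_key);
    }

    // Fix: the original trimmed $username before the null check, so trim(NULL)
    // became '' and the $_POST fallback could never run.
    if (is_null($username)) {
        $username = isset($_POST['username']) ? $_POST['username'] : NULL;
    }
    if (is_null($password)) {
        $password = isset($_POST['password']) ? $_POST['password'] : NULL;
    }
    $username = trim((string) $username);

    // Don't allow logins for locked out accounts
    $lo = check_lockout($username);
    if ($lo != 0) {
        auth_lockout(NULL, NULL, $username);
        return -1;
    }

    // Authenticate credentials and take lockout actions as required
    $login_id = authenticate_user($username, $password);
    if ($login_id > 0) {
        create_session(NULL, $login_id);
        return $login_id;
    }

    destroy_session($session_key);
    // -1: good user name, bad password -> count against that account.
    if ($login_id == -1) {
        auth_lockout(NULL, NULL, $username);
    }
    // -2: bad user name -> generic lockout bookkeeping.
    if ($login_id == -2) {
        auth_lockout();
    }
    return -2;
}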