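/**
 * Validate the session cookies of the current request and refresh the session.
 *
 * Inputs come from the globals $session_id and $login_id (filled from cookies
 * by the caller) and from $_COOKIE['session_id'] directly. On success the
 * matching user_accounts row is left in $p_user and the session expiry is
 * pushed SESSION_TIME_LIMIT seconds ahead; for the admin account (login_id 1)
 * the session lives on the se_games row, which is loaded into $game_info and
 * whose db_name is stored in $db_name. A missing, unknown, expired or
 * mismatched session (or a changed user-agent hash) clears the cookies, logs
 * a history entry, redirects to URL_PREFIX and exits.
 *
 * Side effects: db()/dbr()/dbn() queries, set-cookie headers, HTML output,
 * exit. Requires PHP >= 5.6 for hash_equals().
 */
function check_auth() {
    // $st holds the localised history strings; it was missing from the
    // original global list, so the "session expired" entry was logged with a
    // null message.
    global $session_id, $login_id, $db_name, $p_user, $game_info, $st;

    // All three values below come from cookies and are attacker-controlled:
    // login_id is only meaningful as an integer, and both session ids are
    // escaped before they are interpolated into SQL.
    $lid = (int) $login_id;
    $sid = (string) $session_id;
    $sid_sql = mysql_escape_string($sid);
    $cookie_sid_sql = mysql_escape_string(isset($_COOKIE['session_id']) ? (string) $_COOKIE['session_id'] : '');

    // Fetch the account for this login_id/session_id pair. The admin account
    // is matched on login_id alone because its session is kept in se_games.
    db("select * from user_accounts where (login_id = '{$lid}' && session_id = '{$cookie_sid_sql}') || (login_id = 1 && '{$lid}' = 1)");
    $p_user = dbr(1);

    if ($lid === 1) {
        // Admin: session id, expiry, user agent and game db come from the
        // game row that owns this session id.
        db("select * from se_games where session_id = '{$sid_sql}'");
        $game_info = dbr(1);
        $p_user['session_id']  = isset($game_info['session_id']) ? $game_info['session_id'] : null;
        $p_user['session_exp'] = isset($game_info['session_exp']) ? $game_info['session_exp'] : null;
        $p_user['user_agent']  = isset($game_info['user_agent']) ? $game_info['user_agent'] : null;
        $db_name = isset($game_info['db_name']) ? $game_info['db_name'] : null;
    }

    $now = time();
    $next_exp = $now + SESSION_TIME_LIMIT;
    $agent_hash = (string) hash_user_agent();

    $stored_sid = isset($p_user['session_id']) ? (string) $p_user['session_id'] : '';
    $stored_exp = isset($p_user['session_exp']) ? (int) $p_user['session_exp'] : 0;
    $stored_ua  = isset($p_user['user_agent']) ? (string) $p_user['user_agent'] : '';

    // Strict, constant-time comparisons: the loose != used before treats
    // numeric-looking strings such as "1e3" and "1000" as equal.
    $session_ok = $sid !== ''
        && $lid !== 0
        && hash_equals($stored_sid, $sid)
        && $stored_exp >= $now
        && hash_equals($stored_ua, $agent_hash);

    if (!$session_ok) {
        // Session expired or invalid: tear it down and bounce to the front page.
        setcookie("p_pass", "", 0);
        setcookie("session_id", 0, 0);
        setcookie("login_id", 0, 0);
        flush();
        if ($lid !== 0) {
            insert_history($lid, $st[1147]);
        }
        echo "<script>self.location='" . URL_PREFIX . "/';</script>";
        exit;
    }

    if ($lid !== 1) {
        // Regular player: refresh the auto-login cookie, then make sure a
        // player who is not inside a game only sees the game listing (plus
        // the few pages that work without a game db).
        setAutoLoginCookie($p_user['login_id'], $p_user['login_name'], $p_user['mdp']);

        $self = isset($_SERVER['PHP_SELF']) ? (string) $_SERVER['PHP_SELF'] : '';
        $on_logout = strstr($self, 'logout.php') !== false;
        $exempt_page = strstr($self, 'game_listing.php') !== false
            || strstr($self, 'ajax.php') !== false
            || strstr($self, 'user_extra.php') !== false;
        // logout.php is only exempt for a plain "logout to game listing":
        // logout_game_listing set, neither comp_logout nor logout_single_game.
        $logout_needs_listing = $on_logout
            && (!isset($_GET['logout_game_listing']) || isset($_GET['comp_logout']) || isset($_GET['logout_single_game']));

        if ($p_user['in_game'] == "" && !$exempt_page && (!$on_logout || $logout_needs_listing)) {
            echo "<script>self.location='game_listing.php';</script>";
            exit;
        }

        dbn("update user_accounts set session_exp = '{$next_exp}', page_views = page_views + 1 where login_id = '{$lid}'");
        $p_user['page_views']++;
        $p_user['session_exp'] = $next_exp;
        $db_name = $p_user['in_game'];
        return;
    }

    // Admin: the session expiry lives on the game row.
    setAutoLoginCookie($p_user['login_id'], $p_user['login_name'], $p_user['mdp']);
    $db_name_sql = mysql_escape_string((string) $db_name);
    dbn("update se_games set session_exp = '{$next_exp}' where db_name = '{$db_name_sql}'");
    $p_user['session_exp'] = $next_exp;
}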
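/**
 * Log a player (or the game admin) in and start a server session.
 *
 * @param string $pseudo        login name; falls back to $_POST['pseudo']
 * @param string $mdp           clear-text password; falls back to $_POST['mdp'],
 *                              or to the md5 already in $_POST['enc_pass'] on
 *                              the authorisation-code round trip
 * @param int    $bpUserId      non-zero for BigPoint partner logins: password
 *                              and authorisation-code checks are skipped
 * @param bool   $returnSession true to return the new session id instead of
 *                              recording last_login/login_count/history and
 *                              showing the first-login story
 * @param int    $fbUserId      non-zero for Facebook logins: password check skipped
 * @return string|void the session id when $returnSession is true
 *
 * Globals written: $p_user (the user_accounts row) and, for the admin, $db_name.
 * Every failure path prints a page and exits, so only a fully authenticated
 * request reaches the session-creating code at the bottom (the explicit exits
 * are no-ops if print_header()/print_footer() already terminate the script).
 * Requires PHP >= 5.6 for hash_equals().
 */
function login_to_server($pseudo = '', $mdp = '', $bpUserId = 0, $returnSession = false, $fbUserId = 0) {
    global $p_user, $db_name, $directories, $st, $cw;

    // Keep three forms of the login name: raw, SQL-escaped and HTML-escaped.
    // The SQL-escaped form must never be echoed (backslashes leak into the
    // page) and the raw form must never reach a query. ISO-8859-1 mode makes
    // htmlspecialchars() work byte-wise, which is safe for both Latin-1 and
    // UTF-8 pages because only ASCII metacharacters are replaced.
    $raw_login_name = $pseudo ? (string) $pseudo : (isset($_POST['pseudo']) ? (string) $_POST['pseudo'] : '');
    $login_name = mysql_escape_string($raw_login_name);
    $html_login_name = htmlspecialchars($raw_login_name, ENT_QUOTES, 'ISO-8859-1');
    $agent_hash = (string) hash_user_agent();
    $agent_hash_sql = mysql_escape_string($agent_hash);

    /********************** Admin Login *******************/
    if ($login_name == "Admin") {
        // NOTE(review): se_games.admin_pw is stored in clear and compared by
        // the database (so subject to the column collation). Hashing it needs
        // a schema change and is out of scope for this function.
        $password = isset($_POST['mdp']) ? (string) $_POST['mdp'] : '';
        $games_info = null;
        if ($password !== '') {
            // An empty password must never match a game whose admin_pw is unset.
            $password_sql = mysql_escape_string($password);
            db("select * from se_games where admin_pw = '{$password_sql}'");
            $games_info = dbr(1);
        }
        if (empty($games_info)) {
            insert_history(1, "Bad login Attempt");
            sleep(3); // crude throttle against password guessing, kept as-is
            exit("Login Failed. Do no pass go, do not collect your new Harvestor Mammoth.");
        }

        // Admin successfully logged into a game.
        $db_name = $games_info['db_name'];
        $session = create_rand_string(32);
        setcookie("login_id", 1, 0);
        setcookie("login_name", "Admin", time() + 2592000);
        // HttpOnly keeps the session secret out of reach of page scripts.
        setcookie("session_id", $session, 0, '', '', false, true);
        flush(); // send the cookies immediately
        $expire = time() + SESSION_TIME_LIMIT;
        $session_sql = mysql_escape_string($session);
        $db_name_sql = mysql_escape_string((string) $db_name);
        insert_history(1, "Successfully logged into {$db_name}");
        dbn("update {$db_name}_users set game_login_count = game_login_count + 1 where login_id = '1'");
        dbn("update se_games set session_id = '{$session_sql}', session_exp = '{$expire}', user_agent = '{$agent_hash_sql}' where db_name = '{$db_name_sql}'");
        echo "<script>self.location='location.php';</script> <noscript>You cannot login without JavaScript. Please enable Javascript, or use a browser that supports it.</noscript>";
        exit;
    } elseif (preg_match('/^admin$/i', $login_name)) {
        // Any other spelling of "admin" is refused outright.
        sleep(5);
        exit("Sod off - you can't even spell 'admin' properly can you?");
    }

    /*************************User Login************************/
    db("select * from user_accounts where login_name = '{$login_name}'");
    $p_user = dbr(1);

    // NOTE(review): stored passwords are unsalted md5; moving to
    // password_hash()/password_verify() needs a column migration.
    if (!isset($_POST['enc_pass']) || $mdp) {
        // Password typed into the login form (or passed in by a connector).
        $plain_pw = $mdp ? (string) $mdp : (isset($_POST['mdp']) ? (string) $_POST['mdp'] : '');
        $enc_pass = md5($plain_pw);
        $pre_enc_pass = 0;
    } else {
        // md5 carried over in a hidden field from the authorisation-code form;
        // pre_enc_pass forces the code check below. No clear-text password is
        // available (or trusted) on this round trip.
        $plain_pw = '';
        $enc_pass = (string) $_POST['enc_pass'];
        $pre_enc_pass = 1;
    }
    $html_enc_pass = htmlspecialchars($enc_pass, ENT_QUOTES, 'ISO-8859-1');
    $stored_hash = isset($p_user['passwd']) ? (string) $p_user['passwd'] : '';

    if (empty($p_user)) {
        // Unknown login name.
        print_header($cw['login_problem']);
        echo "<blockquote>" . sprintf($st[1816], $html_login_name) . "<br />\r\n\t\t" . $st[1817] . "<p />\r\n\t\t<p /> <a href='inscription.php'>\r\n\t\t" . $cw['sign_up2'] . "</a> <p /> <a href=\"" . URL_PREFIX . "/index.php\">" . $st[1818] . "</a></b></blockquote>";
        print_footer();
        exit; // never fall through to the session code below
    }

    if (!$bpUserId && !$fbUserId && !hash_equals($stored_hash, $enc_pass)) {
        // Wrong password. hash_equals() is strict and constant-time; the loose
        // != used before treated md5 values of the form "0e<digits>" as equal,
        // and enc_pass is request-controlled.
        print_header($cw['bad_passwd']);
        echo "<blockquote><b>" . $st[1819] . "<br />" . $st[1820] . "\r\n\t\t<p /><a href=\"javascript:history.back()\">" . $st[1818] . "</a></b><p />" . $st[789] . " ? <a href=change_pass.php?stage_one=1>" . $cw['click_here'] . "</a></blockquote><p />";
        insert_history($p_user['login_id'], $cw['bad_login']);
        print_footer();
        exit; // never fall through to the session code below
    }

    if ($p_user['bp_user_id'] && !$bpUserId) {
        // BigPoint account trying the classic login form.
        print_header("Problème de connexion");
        echo "<blockquote><b>Erreur</b><br /><br />Il semble que vous vous soyez inscrit via notre partenaire <a href='http://www.bigpoint.com/' target='_blank'>BigPoint</a>, veuillez utiliser <a href='http://fr.bigpoint.com/games/astravires/' target='_blank'>la fiche jeu Astra Vires</a> sur son portail pour vous connecter.</blockquote><p />";
        insert_history($p_user['login_id'], 'Joueur BP connexion classique');
        print_footer();
        exit; // never fall through to the session code below
    }

    if ($pre_enc_pass == 1 || $p_user['auth'] != 0 || $bpUserId) {
        // Valid name/password, but an authorisation code (mailed to the user)
        // is pending, or the password came back from the code form and the
        // code must be checked before a session is issued.
        $auth_pending = $p_user['auth'] != 0;
        $stored_code = isset($p_user['auth']) ? (string) $p_user['auth'] : '';
        $posted_code = isset($_POST['auth_code']) ? (string) $_POST['auth_code'] : '';
        $code_matches = hash_equals($stored_code, $posted_code);

        if (!$bpUserId && (empty($_POST['auth_code']) || ($auth_pending && !$code_matches))) {
            print_header("Authorisation Code Required");
            if (empty($_POST['auth_code'])) {
                echo "Please enter the Authorisation Code that was sent to your email address:<br /><br />";
            } else {
                echo "Authorisation Code did not match.<br />";
            }
            // Every reflected value is HTML-escaped: enc_pass and PHP_SELF are
            // request-controlled.
            // NOTE(review): the caller must feed l_name back as pseudo on the
            // next request - this function only reads $_POST['pseudo']; confirm.
            $self = htmlspecialchars(isset($_SERVER['PHP_SELF']) ? (string) $_SERVER['PHP_SELF'] : '', ENT_QUOTES, 'ISO-8859-1');
            echo "<form name=get_var_form action='{$self}' method=POST>";
            echo "<input type=hidden name=l_name value='{$html_login_name}'><input type=hidden name=enc_pass value='{$html_enc_pass}'>";
            echo "<input type=text name=auth_code value='' size=20> - ";
            echo "<input type=submit value=Submit></form>";
            print_footer();
            exit; // the code MUST be entered before a session is issued
        } elseif ($bpUserId || $code_matches) {
            $uid_sql = (int) $p_user['login_id'];
            dbn("update user_accounts set auth = '0' where login_id = '{$uid_sql}'");
        } else {
            print_page("hmm", "Something Broke");
            exit; // never fall through to the session code below
        }
    }

    /***************** User successfully logged in ***********************/
    if ($p_user['mdp']) {
        setAutoLoginCookie($p_user['login_id'], $p_user['login_name'], $p_user['mdp']);
    }
    $uid = (int) $p_user['login_id'];
    $session = create_rand_string(32);
    $session_sql = mysql_escape_string($session);
    setcookie("login_id", $p_user['login_id'], time() + 2592000);
    setcookie("login_name", $p_user['login_name'], time() + 2592000);
    // HttpOnly keeps the session secret out of reach of page scripts.
    setcookie("session_id", $session, 0, '', '', false, true);
    $expire = time() + SESSION_TIME_LIMIT;

    if (!$returnSession) {
        $ip_sql = mysql_escape_string(isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '');
        // NOTE(review): the last_login value was redacted in the listing this
        // was reviewed from; a Unix timestamp is assumed because the
        // first-login check below compares last_login with 0 - confirm.
        $now = time();
        dbn("update user_accounts set last_login = '{$now}', session_id = '{$session_sql}', session_exp = '{$expire}', last_ip = '{$ip_sql}', login_count = login_count + 1, user_agent = '{$agent_hash_sql}' where login_id = '{$uid}'");
        insert_history($p_user['login_id'], "Logged Into GameList");
    } else {
        dbn("update user_accounts set session_id = '{$session_sql}', session_exp = '{$expire}' where login_id = '{$uid}'");
    }

    // NOTE(review): the clear-text password is persisted in user_accounts.mdp
    // ("to delete the encrypted one in the future" per the original comment)
    // and read back by setAutoLoginCookie()/check_auth(), so a database leak
    // exposes every password. Replacing it with a random auto-login token is
    // strongly recommended but changes the cookie/schema contract; here it is
    // only hardened: written only when a password was actually presented and
    // verified on this request, and always escaped. The unescaped
    // $_POST['mdp'] used before was a SQL injection into an UPDATE, and the
    // round trip through the code form wiped mdp to ''.
    if ($plain_pw !== '' && !$bpUserId && !$fbUserId) {
        $plain_pw_sql = mysql_escape_string($plain_pw);
        dbn("update user_accounts set mdp = '{$plain_pw_sql}' where login_id = '{$uid}'");
    }

    if ($p_user['last_login'] == 0 && !$returnSession) {
        // First login: show the introduction story.
        print_header("Histoire");
        $results = load_xml("{$directories['includes']}/stories.xml");
        $story = $results['story']['Histoire'];
        echo "<a href='game_listing.php'>Continuer</a><br /><br />";
        echo "\n<a name=top><center><b>{$story['title']}</b></center></a><br>{$story['content']} <p />Ecrit par <b class=b1>{$story['author']}</b>";
        echo "<br /><br /><a href='game_listing.php'>Continuer</a>";
        print_footer();
    }

    if ($returnSession) {
        return $session;
    }
}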