} } if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) { //update last login. db_query('UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() WHERE staff_id=' . db_input($user->getId())); //Figure out where the user is headed - destination! $dest = $_SESSION['_staff']['auth']['dest']; //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['daylight'] = $user->observeDaylight(); Sys::log(LOG_DEBUG, 'Inicio de sesión de Staff', sprintf("%s Identificado como [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug. //Redirect to the original destination. (make sure it is not redirecting to login page.) $dest = $dest && (!strstr($dest, 'login.php') && !strstr($dest, 'ajax.php')) ? $dest : 'index.php'; session_write_close(); session_regenerate_id(); @header("Location: {$dest}"); require_once 'index.php'; //Just incase header is messed up. exit; } //If we get to this point we know the login failed. $_SESSION['_staff']['strikes'] += 1; if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) { $msg = 'Acceso Denegado'; $errors['err'] = '¿Olvidaste tus datos de conexión?. Contacta con el Administrador';
function login($username, $passwd, &$errors, $strike = true) { global $ost, $cfg; if ($_SESSION['_staff']['laststrike']) { if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) { $errors['err'] = 'You\'ve reached maximum failed login attempts allowed.'; } else { //Timeout is over. //Reset the counter for next round of attempts after the timeout. $_SESSION['_staff']['laststrike'] = null; $_SESSION['_staff']['strikes'] = 0; } } if (!$errors && ($user = new StaffSession($username)) && $user->getId() && $user->check_passwd($passwd)) { //update last login && password reset stuff. $sql = 'UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() '; if ($user->isPasswdResetDue() && !$user->isAdmin()) { $sql .= ',change_passwd=1'; } $sql .= ' WHERE staff_id=' . db_input($user->getId()); db_query($sql); //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $username; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['TZ_DST'] = $user->observeDaylight(); $ost->logDebug('Staff login', sprintf("%s logged in [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug. $sid = session_id(); //Current ID session_regenerate_id(TRUE); //Destroy old session ID - needed for PHP version < 5.1.0 TODO: remove when we move to php 5.3 as min. requirement. if (($session = $ost->getSession()) && is_object($session) && $sid) { $session->destroy($sid); } session_write_close(); return $user; } //If we get to this point we know the login failed. $_SESSION['_staff']['strikes'] += 1; if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) { $errors['err'] = 'Forgot your login info? Contact Admin.'; $_SESSION['_staff']['laststrike'] = time(); $alert = 'Excessive login attempts by a staff member?' . "\n" . 'Username: '******'username'] . "\n" . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n" . 'Attempts #' . $_SESSION['_staff']['strikes'] . "\n" . 'Timeout: ' . $cfg->getStaffLoginTimeout() / 60 . " minutes \n\n"; $ost->logWarning('Excessive login attempts (' . $_POST['username'] . ')', $alert, $cfg->alertONLoginError()); } elseif ($_SESSION['_staff']['strikes'] % 2 == 0) { //Log every other failed login attempt as a warning. $alert = 'Username: '******'username'] . "\n" . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n" . 'Attempts #' . $_SESSION['_staff']['strikes']; $ost->logWarning('Failed staff login attempt (' . $_POST['username'] . ')', $alert, false); } return false; }
} } if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) { //update last login. db_query('UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() WHERE staff_id=' . db_input($user->getId())); //Figure out where the user is headed - destination! $dest = $_SESSION['_staff']['auth']['dest']; //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['daylight'] = $user->observeDaylight(); Sys::log(LOG_DEBUG, 'Staff login', sprintf("%s logged in [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug. //Redirect to the original destination. (make sure it is not redirecting to login page.) $dest = $dest && (!strstr($dest, 'login.php') && !strstr($dest, 'ajax.php')) ? $dest : 'index.php'; session_write_close(); session_regenerate_id(); @header("Location: {$dest}"); require_once 'index.php'; //Just incase header is messed up. exit; } //If we get to this point we know the login failed. $_SESSION['_staff']['strikes'] += 1; if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) { $msg = 'Acesso Negado'; $errors['err'] = 'Esqueceu seu login? Entre em contato com Departamento de TI';
} } if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) { //update last login. $user->update_lastlogin($user->getId()); //Figure out where the user is headed - destination! $dest = $_SESSION['_staff']['auth']['dest']; //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['daylight'] = $user->observeDaylight(); Sys::log(LOG_DEBUG, 'Staff login', sprintf('%s ' . _('logged in'), $user->getUserName()), $user->getUserName()); //Debug //Redirect to the original destination. (make sure it is not redirecting to login page.) $dest = $dest && (!strstr($dest, 'login.php') && !strstr($dest, 'ajax.php')) ? $dest : 'index.php'; session_write_close(); session_regenerate_id(); @header("Location: {$dest}"); require_once 'index.php'; //Just incase header is messed up. exit; } //If we get to this point we know the login failed. $_SESSION['_staff']['strikes'] += 1; if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) { $msg = _('Access Denied'); $errors['err'] = _('Forgot your login info? Contact IT Dept.');