コード例 #1
ファイル: login.php プロジェクト: wrtcoder/mini_isp
// Admin login handler (excerpt; the listing is cut off inside the 'process' case,
// so the failure branches and the closing braces are not visible here).
// Read the requested action from the query string; default to '' when absent.
// NOTE(review): $HTTP_GET_VARS / $HTTP_POST_VARS are the legacy long-array names
// (removed from PHP itself in 5.4), so they are presumably populated by the
// application bootstrap - confirm.
$action = isset($HTTP_GET_VARS['action']) ? $HTTP_GET_VARS['action'] : '';
// prepare to logout an active administrator if the login page is accessed again
// (this overrides whatever action the request asked for)
if (tep_session_is_registered('admin')) {
    $action = 'logoff';
}
if (tep_not_null($action)) {
    switch ($action) {
        case 'process':
            // Credentials come from the session-registered $redirect_origin when it
            // carries 'auth_user', otherwise from the POSTed login form.
            // NOTE(review): only 'auth_user' is checked with isset(); 'auth_pw' is read
            // unconditionally, and it implies a cleartext password is held in session data.
            // tep_db_prepare_input() is defined outside this excerpt; presumably it
            // normalises the raw value - it should not be relied on as SQL escaping.
            if (tep_session_is_registered('redirect_origin') && isset($redirect_origin['auth_user'])) {
                $username = tep_db_prepare_input($redirect_origin['auth_user']);
                $password = tep_db_prepare_input($redirect_origin['auth_pw']);
            } else {
                $username = tep_db_prepare_input($HTTP_POST_VARS['username']);
                $password = tep_db_prepare_input($HTTP_POST_VARS['password']);
            }
            // The action recorder is keyed on the submitted username; the database lookup
            // below only runs when canPerform() allows it (presumably login throttling -
            // the class is defined elsewhere).
            $actionRecorder = new actionRecorderAdmin('ar_admin_login', null, $username);
            if ($actionRecorder->canPerform()) {
                // NOTE(review): the statement is assembled by string concatenation, so its
                // safety rests entirely on tep_db_input() escaping correctly for the active
                // connection and charset; a bound parameter would remove that dependency.
                $check_query = tep_db_query("select id, user_name, user_password from " . TABLE_ADMINISTRATORS . " where user_name = '" . tep_db_input($username) . "'");
                // Continue only when exactly one administrator row matches the user name.
                if (tep_db_num_rows($check_query) == 1) {
                    $check = tep_db_fetch_array($check_query);
                    // Verify the submitted password against the stored value.
                    if (tep_validate_password($password, $check['user_password'])) {
                        // migrate old hashed password to new phpass password
                        // NOTE(review): the literal '******' looks like masking applied by the
                        // listing, not the project's real expression - confirm against the
                        // project source. Taken literally, this UPDATE would overwrite the stored
                        // hash with a fixed six-character string instead of a fresh phpass hash.
                        // The id is cast to int before it is concatenated into the statement.
                        if (tep_password_type($check['user_password']) != 'phpass') {
                            tep_db_query("update " . TABLE_ADMINISTRATORS . " set user_password = '******' where id = '" . (int) $check['id'] . "'");
                        }
                        // Mark the session as authenticated and store the admin identity.
                        // NOTE(review): no session-id regeneration is visible in this excerpt;
                        // confirm it happens elsewhere, otherwise a pre-login session id stays
                        // valid after authentication (session fixation).
                        tep_session_register('admin');
                        $admin = array('id' => $check['id'], 'username' => $check['user_name']);
                        // Attach the authenticated id to the recorder entry, then log the attempt.
                        $actionRecorder->_user_id = $admin['id'];
                        $actionRecorder->record();
                        // A post-login target is taken from the session-registered redirect data.
                        // NOTE(review): how $page is used lies outside this excerpt; confirm it is
                        // restricted to known admin pages before it is used in a redirect.
                        if (tep_session_is_registered('redirect_origin')) {
                            $page = $redirect_origin['page'];
コード例 #2
ファイル: login.php プロジェクト: bamper/xos_shop_system
<?php

// Admin login handler (excerpt; the listing is cut off inside the success branch).
// Runs only for ?action=process. Because && binds tighter than ||, the parenthesised
// part reads: (cookies are forced AND a session cookie was sent) OR cookies are not forced.
if (isset($_GET['action']) && $_GET['action'] == 'process' && (SESSION_FORCE_COOKIE_USE == 'true' && isset($_COOKIE[session_name()]) || SESSION_FORCE_COOKIE_USE == 'false')) {
    // NOTE(review): both POST fields are read without an isset() check, so a request
    // that omits them reaches xos_db_prepare_input() with an undefined index.
    // xos_db_prepare_input() is defined outside this excerpt; it should not be relied on
    // as SQL escaping.
    $email_address = xos_db_prepare_input($_POST['email_address']);
    $password = xos_db_prepare_input($_POST['password']);
    // action recorder
    // (keyed on the submitted e-mail address; presumably login throttling/auditing -
    // the class is loaded from action_recorder.php and is not shown here)
    require DIR_WS_CLASSES . 'action_recorder.php';
    $actionRecorder = new actionRecorderAdmin('ar_admin_login', null, $email_address);
    // NOTE(review): the `|| !check()` arm lets the login proceed whenever check() is
    // falsy, even if canPerform() returned false. check() is not visible here; confirm
    // this arm cannot be used to sidestep the attempt limit.
    if ($actionRecorder->canPerform() || !$actionRecorder->check()) {
        // Check if email exists
        // NOTE(review): the statement is assembled by string concatenation, so its safety
        // rests entirely on xos_db_input() escaping correctly for the active connection and
        // charset; a bound parameter would remove that dependency.
        $check_admin_query = xos_db_query("select admin_id as login_id, admin_groups_id as login_groups_id, admin_firstname as login_firstname, admin_email_address as login_email_address, admin_password as login_password, admin_modified as login_modified, admin_logdate as login_logdate, admin_lognum as login_lognum from " . TABLE_ADMIN . " where admin_email_address = '" . xos_db_input($email_address) . "'");
        if (!xos_db_num_rows($check_admin_query)) {
            // Unknown address: same error code as a wrong password below, so the response
            // does not reveal which of the two was incorrect. The failure is recorded.
            $login_error = 'incorrect_values';
            $actionRecorder->record(false);
        } else {
            // Only the first fetched row is used; the row count is not required to be exactly one.
            $check_admin = xos_db_fetch_array($check_admin_query);
            // Check that password is good
            if (!xos_validate_password($password, $check_admin['login_password'])) {
                $login_error = 'incorrect_values';
                $actionRecorder->record(false);
            } else {
                // migrate old hashed password to new phpass password
                // NOTE(review): the literal '******' looks like masking applied by the listing,
                // not the project's real expression - confirm against the project source. Taken
                // literally, this UPDATE would overwrite the stored hash with a fixed
                // six-character string instead of a fresh phpass hash.
                // The id is cast to int before it is concatenated into the statement.
                if (xos_password_type($check_admin['login_password']) != 'phpass') {
                    xos_db_query("update " . TABLE_ADMIN . " set admin_password = '******' where admin_id = '" . (int) $check_admin['login_id'] . "'");
                }
                // A successful login clears any pending password-reset marker in the session.
                if (isset($_SESSION['password_forgotten'])) {
                    unset($_SESSION['password_forgotten']);
                }
                // Copy selected columns of the matched row into local variables; how they
                // are used (and whether the session id is regenerated) lies outside this excerpt.
                $login_email_address = $check_admin['login_email_address'];
                $login_logdate = $check_admin['login_logdate'];
                $login_lognum = $check_admin['login_lognum'];