예제 #1
}
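/* Some more include defines specific to client only */
define('CLIENTINC_DIR', INCLUDE_DIR . 'client/');
define('OSTCLIENTINC', TRUE);

// Check the status of the HelpDesk: without a usable config object, or when
// the desk has been switched off, hand the request to the offline page and stop.
if (!is_object($cfg) || !$cfg->getId() || $cfg->isHelpDeskOffline()) {
    include './offline.php';
    exit;
}

// Forced upgrade? A version mismatch between the stored config version and
// the code refuses service until the upgrader has run. die() terminates the
// script itself, so the exit that used to follow it was unreachable.
if (defined('THIS_VERSION') && strcasecmp($cfg->getVersion(), THIS_VERSION)) {
    die('System is offline for an upgrade.');
}

/* include what is needed on client stuff */
require_once INCLUDE_DIR . 'class.client.php';
require_once INCLUDE_DIR . 'class.ticket.php';
require_once INCLUDE_DIR . 'class.dept.php';

// clear some vars
$errors = array();
$msg = '';
$thisclient = null;

// Make sure the user is valid..before doing anything else.
// Both session keys must be present and non-empty; reading them without an
// isset()/empty() check raised an "undefined index" notice on every
// anonymous visit. The truthiness test itself is unchanged.
if (!empty($_SESSION['_client']['userID']) && !empty($_SESSION['_client']['key'])) {
    $thisclient = new ClientSession($_SESSION['_client']['userID'], $_SESSION['_client']['key']);
}

// Is the user logged in? Only a session that still validates is refreshed.
if ($thisclient && $thisclient->getId() && $thisclient->isValid()) {
    $thisclient->refreshSession();
}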
예제 #2
 //$_SESSION['_user']=array(); #Uncomment to disable login strikes.
 //Check time for last max failed login attempt strike.
 $loginmsg = _('Invalid login');
 if ($_SESSION['_user']['laststrike']) {
     if (time() - $_SESSION['_user']['laststrike'] < $cfg->getClientLoginTimeout()) {
         $loginmsg = _('Excessive failed login attempts');
         $errors['err'] = _('You\'ve reached maximum failed login attempts allowed. Try again later.');
     } else {
         //Timeout is over.
         //Reset the counter for next round of attempts after the timeout.
         $_SESSION['_user']['laststrike'] = null;
         $_SESSION['_user']['strikes'] = 0;
     }
 }
 // Check password
 if (!$errors && ($thisuser = new ClientSession($_POST['username'])) && $thisuser->check_passwd($_POST['passwd'])) {
     $_SESSION['_user'] = array();
     //clear.
     $_SESSION['_user']['userID'] = $thisuser->getEmail();
     //Email
     $_SESSION['_user']['key'] = $thisuser->getId();
     //Ticket ID --acts as password when used with email. See above.
     $_SESSION['_user']['token'] = $thisuser->getSessionToken();
     $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
     $_SESSION['daylight'] = $cfg->observeDaylightSaving();
     // Update last login
     $thisuser->update_lastlogin($thisuser->getId());
     //Log login info...
     $msg = sprintf("%s/%s " . _("logged in"), $thisuser->getEmail(), $thisuser->getId());
     Sys::log(LOG_DEBUG, 'Client login', $msg, $thisuser->getEmail());
     //Redirect tickets.php
예제 #3
     } else {
         //Timeout is over.
         //Reset the counter for next round of attempts after the timeout.
         $_SESSION['_client']['laststrike'] = null;
         $_SESSION['_client']['strikes'] = 0;
     }
 }
 //See if we can fetch local ticket id associated with the ID given
 if (!$errors && is_numeric($ticketID) && Validator::is_email($email) && ($tid = Ticket::getIdByExtId($ticketID))) {
     //At this point we know the ticket is valid.
     $ticket = new Ticket($tid);
     //TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??
     //Check the email given.
     if ($ticket->getId() && strcasecmp($ticket->getEMail(), $email) == 0) {
         //valid match...create session goodies for the client.
         $user = new ClientSession($email, $ticket->getId());
         $_SESSION['_client'] = array();
         //clear.
         $_SESSION['_client']['userID'] = $ticket->getEmail();
         //Email
         $_SESSION['_client']['key'] = $ticket->getExtId();
         //Ticket ID --acts as password when used with email. See above.
         $_SESSION['_client']['token'] = $user->getSessionToken();
         $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
         $_SESSION['daylight'] = $cfg->observeDaylightSaving();
         //Log login info...
         $msg = sprintf("%s/%s logged in [%s]", $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
         Sys::log(LOG_DEBUG, 'User login', $msg);
         //Redirect tickets.php
         session_write_close();
         session_regenerate_id();
예제 #4
    Client Login 

    Peter Rotich <*****@*****.**>
    Copyright (c)  2006-2012 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
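require_once 'client.inc.php';
if (!defined('INCLUDE_DIR')) {
    die('Fatal Error');
}

define('CLIENTINC_DIR', INCLUDE_DIR . 'client/');
define('OSTCLIENTINC', TRUE);

// make includes happy
require_once INCLUDE_DIR . 'class.client.php';
require_once INCLUDE_DIR . 'class.ticket.php';

// Only attempt a login when credentials were actually submitted.
// A POST carries ticket number + email from the login form; a GET is the
// auto-login link and must carry at least the ticket ('t') and email ('e'),
// the auth token ('a') being checked by tryLogin() itself. Passing
// undefined request keys straight through raised undefined-index notices,
// and with a tryLogin() that counts every non-success as a failed attempt
// (as the version elsewhere in this file does) a plain GET of this page
// incremented the client's strike counter.
if ($_POST) {
    ClientSession::tryLogin(
        isset($_POST['lticket']) ? $_POST['lticket'] : null,
        isset($_POST['lemail']) ? $_POST['lemail'] : null
    );
} elseif (isset($_GET['t'], $_GET['e'])) {
    ClientSession::tryLogin(
        $_GET['t'],
        $_GET['e'],
        isset($_GET['a']) ? $_GET['a'] : null
    );
}

$nav = new UserNav();
$nav->setActiveNav('status');

require CLIENTINC_DIR . 'header.inc.php';
require CLIENTINC_DIR . 'login.inc.php';
require CLIENTINC_DIR . 'footer.inc.php';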
예제 #5
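 /**
  * Validate a password-reset sign-on request taken from $_POST.
  *
  * Expects $_POST['userid'] (account user name) and $_POST['token'] (the
  * reset token stored under the 'pwreset' config namespace). On success the
  * account is flagged for a forced password reset and the ClientSession is
  * returned. Every failure path returns false (the original fell off the
  * end and returned null on some of them).
  *
  * NOTE(review): $errors is received by value, so the messages written into
  * it are not visible to the caller unless the signature is changed to a
  * reference — confirm how callers read them.
  *
  * @param array $errors  receives a 'msg' entry describing the failure
  * @return ClientSession|false
  */
 function signOn($errors = array())
 {
     global $ost;

     if (!isset($_POST['userid']) || !isset($_POST['token'])) {
         return false;
     }

     $_config = new Config('pwreset');
     if (!$_config) {
         return false;
     }

     $acct = ClientAccount::lookupByUsername($_POST['userid']);
     if (!$acct || !$acct->getId()
             || !($client = new ClientSession(new EndUser($acct->getUser())))) {
         $errors['msg'] = __('Invalid user-id given');
         return false;
     }

     // The token must resolve to exactly this account. Compare as strings
     // with !==: the stored value comes back from Config as a string and the
     // loose != used before would have accepted e.g. "5abc" for id 5.
     $id = $_config->get($_POST['token']);
     if (!$id || (string) $id !== (string) $client->getId()) {
         $errors['msg'] = __('Invalid reset token');
         return false;
     }

     // Enforce the reset window. The original condition was
     // `!($ts = lastModified(...)) && window < age`, which only evaluated
     // the age when NO timestamp was available — so a token that did have a
     // timestamp never expired. A missing timestamp or an age beyond the
     // window both reject the token.
     $ts = $_config->lastModified($_POST['token']);
     if (!$ts || $ost->getConfig()->getPwResetWindow() < time() - strtotime($ts)) {
         $errors['msg'] = __('Invalid reset token');
         return false;
     }

     if (!$acct->forcePasswdReset()) {
         $errors['msg'] = __('Unable to reset password');
         return false;
     }

     return $client;
 }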
예제 #6
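 /**
  * Attempt a client login with a ticket number and the email on the ticket.
  *
  * On success the client session is populated, the login is logged, the
  * session id is regenerated and the script redirects to tickets.php and
  * exits — this function does not return on success. On failure the
  * per-session strike counter is incremented, a lockout is started once it
  * passes getClientMaxLogins(), alerts are logged, and the function returns
  * normally.
  *
  * XXX: SECURITY: Max attempts is enforced client-side via the PHP session
  *      cookie; a client that drops the cookie starts with a fresh counter.
  *
  * @param string      $ticketID external ticket number
  * @param string      $email    email address to match against the ticket
  * @param string|null $auth     auth token; required when the request is a
  *                              GET (auto-login link), ignored for POST
  */
 function tryLogin($ticketID, $email, $auth = null)
 {
     global $ost;
     $cfg = $ost->getConfig();
     // $errors was never initialised before being tested with !$errors.
     $errors = array();

     // Only consider auth token for GET requests, and for GET requests,
     // REQUIRE the auth token
     $auto_login = $_SERVER['REQUEST_METHOD'] == 'GET';

     // Current strike count; the session key does not exist before the first
     // failed attempt.
     $strikes = isset($_SESSION['_client']['strikes']) ? (int) $_SESSION['_client']['strikes'] : 0;

     // Check time for last max failed login attempt strike.
     if (!empty($_SESSION['_client']['laststrike'])) {
         if (time() - $_SESSION['_client']['laststrike'] < $cfg->getClientLoginTimeout()) {
             $errors['err'] = 'You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>';
         } else {
             // Timeout is over.
             // Reset the counter for next round of attempts after the timeout.
             $_SESSION['_client']['laststrike'] = null;
             $_SESSION['_client']['strikes'] = 0;
             $strikes = 0;
         }
     }

     // See if we can fetch local ticket id associated with the ID given
     if (!$errors && is_numeric($ticketID) && Validator::is_email($email)
             && ($ticket = Ticket::lookupByExtId($ticketID))) {
         // At this point we know the ticket is valid.
         // TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??
         // Require the auth token for automatic logins (GET). The token must
         // actually be supplied: with a ticket whose token is unset, the bare
         // `$auth === getAuthToken()` matched null === null and logged the
         // client in without any token.
         // NOTE(review): `===` is not timing-safe; hash_equals() would be
         // preferable where the supported PHP version provides it.
         $tokenOk = !$auto_login || (is_string($auth) && $auth === $ticket->getAuthToken());
         // Check the email given.
         if ($tokenOk && $ticket->getId() && strcasecmp($ticket->getEmail(), $email) == 0) {
             // valid match...create session goodies for the client.
             $user = new ClientSession($email, $ticket->getId());
             $_SESSION['_client'] = array(); // clear.
             $_SESSION['_client']['userID'] = $ticket->getEmail(); // Email
             $_SESSION['_client']['key'] = $ticket->getExtId(); // Ticket ID --acts as password when used with email. See above.
             $_SESSION['_client']['token'] = $user->getSessionToken();
             $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
             $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();

             // Log login info...
             $msg = sprintf("%s/%s logged in [%s]", $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
             $ost->logDebug('User login', $msg);

             // Redirect to tickets.php. The session is written out and its id
             // regenerated first so the authenticated session is not served
             // under the pre-login id. If headers were already sent the
             // Location header is suppressed and tickets.php is rendered
             // inline instead; exit either way.
             session_write_close();
             session_regenerate_id();
             @header("Location: tickets.php?id=" . $ticket->getExtId());
             require_once 'tickets.php';
             exit;
         }
     }

     // If we get to this point we know the login failed.
     $strikes += 1;
     $_SESSION['_client']['strikes'] = $strikes;
     if (!$errors && $strikes > $cfg->getClientMaxLogins()) {
         $errors['err'] = 'Forgot your login info? Please <a href="open.php">open a new ticket</a>.';
         $_SESSION['_client']['laststrike'] = time();
         // Report the values this function was called with rather than
         // $_POST: on the GET auto-login path $_POST is empty and the
         // alert carried no email or ticket number.
         $alert = 'Excessive login attempts by a client?' . "\n"
             . 'Email: ' . $email . "\n"
             . 'Ticket#: ' . $ticketID . "\n"
             . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
             . 'Time:' . date('M j, Y, g:i a T') . "\n\n"
             . 'Attempts #' . $strikes;
         $ost->logError('Excessive login attempts (client)', $alert, $cfg->alertONLoginError());
     } elseif ($strikes % 2 == 0) {
         // Log every other failed login attempt as a warning.
         $alert = 'Email: ' . $email . "\n"
             . 'Ticket #: ' . $ticketID . "\n"
             . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
             . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
             . 'Attempts #' . $strikes;
         $ost->logWarning('Failed login attempt (client)', $alert);
     }
 }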
예제 #7
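// Forced upgrade? Version mismatch. Only the part of THIS_VERSION before its
// last '.' is compared against the stored config version. die() terminates
// the script itself, so the exit that used to follow it was unreachable.
if (defined('THIS_VERSION') && strcasecmp($cfg->getVersion(), substr(THIS_VERSION, 0, strripos(THIS_VERSION, '.')))) {
    die(_('System is offline for an upgrade.'));
}

// include what is needed on user stuff
require_once INCLUDE_DIR . 'class.ticket.php';

// clear some vars
$errors = array();
$msg = '';
$thisuser = null;

// Has got the user a session? Then make sure the user is valid...before doing
// anything else. Both keys must be present and non-empty; reading them
// without a check raised undefined-index notices on anonymous visits.
if (!empty($_SESSION['_user']['userID']) && !empty($_SESSION['_user']['key'])) {
    if (!$cfg->getUserLogRequired()) {
        $thisuser = new UserSession($_SESSION['_user']['userID'], $_SESSION['_user']['key']);
    } else {
        $thisuser = new ClientSession($_SESSION['_user']['userID'], $_SESSION['_user']['key']);
        // Block blocked client: destroy the session AND drop the session
        // object, so the rest of the request runs as anonymous instead of
        // relying on isValid() below to reject an inactive client.
        if (!$thisuser->isactive()) {
            $errors['err'] = _('Access Disabled. Contact Admin');
            $_SESSION['_user'] = array();
            session_unset();
            session_destroy();
            $thisuser = null;
        }
    }
}

// Is the user logged in? Only a session that still validates is refreshed.
if ($thisuser && $thisuser->getId() && $thisuser->isValid()) {
    $thisuser->refreshSession();
}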
예제 #8
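 /**
  * Authenticate a client with a ticket number and the email on the ticket.
  *
  * $ticketID, $email and $auth are trimmed before use. For GET requests (the
  * auto-login link) the auth token is mandatory and must equal the ticket's
  * own token; for POST it is ignored. On success the client session is
  * populated, the session id is regenerated (and the old session record
  * destroyed) and the ClientSession is returned. On failure $errors['login']
  * is set, the per-session strike counter is incremented, a lockout is
  * started once the counter passes getClientMaxLogins(), and false is
  * returned.
  *
  * XXX: SECURITY: attempts are counted in the PHP session, i.e. enforced via
  *      the client's own cookie.
  *
  * @param string      $ticketID external ticket number
  * @param string      $email    email address to match against the ticket
  * @param string|null $auth     auth token (GET only)
  * @param array       $errors   receives 'login' / 'err' messages
  * @return ClientSession|false
  */
 function login($ticketID, $email, $auth = null, &$errors = array())
 {
     global $ost;
     $cfg = $ost->getConfig();

     // Cast before trim(): passing null to trim() is deprecated on newer PHP,
     // and (string) null trims to the same '' the old code produced.
     $auth = trim((string) $auth);
     $email = trim((string) $email);
     $ticketID = trim((string) $ticketID);

     // Only consider auth token for GET requests, and for GET requests,
     // REQUIRE the auth token
     $auto_login = $_SERVER['REQUEST_METHOD'] == 'GET';

     // Current strike count; the session key does not exist before the first
     // failed attempt.
     $strikes = isset($_SESSION['_client']['strikes']) ? (int) $_SESSION['_client']['strikes'] : 0;

     // Check time for last max failed login attempt strike.
     if (!empty($_SESSION['_client']['laststrike'])) {
         if (time() - $_SESSION['_client']['laststrike'] < $cfg->getClientLoginTimeout()) {
             $errors['login'] = '******';
             $errors['err'] = 'You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>';
             // renew the strike: any attempt during the lockout extends it.
             $_SESSION['_client']['laststrike'] = time();
         } else {
             // Timeout is over.
             // Reset the counter for next round of attempts after the timeout.
             $_SESSION['_client']['laststrike'] = null;
             $_SESSION['_client']['strikes'] = 0;
             $strikes = 0;
         }
     }

     if ($auto_login && !$auth) {
         $errors['login'] = '******';
     } elseif (!$ticketID || !Validator::is_email($email)) {
         $errors['login'] = '******';
     }

     // Bail out on error (lockout, missing token, or malformed input). These
     // are not counted as strikes.
     if ($errors) {
         return false;
     }

     // See if we can fetch local ticket id associated with the ID given
     if (($ticket = Ticket::lookupByExtId($ticketID, $email)) && $ticket->getId()) {
         // At this point we know the ticket ID is valid.
         // TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??
         // Check the email given, and require the auth token for automatic
         // logins (GET METHOD).
         // NOTE(review): `===` is not timing-safe; hash_equals() would be
         // preferable where the supported PHP version provides it.
         if (!strcasecmp($ticket->getEmail(), $email)
                 && (!$auto_login || $auth === $ticket->getAuthToken())) {
             // valid match...create session goodies for the client.
             $user = new ClientSession($email, $ticket->getExtId());
             $_SESSION['_client'] = array(); // clear.
             $_SESSION['_client']['userID'] = $ticket->getEmail(); // Email
             $_SESSION['_client']['key'] = $ticket->getExtId(); // Ticket ID --acts as password when used with email. See above.
             $_SESSION['_client']['token'] = $user->getSessionToken();
             $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
             $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();
             $user->refreshSession(); // set the hash.

             // Log login info...
             $msg = sprintf('%s/%s logged in [%s]', $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
             $ost->logDebug('User login', $msg);

             // Regenerate the session ID so the authenticated session is not
             // served under the pre-login id, then drop the old record.
             $sid = session_id(); // Current session id.
             session_regenerate_id(TRUE); // get new ID.
             if (($session = $ost->getSession()) && is_object($session) && $sid != session_id()) {
                 $session->destroy($sid);
             }
             return $user;
         }
     }

     // If we get to this point we know the login failed.
     $errors['login'] = '******';
     $strikes += 1;
     $_SESSION['_client']['strikes'] = $strikes;
     // The lockout test used to be guarded by `!$errors`, which could never
     // hold once $errors['login'] had been set just above it — so laststrike
     // was never set on this path and the login timeout never engaged.
     if ($strikes > $cfg->getClientMaxLogins()) {
         $errors['err'] = 'Forgot your login info? Please <a href="open.php">open a new ticket</a>.';
         $_SESSION['_client']['laststrike'] = time();
         $alert = 'Excessive login attempts by a user.' . "\n"
             . 'Email: ' . $email . "\n"
             . 'Ticket#: ' . $ticketID . "\n"
             . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
             . 'Time:' . date('M j, Y, g:i a T') . "\n\n"
             . 'Attempts #' . $strikes;
         $ost->logError('Excessive login attempts (user)', $alert, $cfg->alertONLoginError());
     } elseif ($strikes % 2 == 0) {
         // Log every other failed login attempt as a warning.
         $alert = 'Email: ' . $email . "\n"
             . 'Ticket #: ' . $ticketID . "\n"
             . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
             . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
             . 'Attempts #' . $strikes;
         $ost->logWarning('Failed login attempt (user)', $alert);
     }
     return false;
 }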