public function check($access, $cache = false, $validate_sign = false, $disable_counter = false) { global $cfg; if ($cache == false && headers_sent() == false) { header('Expires: Mon, 9 Oct 2000 18:00:00 GMT'); header('Cache-Control: no-store, no-cache, must-revalidate'); } $sid = $this->app->getCookie('netjukebox_sid'); $authenticate = $this->app->request->params('authenticate'); $result = $this->app->db->query(' SELECT logged_in, user_id, idle_time, ip, user_agent, sign, seed, skin, random_blacklist, thumbnail, thumbnail_size, stream_id, download_id, player_id FROM session WHERE sid = BINARY "' . $this->app->db->real_escape_string($sid) . '"'); $session = $result->fetch_assoc(); //setSkin($session['skin']); // Validate login if ($authenticate == 'validate') { $username = $this->app->request->post('username'); $hash1 = $this->app->request->post('hash1'); $hash2 = $this->app->request->post('hash2'); $sign = $this->app->request->post('sign'); if ($session['ip'] == '') { message(__FILE__, __LINE__, 'error', '[b]Login failed[/b][br]netjukebox requires cookies to login.[br]Enable cookies in your browser and try again.[br][url=index.php][img]small_login.png[/img]login[/url]'); } if ($session['ip'] != $_SERVER['REMOTE_ADDR']) { message(__FILE__, __LINE__, 'error', '[b]Login failed[/b][br]Unexpected IP address[br][url=index.php][img]small_login.png[/img]login[/url]'); } $query = mysql_query('SELECT ' . (string) round(microtime(true) * 1000) . ' - pre_login_time AS login_delay FROM session WHERE ip = "' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '" ORDER BY pre_login_time DESC LIMIT 1'); $ip = mysql_fetch_assoc($query); $query = mysql_query('SELECT password, seed, version, user_id FROM user WHERE username = "******"'); $user = mysql_fetch_assoc($query); $user_id = $user['user_id']; if (($user['version'] == 0 && $user['password'] == sha1($hash1) || $user['version'] == 1 && $user['password'] == hmacsha1($hash1, $user['seed'])) && preg_match('#^[0-9a-f]{40}$#', $hash1) && preg_match('#^[0-9a-f]{40}$#', $hash2) && ($username == $cfg['anonymous_user'] && $hash2 == hmacsha1(hmacsha1($cfg['anonymous_user'], $session['seed']), $session['seed']) || $username != $cfg['anonymous_user'] && $hash2 != hmacsha1(hmacsha1('', $session['seed']), $session['seed'])) && $ip['login_delay'] > $cfg['login_delay'] && $session['user_agent'] == substr($_SERVER['HTTP_USER_AGENT'], 0, 255) && $session['sign'] == $sign) { mysql_query('UPDATE user SET password = "******", seed = "' . mysql_real_escape_string($session['seed']) . '", version = 1 WHERE username = "******"'); $sign = randomKey(); $sid = randomKey(); mysql_query('UPDATE session SET logged_in = 1, user_id = ' . (int) $user_id . ', login_time = ' . (int) time() . ', idle_time = ' . (int) time() . ', sid = "' . mysql_real_escape_string($sid) . '", sign = "' . mysql_real_escape_string($sign) . '", hit_counter = hit_counter + ' . ($disable_counter ? 0 : 1) . ', visit_counter = visit_counter + ' . (time() > $session['idle_time'] + 3600 ? 1 : 0) . ' WHERE sid = BINARY "' . mysql_real_escape_string(cookie('netjukebox_sid')) . '"'); setcookie('netjukebox_sid', $sid, time() + 31536000, null, null, NJB_HTTPS, true); @ob_flush(); flush(); } else { logoutSession(); } } else { // Validate current session $user_id = $session['user_id']; if ($session['logged_in'] && $session['ip'] == $_SERVER['REMOTE_ADDR'] && $session['user_agent'] == substr($_SERVER['HTTP_USER_AGENT'], 0, 255) && $session['idle_time'] + $cfg['session_lifetime'] > time()) { mysql_query('UPDATE session SET idle_time = ' . (int) time() . ', hit_counter = hit_counter + ' . ($disable_counter ? 0 : 1) . ', visit_counter = visit_counter + ' . (time() > $session['idle_time'] + 3600 ? 1 : 0) . ' WHERE sid = BINARY "' . mysql_real_escape_string($sid) . '"'); } elseif ($access == 'access_always') { $cfg['access_media'] = false; $cfg['access_popular'] = false; $cfg['access_favorite'] = false; $cfg['access_cover'] = false; $cfg['access_stream'] = false; $cfg['access_download'] = false; $cfg['access_playlist'] = false; $cfg['access_play'] = false; $cfg['access_add'] = false; $cfg['access_record'] = false; $cfg['access_statistics'] = false; $cfg['access_admin'] = false; return true; } else { $app->ll->str('böla'); logoutSession(); } } // Username & user privalages unset($cfg['username']); $query = mysql_query('SELECT username, access_media, access_popular, access_favorite, access_cover, access_stream, access_download, access_playlist, access_play, access_add, access_record, access_statistics, access_admin FROM user WHERE user_id = ' . (int) $user_id); $cfg += mysql_fetch_assoc($query); // Validate privilege $access_validated = false; if (is_array($access)) { foreach ($access as $value) { if (isset($cfg[$value]) && $cfg[$value]) { $access_validated = true; } } } elseif (isset($cfg[$access]) && $cfg[$access]) { $access_validated = true; } elseif ($access == 'access_logged_in') { $access_validated = true; } elseif ($access == 'access_always') { $access_validated = true; } if ($access_validated == false) { message(__FILE__, __LINE__, 'warning', '[b]You have no privilege to access this page[/b][br][url=index.php?authenticate=logout][img]small_login.png[/img]Login as another user[/url]'); } // Validate signature if ($cfg['sign_validated'] == false && ($validate_sign || $authenticate == 'logoutAllSessions' || $authenticate == 'logoutSession')) { $cfg['sign'] = randomKey(); mysql_query('UPDATE session SET sign = "' . mysql_real_escape_string($cfg['sign']) . '" WHERE sid = BINARY "' . mysql_real_escape_string($sid) . '"'); if ($session['sign'] == getpost('sign')) { $cfg['sign_validated'] = true; } else { message(__FILE__, __LINE__, 'error', '[b]Signature expired[/b]'); } } else { $cfg['sign'] = $session['sign']; } // Logout if ($authenticate == 'logout' && $cfg['username'] != $cfg['anonymous_user']) { $query = mysql_query('SELECT user_id FROM session WHERE logged_in AND user_id = ' . (int) $user_id . ' AND idle_time > ' . (int) (time() - $cfg['session_lifetime'])); if (mysql_affected_rows($db) > 1) { logoutMenu(); } else { logoutSession(); } } elseif ($authenticate == 'logoutAllSessions' && $cfg['username'] != $cfg['anonymous_user']) { mysql_query('UPDATE session SET logged_in = 0 WHERE user_id = ' . (int) $user_id); logoutSession(); } elseif ($authenticate == 'logoutSession' || $authenticate == 'logout') { logoutSession(); } $cfg['user_id'] = $user_id; $cfg['sid'] = $sid; $cfg['session_seed'] = $session['seed']; $cfg['random_blacklist'] = $session['random_blacklist']; //$cfg['thumbnail'] = $session['thumbnail']; $cfg['thumbnail'] = 1; //$cfg['thumbnail_size'] = $session['thumbnail_size']; $cfg['thumbnail_size'] = 100; $cfg['stream_id'] = isset($cfg['encode_extension'][$session['stream_id']]) ? $session['stream_id'] : -1; $cfg['download_id'] = isset($cfg['encode_extension'][$session['download_id']]) ? $session['download_id'] : -1; $cfg['player_id'] = $session['player_id']; }
<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title></title> </head> <body> <?php include_once 'functions/login-function.php'; logoutSession(); header('Location: index.php'); exit; ?> </body> </html>