Пример #1
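 /**
  * Logout page: signs the current visitor out.
  *
  * Removes every session key the login flow writes ('LoggedIn' and 'email')
  * and then rotates the session ID so the cookie value issued while the user
  * was authenticated no longer resolves to this session.
  */
 public function __construct()
 {
     parent::__construct();
     // The login handler stores both 'LoggedIn' and 'email'; clearing only
     // 'LoggedIn' leaves the old identity behind for any page that reads 'email'.
     unset($_SESSION['LoggedIn'], $_SESSION['email']);
     // Regenerate the ID on a privilege change so a captured cookie is useless
     // afterwards. Guarded because it is not visible here whether
     // parent::__construct() has started the session — TODO confirm.
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
     }
 }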
Пример #2
 /**
  * Chooses the view template from the configured site URL.
  *
  * Only 'nukq.com' selects its own view; 'caedo.com' and every other value
  * of Site::$Url fall back to 'Default'.
  */
 public function __construct()
 {
     parent::__construct();
     // Loose (==) comparisons and their order are kept exactly as before.
     // Site::$Url is presumed to be app configuration rather than the Host
     // header — worth confirming, since a host-derived value would let a
     // client pick the template.
     $viewName = 'Default';
     if (Site::$Url != 'caedo.com' && Site::$Url == 'nukq.com') {
         $viewName = 'nukq';
     }
     $this->__SelectAlternateView($viewName);
 }
 /**
  * Plain page controller with no page-specific setup.
  *
  * Delegates entirely to the parent constructor; kept explicit so the class
  * has a visible initialisation point for future additions.
  */
 public function __construct()
 {
     parent::__construct();
 }
Пример #4
 /**
  * Page controller that queues the Showdown (Markdown) script for the view.
  *
  * Registers js/showdown.js through the framework's __JavaScript() hook with
  * both optional flags off; what those flags control is not visible here.
  */
 public function __construct()
 {
     parent::__construct();
     $showdownPath = "js/showdown.js";
     $this->__JavaScript($showdownPath, false, false);
 }
Пример #5
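 /**
  * Login page controller.
  *
  * On a POST (the 'posted' field is present) it optionally verifies the
  * reCAPTCHA token with Google, then checks the submitted email/password pair
  * against the hard-coded credential table. On success it stores the user
  * class ('admin') and the email in the session and redirects to Account/.
  * Failures are reported to the view through $this->__Qtips.
  *
  * Changes versus the earlier revision of this example:
  *  - the ?WithoutRecaptcha URL switch is gone: a client-controlled captcha
  *    bypass defeats the purpose of the captcha;
  *  - the reCAPTCHA secret is read from the RECAPTCHA_SECRET environment
  *    variable instead of being committed to source;
  *  - the verify request is built with http_build_query(), so the response
  *    token cannot inject or override query parameters;
  *  - form fields are type-checked before trim()/comparison (email[]=x);
  *  - passwords are compared with hash_equals() and the session ID is
  *    regenerated on login (session fixation).
  * Still left to the deployment: a CSRF token on the form (none is visible in
  * this handler), login rate limiting / lockout, and storing password_hash()
  * output instead of plaintext (see credentialsMatch()).
  */
 public function __construct()
 {
     parent::__construct();
     $this->__PageTitle = "Login";

     // Requiring reCAPTCHA is a deploy-time decision: flip this constant (or the
     // property default) — never a request parameter.
     $this->UseRecaptcha = true;

     if (!isset($_POST['posted'])) {
         return;
     }

     if ($this->UseRecaptcha && !$this->verifyRecaptchaResponse()) {
         $this->__Qtips[] = new Qtip('recaptcha', 'Recaptcha Incorrect', 'red');
         $this->__Qtips[] = new Qtip('submit', 'Recaptcha Incorrect', 'red');
         return;
     }

     if (!$this->credentialsMatch()) {
         $this->__Qtips[] = new Qtip('email', 'login not found, please try again', 'red');
         return;
     }

     // Rotate the session ID on privilege change so an ID planted before login
     // does not become an authenticated session. Guarded because it is not
     // visible here whether parent::__construct() starts the session — TODO confirm.
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
     }
     // 'LoggedIn' holds the class of the logged-in user; pages can use it as a
     // broad filter for what that user may see and do.
     $_SESSION['LoggedIn'] = 'admin';
     $_SESSION['email'] = $_POST['email'];
     Redirect('Account/');
 }

 /**
  * Verifies the submitted reCAPTCHA token with Google's siteverify endpoint.
  *
  * Fails closed: a missing token, a missing secret, a failed HTTP call or a
  * reply that is not JSON with "success": true all return false.
  *
  * @return bool
  */
 private function verifyRecaptchaResponse()
 {
     $token = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
     if (!is_string($token) || $token === '') {
         return false;
     }
     // The secret must not live in source control. Register your own key at
     // https://www.google.com/recaptcha/ and provide it via the environment.
     $secret = getenv('RECAPTCHA_SECRET');
     if (!is_string($secret) || $secret === '') {
         return false;
     }
     // http_build_query() percent-encodes every value, so a crafted token
     // cannot append extra parameters to the verify URL.
     $verifyUrl = 'https://www.google.com/recaptcha/api/siteverify?' . http_build_query(array(
         'secret'   => $secret,
         'response' => $token,
         'remoteip' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
     ));
     $reply = file_get_contents($verifyUrl);
     if ($reply === false) {
         return false;
     }
     // Decode to an array and require an explicit boolean true; the earlier
     // code dereferenced ->success on whatever json_decode returned, which
     // warns on a non-JSON reply.
     $decoded = json_decode($reply, true);
     return is_array($decoded) && isset($decoded['success']) && $decoded['success'] === true;
 }

 /**
  * Checks the posted email/password against the hard-coded credential table.
  *
  * The author's stance, kept from the original: for a tiny site whose
  * developers already have admin database access, hard-coded credentials add
  * no new exposure, and the right amount of machinery (database-backed users,
  * hashed passwords, IP/cookie checks, lockout after failed logins, a key
  * store, two-factor) depends on what the site actually protects.
  *
  * What this version does regardless of that choice: compares with
  * hash_equals() so the comparison does not leak the matching prefix through
  * timing, and rejects non-string fields. Before real use, store
  * password_hash() output in the table and swap hash_equals() for
  * password_verify().
  *
  * @return bool true when the submitted pair matches an entry.
  */
 private function credentialsMatch()
 {
     $arrValidLoginPairs = array('*****@*****.**' => 'CaedoRocks!');

     $email = isset($_POST['email']) ? $_POST['email'] : '';
     $password = isset($_POST['password']) ? $_POST['password'] : '';
     // A crafted form (email[]=x) would otherwise hand arrays to trim()/hash_equals().
     if (!is_string($email) || !is_string($password)) {
         return false;
     }
     $password = trim($password);
     if ($email === '' || $password === '') {
         return false;
     }
     if (!isset($arrValidLoginPairs[$email])) {
         return false;
     }
     return hash_equals($arrValidLoginPairs[$email], $password);
 }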