/** * Do a cookie login. * * @return MEMBER Logged in member (NULL: no login happened) */ function try_cookie_login() { $member = NULL; // Preprocess if this is a serialized cookie $member_cookie_name = get_member_cookie(); $bar_pos = strpos($member_cookie_name, '|'); $colon_pos = strpos($member_cookie_name, ':'); if ($colon_pos !== false) { $base = substr($member_cookie_name, 0, $colon_pos); if (array_key_exists($base, $_COOKIE) && $_COOKIE[$base] != '') { $real_member_cookie = substr($member_cookie_name, $colon_pos + 1); $real_pass_cookie = substr(get_pass_cookie(), $colon_pos + 1); $the_cookie = $_COOKIE[$base]; if (get_magic_quotes_gpc()) { $the_cookie = stripslashes($_COOKIE[$base]); } secure_serialized_data($the_cookie, array()); $unserialize = @unserialize($the_cookie); if (is_array($unserialize)) { if (array_key_exists($real_member_cookie, $unserialize)) { $the_member = $unserialize[$real_member_cookie]; if (get_magic_quotes_gpc()) { $the_member = addslashes(@strval($the_member)); } $_COOKIE[get_member_cookie()] = $the_member; } if (array_key_exists($real_pass_cookie, $unserialize)) { $the_pass = $unserialize[$real_pass_cookie]; if (get_magic_quotes_gpc()) { $the_pass = addslashes($the_pass); } $_COOKIE[get_pass_cookie()] = $the_pass; } } } } elseif ($bar_pos !== false) { $base = substr($member_cookie_name, 0, $bar_pos); if (array_key_exists($base, $_COOKIE) && $_COOKIE[$base] != '') { $real_member_cookie = substr($member_cookie_name, $bar_pos + 1); $real_pass_cookie = substr(get_pass_cookie(), $bar_pos + 1); $the_cookie = $_COOKIE[$base]; if (get_magic_quotes_gpc()) { $the_cookie = stripslashes($_COOKIE[$base]); } $cookie_contents = explode('||', $the_cookie); $the_member = $cookie_contents[intval($real_member_cookie)]; if (get_magic_quotes_gpc()) { $the_member = addslashes($the_member); } $_COOKIE[get_member_cookie()] = $the_member; $the_pass = $cookie_contents[intval($real_pass_cookie)]; if (get_magic_quotes_gpc()) { $the_pass = addslashes($the_pass); } $_COOKIE[get_pass_cookie()] = $the_pass; } } if (array_key_exists(get_member_cookie(), $_COOKIE) && array_key_exists(get_pass_cookie(), $_COOKIE)) { $store = $_COOKIE[get_member_cookie()]; $pass = $_COOKIE[get_pass_cookie()]; if (get_magic_quotes_gpc()) { $store = stripslashes($store); $pass = stripslashes($pass); } if ($GLOBALS['FORUM_DRIVER']->is_cookie_login_name()) { $username = $store; $store = strval($GLOBALS['FORUM_DRIVER']->get_member_from_username($store)); } else { $username = $GLOBALS['FORUM_DRIVER']->get_username(intval($store)); } $member = intval($store); if (!is_guest($member)) { if ($GLOBALS['FORUM_DRIVER']->is_hashed()) { // Test password hash $login_array = $GLOBALS['FORUM_DRIVER']->forum_authorise_login(NULL, $member, $pass, $pass, true); $member = $login_array['id']; } else { // Test password plain $login_array = $GLOBALS['FORUM_DRIVER']->forum_authorise_login(NULL, $member, apply_forum_driver_md5_variant($pass, $username), $pass, true); $member = $login_array['id']; } if (!is_null($member)) { global $IS_A_COOKIE_LOGIN; $IS_A_COOKIE_LOGIN = true; create_session($member, 0, isset($_COOKIE[get_member_cookie() . '_invisible']) && $_COOKIE[get_member_cookie() . '_invisible'] == '1'); } } } return $member; }
/** * The actualiser for logging in. * * @return tempcode The UI. */ function login_after() { breadcrumb_set_parents(array(array('_SELF:_SELF:misc', do_lang_tempcode('_LOGIN')))); $username = trim(post_param('login_username')); $feedback = $GLOBALS['FORUM_DRIVER']->forum_authorise_login($username, NULL, apply_forum_driver_md5_variant(trim(post_param('password')), $username), trim(post_param('password'))); $id = $feedback['id']; if (!is_null($id)) { $title = get_page_title('LOGGED_IN'); $url = enforce_sessioned_url(either_param('redirect')); //set_session_id(get_session_id()); // Just in case something earlier set it to a pre-logged-in one Not needed if (count($_POST) <= 4) { require_code('site2'); assign_refresh($url, 0.0); $post = new ocp_tempcode(); $refresh = new ocp_tempcode(); } else { $post = build_keep_post_fields(array('redirect', 'redirect_passon')); $redirect_passon = post_param('redirect_passon', NULL); if (!is_null($redirect_passon)) { $post->attach(form_input_hidden('redirect', $redirect_passon)); } $refresh = do_template('JS_REFRESH', array('_GUID' => 'c7d2f9e7a2cc637f3cf9ac4d1cf97eca', 'FORM_NAME' => 'redir_form')); } decache('side_users_online'); return do_template('LOGIN_REDIRECT_SCREEN', array('_GUID' => '82e056de9150bbed185120eac3571f40', 'REFRESH' => $refresh, 'TITLE' => $title, 'TEXT' => do_lang_tempcode('_LOGIN_TEXT'), 'URL' => $url, 'POST' => $post)); } else { get_page_title('USER_LOGIN_ERROR'); $text = $feedback['error']; attach_message($text, 'warn'); if (get_forum_type() == 'ocf') { require_lang('ocf'); $forgotten_link = build_url(array('page' => 'lostpassword'), get_module_zone('lostpassword')); $extra = do_lang_tempcode('IF_FORGOTTEN_PASSWORD', escape_html($forgotten_link->evaluate())); attach_message($extra, 'inform'); } return $this->login_before(); } }
/** * Process a login. * * @param ID_TEXT Username */ function handle_active_login($username) { global $SESSION_CACHE; $result = array(); $member_cookie_name = get_member_cookie(); $colon_pos = strpos($member_cookie_name, ':'); if ($colon_pos !== false) { $base = substr($member_cookie_name, 0, $colon_pos); $real_member_cookie = substr($member_cookie_name, $colon_pos + 1); $real_pass_cookie = substr(get_pass_cookie(), $colon_pos + 1); $serialized = true; } else { $real_member_cookie = get_member_cookie(); $base = $real_member_cookie; $real_pass_cookie = get_pass_cookie(); $serialized = false; } $password = trim(post_param('password')); $login_array = $GLOBALS['FORUM_DRIVER']->forum_authorise_login($username, NULL, apply_forum_driver_md5_variant($password, $username), $password); $member = $login_array['id']; // Run hooks, if any exist $hooks = find_all_hooks('systems', 'upon_login'); foreach (array_keys($hooks) as $hook) { require_code('hooks/systems/upon_login/' . filter_naughty($hook)); $ob = object_factory('upon_login' . filter_naughty($hook), true); if (is_null($ob)) { continue; } $ob->run(true, $username, $member); // true means "a new login attempt" } if (!is_null($member)) { $remember = post_param_integer('remember', 0); // Create invisibility cookie if (array_key_exists(get_member_cookie() . '_invisible', $_COOKIE) || $remember == 1) { $invisible = post_param_integer('login_invisible', 0); ocp_setcookie(get_member_cookie() . '_invisible', strval($invisible)); $_COOKIE[get_member_cookie() . '_invisible'] = strval($invisible); } // Store the cookies if ($remember == 1) { global $IS_A_COOKIE_LOGIN; $IS_A_COOKIE_LOGIN = true; // Create user cookie if (method_exists($GLOBALS['FORUM_DRIVER'], 'forum_create_cookie')) { $GLOBALS['FORUM_DRIVER']->forum_create_cookie($member, NULL, $password); } else { if ($GLOBALS['FORUM_DRIVER']->is_cookie_login_name()) { $name = $GLOBALS['FORUM_DRIVER']->get_username($member); if ($serialized) { $result[$real_member_cookie] = $name; } else { ocp_setcookie(get_member_cookie(), $name, false, true); $_COOKIE[get_member_cookie()] = $name; } } else { if ($serialized) { $result[$real_member_cookie] = $member; } else { ocp_setcookie(get_member_cookie(), strval($member), false, true); $_COOKIE[get_member_cookie()] = strval($member); } } // Create password cookie if (!$serialized) { if ($GLOBALS['FORUM_DRIVER']->is_hashed()) { ocp_setcookie(get_pass_cookie(), apply_forum_driver_md5_variant($password, $username), false, true); } else { ocp_setcookie(get_pass_cookie(), $password, false, true); } } else { if ($GLOBALS['FORUM_DRIVER']->is_hashed()) { $result[$real_pass_cookie] = apply_forum_driver_md5_variant($password, $username); } else { $result[$real_pass_cookie] = $password; } $_result = serialize($result); ocp_setcookie($base, $_result, false, true); } } } // Create session require_code('users_inactive_occasionals'); create_session($member, 1, post_param_integer('login_invisible', 0) == 1); } else { $GLOBALS['SITE_DB']->query_insert('failedlogins', array('failed_account' => substr(trim(post_param('login_username')), 0, 80), 'date_and_time' => time(), 'ip' => get_ip_address())); $count = $GLOBALS['SITE_DB']->query_value_null_ok_full('SELECT COUNT(*) FROM ' . get_table_prefix() . 'failedlogins WHERE date_and_time>' . strval(time() - 60 * 15) . ' AND ' . db_string_equal_to('ip', get_ip_address())); if ($count > 30) { log_hack_attack_and_exit('BRUTEFORCE_LOGIN_HACK'); } } }