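/**
 * Attempt to log in and generate a session.
 *
 * Reads the credentials from $_REQUEST['user'] / $_REQUEST['passwd'].
 * On success a new row is written to the Sessions table, the AURSID
 * cookie is set and a Location header pointing at the (validated)
 * referer is emitted. The caller is responsible for ending the request.
 *
 * @return array{SID: string, error: string|null}
 *         'SID'   - the new session ID ('' if no session was created)
 *         'error' - translated error message; null when no login was
 *                   attempted, '' on success
 */
function try_login() {
	$login_error = "";
	$new_sid = "";

	/* No credentials at all: the form was not submitted. */
	if (!isset($_REQUEST['user']) && !isset($_REQUEST['passwd'])) {
		return array('SID' => '', 'error' => null);
	}

	/* A half-filled request must not raise undefined-index notices;
	 * a missing field simply fails the password check below. */
	$user = isset($_REQUEST['user']) ? $_REQUEST['user'] : '';
	$passwd = isset($_REQUEST['passwd']) ? $_REQUEST['passwd'] : '';

	if (is_ipbanned()) {
		$login_error = __('The login form is currently disabled ' .
			'for your IP address, probably due ' .
			'to sustained spam attacks. Sorry for the ' .
			'inconvenience.');
		return array('SID' => '', 'error' => $login_error);
	}

	$dbh = DB::connect();
	$userID = uid_from_loginname($user);

	if (user_suspended($userID)) {
		$login_error = __('Account suspended');
		return array('SID' => '', 'error' => $login_error);
	} elseif (passwd_is_empty($userID)) {
		$login_error = __('Your password has been reset. ' .
			'If you just created a new account, please ' .
			'use the link from the confirmation email ' .
			'to set an initial password. Otherwise, ' .
			'please request a reset key on the %s' .
			'Password Reset%s page.',
			'<a href="' . htmlspecialchars(get_uri('/passreset')) . '">',
			'</a>');
		return array('SID' => '', 'error' => $login_error);
	} elseif (!valid_passwd($userID, $passwd)) {
		$login_error = __("Bad username or password.");
		return array('SID' => '', 'error' => $login_error);
	}

	/* Everything below interpolates $userID and $new_sid into SQL.
	 * Quote them through the driver, as the LastLoginIPAddress update
	 * already does, instead of relying on their type. */
	$quoted_uid = $dbh->quote($userID);

	/* Loop invariant: read the per-user session cap once. */
	$session_limit = config_get_int('options', 'max_sessions_per_user');

	$logged_in = 0;
	$num_tries = 0;
	/* Generate a session ID and store it. A few retries cover the case
	 * where the generated ID collides with an existing row. */
	while (!$logged_in && $num_tries < 5) {
		if ($session_limit) {
			/*
			 * Delete all user sessions except the
			 * last ($session_limit - 1).
			 */
			$q = "DELETE s.* FROM Sessions s ";
			$q .= "LEFT JOIN (SELECT SessionID FROM Sessions ";
			$q .= "WHERE UsersId = " . $quoted_uid . " ";
			$q .= "ORDER BY LastUpdateTS DESC ";
			$q .= "LIMIT " . ($session_limit - 1) . ") q ";
			$q .= "ON s.SessionID = q.SessionID ";
			$q .= "WHERE s.UsersId = " . $quoted_uid . " ";
			$q .= "AND q.SessionID IS NULL;";
			$dbh->query($q);
		}

		$new_sid = new_sid();
		$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)" .
			" VALUES (" . $quoted_uid . ", " . $dbh->quote($new_sid) .
			", UNIX_TIMESTAMP())";
		$result = $dbh->exec($q);

		/* Query will fail if $new_sid is not unique. */
		if ($result) {
			$logged_in = 1;
			break;
		}
		$num_tries++;
	}

	if (!$logged_in) {
		$login_error = __('An error occurred trying to generate a user session.');
		return array('SID' => $new_sid, 'error' => $login_error);
	}

	/* Record the login time and source address on the user row. */
	$q = "UPDATE Users SET LastLogin = UNIX_TIMESTAMP(), ";
	$q .= "LastLoginIPAddress = " . $dbh->quote(ip2long($_SERVER['REMOTE_ADDR'])) . " ";
	$q .= "WHERE ID = " . $quoted_uid;
	$dbh->exec($q);

	/* Set the SID cookie. A persistent login extends both the cookie
	 * and the server-side session by the configured timeout; otherwise
	 * the cookie is a browser-session cookie (expiry 0). */
	if (isset($_POST['remember_me']) && $_POST['remember_me'] === "on") {
		$timeout = config_get_int('options', 'persistent_cookie_timeout');
		$cookie_time = time() + $timeout;
		$q = "UPDATE Sessions SET LastUpdateTS = {$cookie_time} ";
		$q .= "WHERE SessionID = " . $dbh->quote($new_sid);
		$dbh->exec($q);
	} else {
		$cookie_time = 0;
	}
	/* Secure flag only when the request itself came over HTTPS; HttpOnly always. */
	setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true);

	/* Only follow a referer that points back into this site; anything
	 * else lands on the front page.
	 * NOTE(review): this is a plain string-prefix test against
	 * aur_location() - confirm that value ends in a path separator,
	 * otherwise an unrelated origin that merely shares the prefix
	 * would be accepted. */
	$referer = in_request('referer');
	if (strpos($referer, aur_location()) !== 0) {
		$referer = '/';
	}
	header("Location: " . get_uri($referer));

	/* Always honour the documented array return, even on success. */
	return array('SID' => $new_sid, 'error' => '');
}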
<?php
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');

include_once 'aur.inc.php';       # access AUR common functions
include_once 'acctfuncs.inc.php'; # access Account specific functions

set_lang();  # this sets up the visitor's language
check_sid(); # see if they're still logged in

# Registration is only for visitors without a session cookie; anyone
# already carrying AURSID is sent to the front page instead.
if (isset($_COOKIE["AURSID"])) {
	header('Location: /');
	exit;
}

html_header(__('Register'));

echo '<div class="box">';
echo '<h2>' . __('Register') . '</h2>';

$action = in_request("Action");
if ($action == "NewAccount") {
	# Form was submitted: validate/create the account, then show the
	# result message. On failure the form is re-displayed with the
	# submitted values so the visitor can correct them.
	list($success, $message) = process_account_form(
		"new", "NewAccount",
		in_request("U"), 1, 0,
		in_request("E"), in_request("H"),
		'', '',
		in_request("R"), in_request("L"), in_request("I"),
		in_request("K"), in_request("PK")
	);
	# NOTE(review): $message is printed as-is; escaping of any echoed
	# request values is assumed to happen inside process_account_form.
	echo $message;
	if (!$success) {
		display_account_form(
			"NewAccount",
			in_request("U"), 1, 0,
			in_request("E"), in_request("H"),
			'', '',
			in_request("R"), in_request("L"), in_request("I"),
			in_request("K"), in_request("PK")
		);
	}
} else {
	# First visit: empty form, defaulting the language to the visitor's.
	echo '<p>' . __("Use this form to create an account.") . '</p>';
	display_account_form("NewAccount", "", "", "", "", "", "", "", "", $LANG);
}

echo '</div>';
html_footer(AURWEB_VERSION);
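<input type="submit" class="button" value="<?php print __("Login"); ?>" />
<a href="<?php echo get_uri('/passreset/'); ?>">[<?php echo __('Forgot Password'); ?>]</a>
<?php
/* Carry the post-login redirect target through the form. The request
 * value is reflected into an HTML attribute, so it is escaped for that
 * context exactly like the HTTP_REFERER branch below. in_request() is
 * assumed to return the raw request value - confirm it does not escape
 * already, otherwise this would double-encode ampersands. */
if (in_request('referer') !== "") { ?>
<input id="id_referer" type="hidden" name="referer" value="<?php echo htmlspecialchars(in_request('referer'), ENT_QUOTES); ?>" />
<?php } elseif (isset($_SERVER['HTTP_REFERER'])) { ?>
<input id="id_referer" type="hidden" name="referer" value="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES); ?>" />
<?php } ?>
</p>
</fieldset>
</form>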
} } else { print __("You do not have permission to edit this account."); } } elseif ($action == "AccountInfo") { # no editing, just looking up user info # if (empty($row)) { print __("Could not retrieve information for the specified user."); } else { include "account_details.php"; } } elseif ($action == "UpdateAccount") { print $update_account_message; if (!$success) { display_account_form("UpdateAccount", in_request("U"), in_request("T"), in_request("S"), in_request("E"), in_request("H"), in_request("P"), in_request("C"), in_request("R"), in_request("L"), in_request("I"), in_request("K"), in_request("PK"), in_request("J"), in_request("ID"), $row["Username"]); } } else { if (has_credential(CRED_ACCOUNT_SEARCH)) { # display the search page if they're a TU/dev # print __("Use this form to search existing accounts.") . "<br />\n"; include 'search_accounts_form.php'; } else { print __("You are not allowed to access this area."); } } } else { # visitor is not logged in # print __("You must log in to view user information.");