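/**
 * Sets the SMF-style login cookie and session based on the id_member and password passed.
 * - password should be already encrypted with the cookie salt.
 * - logs the user out if id_member is zero.
 * - sets the cookie and session to last the number of seconds specified by cookie_length.
 * - when logging out, if the globalCookies setting is enabled, attempts to clear the subdomain's cookie too.
 *
 * Relies on the globals $cookiename, $boardurl, $modSettings and $sourcedir, and on the
 * helpers url_parts(), smf_setcookie() and loadSession() defined elsewhere.
 *
 * @param int $cookie_length Lifetime of the cookie and session, in seconds.
 * @param int $id The id of the member; zero (or empty) means "log out".
 * @param string $password = '' The member's password hash, already salted for the cookie.
 * @return void
 */
function setLoginCookie($cookie_length, $id, $password = '')
{
	global $cookiename, $boardurl, $modSettings, $sourcedir;

	// If changing state force them to re-address some permission caching.
	$_SESSION['mc']['time'] = 0;

	// Same expiry for every cookie written below.
	$expires = time() + $cookie_length;

	// The cookie may already exist, and have been set with different options.
	// Bit 0 = localCookies (path-restricted), bit 1 = globalCookies (domain-wide).
	$cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2);
	if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1)
	{
		// unserialize() on client-supplied data is only tolerable here because the regex
		// above pins the payload to a flat array of ints/strings, so no object can be built.
		$array = @unserialize($_COOKIE[$cookiename]);

		// Out with the old, in with the new!
		if (isset($array[3]) && $array[3] != $cookie_state)
		{
			// Parenthesised on purpose: '>' binds tighter than '&' in PHP, so the
			// unparenthesised "$array[3] & 2 > 0" evaluated as "$array[3] & 1" and
			// tested the local bit instead of the global bit.
			$cookie_url = url_parts(($array[3] & 1) > 0, ($array[3] & 2) > 0);
			smf_setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0]);
		}
	}

	// Get the data and path to set it on.
	$data = serialize(empty($id) ? array(0, '', 0) : array($id, $password, $expires, $cookie_state));
	$cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));

	// Set the cookie, $_COOKIE, and session variable.
	smf_setcookie($cookiename, $data, $expires, $cookie_url[1], $cookie_url[0]);

	// If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
	if (empty($id) && !empty($modSettings['globalCookies']))
		smf_setcookie($cookiename, $data, $expires, $cookie_url[1], '');

	// Any alias URLs?  This is mainly for use with frames, etc.
	if (!empty($modSettings['forum_alias_urls']))
	{
		$aliases = explode(',', $modSettings['forum_alias_urls']);
		$temp = $boardurl;
		foreach ($aliases as $alias)
		{
			// Fake the $boardurl so we can set a different cookie.
			$alias = strtr(trim($alias), array('http://' => '', 'https://' => ''));

			// A stray comma in the setting yields an empty alias; there is no host to set a cookie for.
			if ($alias === '')
				continue;

			$boardurl = 'http://' . $alias;
			$cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
			if ($cookie_url[0] == '')
				$cookie_url[0] = strtok($alias, '/');

			smf_setcookie($cookiename, $data, $expires, $cookie_url[1], $cookie_url[0]);
		}
		$boardurl = $temp;
	}

	$_COOKIE[$cookiename] = $data;

	// Make sure the user logs in with a new session ID.
	if (!isset($_SESSION['login_' . $cookiename]) || $_SESSION['login_' . $cookiename] !== $data)
	{
		// We need to meddle with the session.
		require_once $sourcedir . '/Session.php';

		// Backup and remove the old session.
		$oldSessionData = $_SESSION;
		$_SESSION = array();
		session_destroy();

		// Recreate and restore the new session.
		loadSession();

		// @todo should we use session_regenerate_id(true); now that we are 5.1+
		session_regenerate_id();
		$_SESSION = $oldSessionData;
		$_SESSION['login_' . $cookiename] = $data;
	}
}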
} else { ob_end_clean(); ob_start('ob_gzhandler'); } } // Emit some headers for some modicum of protection against nasties. if (!headers_sent()) { // Future versions will make some of this configurable. This is primarily a 'safe' configuration for most cases for now. header('X-Frame-Options: SAMEORIGIN'); header('X-XSS-Protection: 1'); header('X-Content-Type-Options: nosniff'); } // Register an error handler. set_error_handler('error_handler'); // Start the session. (assuming it hasn't already been.) loadSession(); // Determine if this is using WAP, WAP2, or imode. Technically, we should check that wap comes before application/xhtml or text/html, but this doesn't work in practice as much as it should. if (isset($_REQUEST['wap']) || isset($_REQUEST['wap2']) || isset($_REQUEST['imode'])) { unset($_SESSION['nowap']); } elseif (isset($_REQUEST['nowap'])) { $_SESSION['nowap'] = true; } elseif (!isset($_SESSION['nowap'])) { if (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/vnd.wap.xhtml+xml') !== false) { $_REQUEST['wap2'] = 1; } elseif (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'text/vnd.wap.wml') !== false) { if (strpos($_SERVER['HTTP_USER_AGENT'], 'DoCoMo/') !== false || strpos($_SERVER['HTTP_USER_AGENT'], 'portalmmm/') !== false) { $_REQUEST['imode'] = 1; } else { $_REQUEST['wap'] = 1; } }
if (isset($_SESSION['cal'])) { //active $calID = $_SESSION['cal']; } else { //expired, get cal & user ID $calID = $_SESSION['cal'] = isset($_COOKIE['LCALcid']) ? @unserialize($_COOKIE['LCALcid']) : $dbPfix; $_SESSION['uid'] = isset($_COOKIE['LCALuid']) ? @unserialize($_COOKIE['LCALuid']) : 1; } //get settings from database $set = getSettings(); } //set time zone date_default_timezone_set($set['timeZone']); //load session data from db if ($set['restLastSel']) { loadSession($sessID, $calID); } //echo "sessID: ".$sessID." / calID: ".$calID." / restLastSel: ".$set['restLastSel']." / cP: ".$_SESSION['cP']; //test //after login bake is set (1:bake, -1:eat cookie) if (isset($_REQUEST['bake'])) { setcookie('LCALuid', serialize($_SESSION['uid']), time() + 86400 * $set['cookieExp'] * $_REQUEST['bake']); //set or refresh saveSession($sessID, $calID, $_REQUEST['bake']); } //check for mobile browsers if (!isset($_SESSION['mobile'])) { $_SESSION['mobile'] = isMobile(); } //set header display if (isset($_GET['hdr'])) { $_SESSION['hdr'] = $_GET['hdr'];
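/**
 * Pre-load integration hook: when the request was bounced here from WordPress
 * (fromWp + url parameters, set within the last 30 seconds, with a Referer on the
 * forum's own domain), translate the WordPress login-page action into the
 * equivalent forum action and redirect. Otherwise it returns without effect.
 *
 * Relies on the global $boardurl and on redirectexit(), loadSession() and
 * $this->encodeRedirect() defined elsewhere.
 *
 * @return void
 */
public function integrate_pre_load()
{
    global $boardurl;

    // Check if we came from Wordpress and if so, redirect to the appropriate action.
    // fromWp is a client-supplied timestamp: it only limits replay, it is not authentication.
    if (!isset($_GET['fromWp']) || empty($_GET['url']) || time() - (int) $_GET['fromWp'] > 30 || empty($_SERVER['HTTP_REFERER'])) {
        return;
    }

    $referer = parse_url($_SERVER['HTTP_REFERER']);

    // We don't want to allow cross-domain redirects.
    if (empty($referer['host'])) {
        return;
    }

    $boardhost = parse_url($boardurl, PHP_URL_HOST);
    if ($boardhost !== $referer['host']) {
        // Compare them, TLD must at least match: count the right-most labels that agree.
        // NOTE(review): two matching labels is a weak test under multi-label public
        // suffixes such as "co.uk", where unrelated hosts share them; tightening this
        // properly needs a public-suffix list rather than a fixed label count.
        $boardHostParts = array_reverse(explode('.', $boardhost));
        $refererHostParts = array_reverse(explode('.', $referer['host']));
        $matches = 0;
        while (!empty($boardHostParts) && !empty($refererHostParts)) {
            $matches += array_shift($boardHostParts) === array_shift($refererHostParts) ? 1 : 0;
        }
        if ($matches < 2) {
            return;
        }
    }

    define('WIRELESS', false);
    $_SERVER['REQUEST_URL'] = !empty($_SERVER['REQUEST_URL']) ? $_SERVER['REQUEST_URL'] : '';

    // parse_url() returns false for a seriously malformed URL and omits 'path' when there
    // is none; either would have made the strpos() below run on a null/undefined offset.
    $orgin = parse_url($_GET['url']);
    if (!is_array($orgin) || empty($orgin['path'])) {
        return;
    }

    // Coming from wp-login.php?
    if (strpos($orgin['path'], 'wp-login.php') === false) {
        return;
    }

    if (empty($orgin['query'])) {
        $orgin['query'] = 'action=login';
    }
    $query = array();
    parse_str($orgin['query'], $query);
    if (empty($query['action'])) {
        $query['action'] = 'login';
    }

    switch ($query['action']) {
        case 'register':
            redirectexit('action=register');
            break;

        case 'logout':
            // Need to load the session real quick so we can properly logout and redirect.
            // The referer stored here has passed the same-domain check above.
            loadSession();
            $_SESSION['logout_url'] = $_SERVER['HTTP_REFERER'];
            redirectexit('action=logout&' . $_SESSION['session_var'] . '=' . $_SESSION['session_value']);
            break;

        case 'lostpassword':
        case 'retrievepassword':
            redirectexit('action=reminder');
            break;

        default:
            redirectexit('action=login&wp_redirect=' . $this->encodeRedirect($_SERVER['HTTP_REFERER']));
            break;
    }
}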
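/**
 * Starts (or refreshes) a server-side login session for $username and echoes it as JSON.
 *
 * If checkSession() reports an existing userssession row for the user its token is
 * replaced, otherwise a new row is inserted. Either way the session is then loaded via
 * loadSession() and written to the output with getJSON().
 *
 * Relies on the DB_DSN / DB_USERNAME / DB_PASSWORD constants and on checkSession() and
 * loadSession() defined elsewhere.
 *
 * @param string $username
 * @return void
 */
function startLogin($username)
{
    try {
        $con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
        $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // Session token: 256 bits from the CSPRNG, hex-encoded (64 chars, the same width
        // as the sha256 hex digest used before). The previous value, sha256 of the current
        // timestamp to the second, was guessable by anyone who knew roughly when the
        // login happened.
        $token = bin2hex(random_bytes(32));

        // Both values are bound parameters; nothing is interpolated into the statement text.
        if (checkSession($username)) {
            $sql = 'UPDATE userssession SET token = :token WHERE username = :username';
        } else {
            $sql = 'INSERT INTO userssession(username,token) VALUES (:username,:token)';
        }
        $stmt = $con->prepare($sql);
        $stmt->bindValue(':token', $token, PDO::PARAM_STR);
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->execute();

        $session = loadSession($username);
        echo $session->getJSON();
    } catch (PDOException $e) {
        // The original discarded the exception entirely; keep the best-effort contract
        // (no output, no re-throw) but record it so failures are visible to the operator.
        error_log($e->getMessage());
    }
}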
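/**
 * Sets the SMF-style login cookie and session based on the id_member and password passed.
 * - password should be already encrypted with the cookie salt.
 * - logs the user out if id_member is zero.
 * - sets the cookie and session to last the number of seconds specified by cookie_length.
 * - when logging out, if the globalCookies setting is enabled, attempts to clear the subdomain's cookie too.
 *
 * Relies on the globals $cookiename, $boardurl and $modSettings, and on url_parts()
 * and loadSession() defined elsewhere.
 *
 * @param int $cookie_length Lifetime of the cookie and session, in seconds.
 * @param int $id The id of the member; zero (or empty) means "log out".
 * @param string $password = '' The member's password hash, already salted for the cookie.
 * @return void
 */
function setLoginCookie($cookie_length, $id, $password = '')
{
	global $cookiename, $boardurl, $modSettings;

	// Same expiry for every cookie written below.
	$expires = time() + $cookie_length;

	// The cookie may already exist, and have been set with different options.
	// Bit 0 = localCookies (path-restricted), bit 1 = globalCookies (domain-wide).
	$cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2);
	if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1)
	{
		// unserialize() on client-supplied data is only tolerable here because the regex
		// above pins the payload to a flat array of ints/strings, so no object can be built.
		$array = @unserialize($_COOKIE[$cookiename]);

		// Out with the old, in with the new!
		if (isset($array[3]) && $array[3] != $cookie_state)
		{
			// Parenthesised on purpose: '>' binds tighter than '&' in PHP, so the
			// unparenthesised "$array[3] & 2 > 0" evaluated as "$array[3] & 1" and
			// tested the local bit instead of the global bit.
			$cookie_url = url_parts(($array[3] & 1) > 0, ($array[3] & 2) > 0);
			setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], 0);
		}
	}

	// Get the data and path to set it on.
	$data = serialize(empty($id) ? array(0, '', 0) : array($id, $password, $expires, $cookie_state));
	$cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));

	// Set the cookie, $_COOKIE, and session variable.
	// NOTE(review): the sixth argument (secure) is hard-coded to 0 and no httponly flag is
	// passed, so this login cookie is sent over plain HTTP and is readable by script;
	// whether the site is served over HTTPS is not known from here.
	setcookie($cookiename, $data, $expires, $cookie_url[1], $cookie_url[0], 0);

	// If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
	if (empty($id) && !empty($modSettings['globalCookies']))
		setcookie($cookiename, $data, $expires, $cookie_url[1], '', 0);

	// Any alias URLs?  This is mainly for use with frames, etc.
	if (!empty($modSettings['forum_alias_urls']))
	{
		$aliases = explode(',', $modSettings['forum_alias_urls']);
		$temp = $boardurl;
		foreach ($aliases as $alias)
		{
			// Fake the $boardurl so we can set a different cookie.
			$alias = strtr(trim($alias), array('http://' => '', 'https://' => ''));

			// A stray comma in the setting yields an empty alias; there is no host to set a cookie for.
			if ($alias === '')
				continue;

			$boardurl = 'http://' . $alias;
			$cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
			if ($cookie_url[0] == '')
				$cookie_url[0] = strtok($alias, '/');

			setcookie($cookiename, $data, $expires, $cookie_url[1], $cookie_url[0], 0);
		}
		$boardurl = $temp;
	}

	$_COOKIE[$cookiename] = $data;

	// Make sure the user logs in with a new session ID.
	if (!isset($_SESSION['login_' . $cookiename]) || $_SESSION['login_' . $cookiename] !== $data)
	{
		// Backup and remove the old session.
		$oldSessionData = $_SESSION;
		$_SESSION = array();
		session_destroy();

		// Recreate and restore the new session.
		loadSession();
		session_regenerate_id();
		$_SESSION = $oldSessionData;

		// Version 4.3.2 didn't store the cookie of the new session.
		if (version_compare(PHP_VERSION, '4.3.2') === 0 || isset($_COOKIE[session_name()]) && $_COOKIE[session_name()] != session_id())
			setcookie(session_name(), session_id(), $expires, $cookie_url[1], '', 0);

		$_SESSION['login_' . $cookiename] = $data;
	}
}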
} } header("Content-Type: application/json"); header("Connection: close"); initSession(); if (!isset($_POST["action"])) { echo json_encode(array("success" => false, "message" => "Aucune action fournie")); exit; } $action = $_POST["action"]; if ($action === "loadPublicGroups") { loadPublicGroups($db); } if ($action === "loadSessionOrPublicGroups") { if (isset($_SESSION["teamID"]) && !isset($_SESSION["closed"])) { loadSession($db); } else { loadPublicGroups($db); } } else { if ($action === "checkPassword") { if (!isset($_POST["password"])) { echo json_encode(array("success" => false, "message" => "Mot de passe manquant")); } else { $getTeams = $_POST["getTeams"]; $password = strtolower($_POST["password"]); if (!openGroup($db, $password, $getTeams)) { loginTeam($db, $password); } } } else {