/**
 * Handle the admin login menu: logoff, login-form submission, session checks and the login screen.
 *
 * Reads $_REQUEST['action'] ('logoff' or 'loginSubmit'), loads the global $CURRENT_USER via
 * getCurrentUser(), and then either shows the login screen or refreshes the login cookie for a
 * logged-in user and optionally redirects to $_REQUEST['redirectUrl']. Several paths end the
 * request with exit instead of returning.
 *
 * @return void
 */
function adminLoginMenu() {
  global $CURRENT_USER;

  $action = @$_REQUEST['action'];

  // logoff: never returns
  if ($action == 'logoff') {
    user_logoff();
    exit;
  }

  // login form submission: POST, internal referer and CSRF token are all enforced before credentials are touched
  if ($action == 'loginSubmit') {
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();

    // v2.52 strip leading/trailing whitespace (users accidentally paste it in)
    foreach (array('username', 'password') as $credentialField) {
      $_REQUEST[$credentialField] = preg_replace('/^\s+|\s+$/s', '', @$_REQUEST[$credentialField]);
    }
    loginCookie_set(@$_REQUEST['username'], getPasswordDigest(@$_REQUEST['password']));
  }

  // resolve the current user from the login cookie; $loginExpired is filled in by getCurrentUser()
  $CURRENT_USER = getCurrentUser($loginExpired);

  // pick the single applicable error message (conditions are checked in priority order)
  $errorMessage = '';
  if ($loginExpired) {
    $errorMessage = t("You've been logged out due to inactivity, please login again to continue.");
  }
  elseif (!$CURRENT_USER && $action == 'loginSubmit') {
    $errorMessage = t("Invalid username or password");
  }
  elseif (@$CURRENT_USER['disabled']) {
    $errorMessage = t("Your account has been disabled.");
  }
  elseif (@$CURRENT_USER['isExpired']) {
    $errorMessage = t("Your account has expired.");
  }

  if ($errorMessage) {
    alert($errorMessage);
    loginCookie_remove(); // drop the invalid cookie so it is not re-checked on every request
    $CURRENT_USER = false;
    // 1-3 s random delay slows brute forcing; the jitter keeps response time from revealing pass/fail
    usleep(mt_rand(1000000, 3000000));
  }

  // nobody logged in: optional maintenance, then the login screen (never returns)
  if (!$CURRENT_USER) {
    if (!$action) {
      createMissingSchemaTablesAndFields(); // create/update missing schemas, etc
      if (!mysql_count('accounts')) {
        alert(t("There are no user accounts in the database."));
      }
    }
    showInterface('login.php', false);
    exit;
  }

  // logged in (the branch above exits otherwise): rewrite the cookie so its lastAccess time is refreshed
  loginCookie_set(@$CURRENT_USER['username'], getPasswordDigest(@$CURRENT_USER['password']));

  // NOTE(review): redirectUrl is request-controlled; confirm redirectBrowserToURL()'s second argument
  // restricts it to local/relative targets, otherwise this is an open redirect after a valid login.
  $redirectUrl = @$_REQUEST['redirectUrl'];
  if ($redirectUrl) {
    redirectBrowserToURL($redirectUrl, true);
    exit;
  }
}
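/**
 * Read login data from the login cookie (or the Flash-uploader POST workaround) and apply the
 * inactivity limit.
 *
 * The cookie payload is strrev(base64(json)); that is an encoding only, not a signature, so the
 * values returned here are untrusted until the caller verifies username/passwordHash against
 * the accounts table. A payload that does not decode to an array (tampered, truncated, or a
 * bare scalar) is treated as "no login data" instead of being indexed.
 *
 * @return array{0: bool, 1: string, 2: string} [$sessionExpired, $username, $passwordHash];
 *         username and passwordHash are '' when there is no cookie or the session has expired.
 */
function loginCookie_get() {
  $loginData = array();
  $cookieLoginDataEncoded = getPrefixedCookie(loginCookie_name());

  // Flash Cookie Bug Fix - Flash sometimes sends no cookies (or cookies from IE when you're using Firefox).
  // ... So we fake it by passing the loginCookie via a POST request. Security: Use POST instead of GET so
  // ... sessions can't be force-created or hijacked with GET urls (and so login data won't get stored in server logs)
  $loginDataEncoded = isFlashUploader() ? @$_POST['_FLASH_COOKIE_BUG_FIX_'] : $cookieLoginDataEncoded;
  if ($loginDataEncoded) {
    $decoded = json_decode(base64_decode(strrev($loginDataEncoded)), true);
    // json_decode() returns null on malformed input and a scalar for e.g. "123"; only an array is usable
    if (is_array($decoded)) {
      $loginData = $decoded;
    }
  }

  // check if session has expired
  $sessionExpired = false;
  if ($loginData) {
    $maxSeconds = loginExpirySeconds(); // session expiry in seconds

    // read lastAccess defensively: a missing key raised a notice and a non-numeric value would make
    // the subtraction below fatal on PHP 8; both now count as 0
    $lastAccess = (isset($loginData['lastAccess']) && is_numeric($loginData['lastAccess']))
                  ? (int) $loginData['lastAccess'] : 0;
    $secondsAgo = time() - $lastAccess;

    // NOTE(review): a lastAccess of 0 (or absent) is never treated as expired here, so the inactivity
    // limit relies on loginCookie_set() always writing it - confirm, since the cookie is unsigned.
    if ($lastAccess && $secondsAgo > $maxSeconds) {
      $loginData['username'] = '';
      $loginData['passwordHash'] = '';
      $sessionExpired = true;
      loginCookie_remove();
    }
  }

  $username     = $sessionExpired ? '' : (isset($loginData['username']) ? $loginData['username'] : '');
  $passwordHash = $sessionExpired ? '' : (isset($loginData['passwordHash']) ? $loginData['passwordHash'] : '');
  return array($sessionExpired, $username, $passwordHash);
}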
/**
 * Forget the current login: remove the login cookie and clear the global $CURRENT_USER.
 *
 * @return void
 */
function user_eraseLoginSession() {
  global $CURRENT_USER;
  loginCookie_remove();
  $CURRENT_USER = false;
}