}

/* Some more include defines specific to client only */
define('CLIENTINC_DIR', INCLUDE_DIR . 'client/');
define('OSTCLIENTINC', TRUE);

// Check the status of the HelpDesk: with no usable config object, no config
// row, or the help desk switched off, serve the offline page and stop.
if (!is_object($cfg) || !$cfg->getId() || $cfg->isHelpDeskOffline()) {
    include './offline.php';
    exit;
}

// Forced upgrade? Version mismatch between the stored config version and the
// code's THIS_VERSION (case-insensitive compare). The `exit` after die() is
// unreachable; die() already terminates the request.
if (defined('THIS_VERSION') && strcasecmp($cfg->getVersion(), THIS_VERSION)) {
    die('System is offline for an upgrade.');
    exit;
}

/* include what is needed on client stuff */
require_once INCLUDE_DIR . 'class.client.php';
require_once INCLUDE_DIR . 'class.ticket.php';
require_once INCLUDE_DIR . 'class.dept.php';

// clear some vars
$errors = array();
$msg = '';
$thisclient = null;

// Make sure the user is valid..before doing anything else.
// The session carries the e-mail ('userID') and the external ticket id ('key')
// that together act as the client's credential; both are re-validated through
// ClientSession rather than trusted as-is.
// NOTE(review): both indexes are read without isset(); on a fresh session this
// raises undefined-index notices (the truthiness test itself still behaves).
if ($_SESSION['_client']['userID'] && $_SESSION['_client']['key']) {
    $thisclient = new ClientSession($_SESSION['_client']['userID'], $_SESSION['_client']['key']);
}

// is the user logged in? Only a session that ClientSession itself reports as
// valid is refreshed.
if ($thisclient && $thisclient->getId() && $thisclient->isValid()) {
    $thisclient->refreshSession();
}
//$_SESSION['_user']=array(); #Uncomment to disable login strikes.

// Check time for last max failed login attempt strike.
// NOTE(review): the throttle state ('laststrike', 'strikes') is kept in the
// visitor's own session under $_SESSION['_user'], so it bounds attempts per
// session cookie, not per account; the other fragments on this page use the
// '_client' key for the same bookkeeping.
$loginmsg = _('Invalid login');
if ($_SESSION['_user']['laststrike']) {
    if (time() - $_SESSION['_user']['laststrike'] < $cfg->getClientLoginTimeout()) {
        $loginmsg = _('Excessive failed login attempts');
        $errors['err'] = _('You\'ve reached maximum failed login attempts allowed. Try again later.');
    } else {
        // Timeout is over.
        // Reset the counter for next round of attempts after the timeout.
        $_SESSION['_user']['laststrike'] = null;
        $_SESSION['_user']['strikes'] = 0;
    }
}

// Check password.
// `new ClientSession(...)` always yields an object (truthy), so the middle
// operand never short-circuits; the decision rests on check_passwd() alone.
if (!$errors && ($thisuser = new ClientSession($_POST['username'])) && $thisuser->check_passwd($_POST['passwd'])) {
    $_SESSION['_user'] = array(); // clear.
    $_SESSION['_user']['userID'] = $thisuser->getEmail(); // Email
    // NOTE(review): the "Ticket ID" wording below is inherited from the
    // ticket-based flow; here getId() comes from a username-based
    // ClientSession -- confirm what it actually returns.
    $_SESSION['_user']['key'] = $thisuser->getId(); // Ticket ID --acts as password when used with email. See above.
    $_SESSION['_user']['token'] = $thisuser->getSessionToken();
    $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
    $_SESSION['daylight'] = $cfg->observeDaylightSaving();

    // Update last login
    $thisuser->update_lastlogin($thisuser->getId());

    // Log login info...
    $msg = sprintf("%s/%s " . _("logged in"), $thisuser->getEmail(), $thisuser->getId());
    Sys::log(LOG_DEBUG, 'Client login', $msg, $thisuser->getEmail());
    // Redirect tickets.php
    // (this fragment ends here; the redirect and the closing of the block are
    // not visible on this page)
} else {
    // Timeout is over.
    // Reset the counter for next round of attempts after the timeout.
    $_SESSION['_client']['laststrike'] = null;
    $_SESSION['_client']['strikes'] = 0;
}
}

// See if we can fetch local ticket id associated with the ID given.
// NOTE(review): the visible condition checks only ticket number and e-mail;
// unlike the tryLogin()/login() variants on this page there is no auth-token
// requirement here -- confirm whether this path is reachable by GET.
if (!$errors && is_numeric($ticketID) && Validator::is_email($email) && ($tid = Ticket::getIdByExtId($ticketID))) {
    // At this point we know the ticket is valid.
    $ticket = new Ticket($tid);
    // TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??

    // Check the email given (case-insensitive).
    if ($ticket->getId() && strcasecmp($ticket->getEMail(), $email) == 0) {
        // valid match...create session goodies for the client.
        // NOTE(review): the ClientSession is built with getId() while the
        // session 'key' stores getExtId(); confirm ClientSession accepts both.
        $user = new ClientSession($email, $ticket->getId());
        $_SESSION['_client'] = array(); // clear.
        $_SESSION['_client']['userID'] = $ticket->getEmail(); // Email
        $_SESSION['_client']['key'] = $ticket->getExtId(); // Ticket ID --acts as password when used with email. See above.
        $_SESSION['_client']['token'] = $user->getSessionToken();
        $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
        $_SESSION['daylight'] = $cfg->observeDaylightSaving();

        // Log login info...
        $msg = sprintf("%s/%s logged in [%s]", $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
        Sys::log(LOG_DEBUG, 'User login', $msg);

        // Redirect tickets.php
        // (this fragment ends here; the redirect itself and the closing braces
        // are not visible on this page)
        session_write_close();
        session_regenerate_id();
    Client Login

    Peter Rotich <*****@*****.**>
    Copyright (c) 2006-2012 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/

// client.inc.php is expected to define INCLUDE_DIR (and set up $ost/$cfg);
// refuse to continue without it rather than include from an unknown base.
require_once 'client.inc.php';
if (!defined('INCLUDE_DIR')) {
    die('Fatal Error');
}
define('CLIENTINC_DIR', INCLUDE_DIR . 'client/');
define('OSTCLIENTINC', TRUE); // make includes happy
require_once INCLUDE_DIR . 'class.client.php';
require_once INCLUDE_DIR . 'class.ticket.php';

// POST: form login with ticket number + e-mail. Any other request (the
// auto-login link) passes ticket, e-mail and auth token from the query
// string; tryLogin() requires the token for GET.
// NOTE(review): the else branch runs on every non-POST hit of this page, so
// the $_GET keys are frequently absent (notices); tryLogin() only redirects
// on success and otherwise falls through to rendering the form below.
if ($_POST) {
    ClientSession::tryLogin($_POST['lticket'], $_POST['lemail']);
} else {
    ClientSession::tryLogin($_GET['t'], $_GET['e'], $_GET['a']);
}

$nav = new UserNav();
$nav->setActiveNav('status');
require CLIENTINC_DIR . 'header.inc.php';
require CLIENTINC_DIR . 'login.inc.php';
require CLIENTINC_DIR . 'footer.inc.php';
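/**
 * Validate a password-reset sign-on carried in $_POST['userid'] and
 * $_POST['token'].
 *
 * Returns false when either POST field is missing or the 'pwreset' Config
 * cannot be created. Otherwise the account is looked up by user-id, the token
 * must map (in that Config) to that very account id and must still be inside
 * the configured reset window, and the account is then flagged for a forced
 * password reset; the matching ClientSession is returned. Any other outcome
 * records a message in $errors['msg'] and returns null.
 *
 * NOTE(review): $errors is received by value, so the messages set here never
 * reach the caller. A by-reference parameter would fix that, but it would
 * break callers that pass a literal array, so the signature is left as is.
 *
 * @param array $errors error messages keyed by field ('msg' is used here)
 * @return ClientSession|false|null
 */
function signOn($errors = array()) {
    global $ost;

    if (!isset($_POST['userid']) || !isset($_POST['token'])) {
        return false;
    } elseif (!($_config = new Config('pwreset'))) {
        return false;
    } elseif (!($acct = ClientAccount::lookupByUsername($_POST['userid']))
            || !$acct->getId()
            || !($client = new ClientSession(new EndUser($acct->getUser())))) {
        $errors['msg'] = __('Invalid user-id given');
    } elseif (!($id = $_config->get($_POST['token'])) || $id != $client->getId()) {
        // The token must exist and be bound to this account. Loose comparison
        // is kept deliberately: the stored id may come back as a string.
        $errors['msg'] = __('Invalid reset token');
    } elseif (!($ts = $_config->lastModified($_POST['token']))
            || $ost->getConfig()->getPwResetWindow() < time() - strtotime($ts)) {
        // FIX: these two conditions were joined with `&&`, so a token that
        // *had* a modification time was never compared against the reset
        // window and expired tokens were accepted. Either a missing timestamp
        // or an elapsed window now rejects the token.
        // (lastModified() is assumed to return something strtotime() parses
        // -- TODO confirm against Config.)
        $errors['msg'] = __('Invalid reset token');
    } elseif (!$acct->forcePasswdReset()) {
        $errors['msg'] = __('Unable to reset password');
    } else {
        return $client;
    }

    return null;
}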
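/**
 * Try to log a client in from a ticket number and e-mail address.
 *
 * POST requests need the ticket number and e-mail only. GET requests (the
 * auto-login link) must additionally carry $auth equal to the ticket's auth
 * token. On success the client session is rebuilt, the request is redirected
 * to tickets.php and the script exits -- the function never returns in that
 * case. On failure the per-session strike counter is bumped, the attempt is
 * logged, and control falls back to the caller, which renders the login form.
 *
 * Limitations visible in this code:
 *  - strikes/laststrike live in $_SESSION['_client'], i.e. the throttle is
 *    per session cookie, not per account or per address (see XXX below);
 *  - $errors is local and never returned, so the messages assembled here are
 *    not shown to the user (the login() variant takes &$errors for that).
 *
 * @param string      $ticketID external ticket number as entered by the user
 * @param string      $email    e-mail address as entered by the user
 * @param string|null $auth     auth token; only consulted for GET requests
 * @return void
 */
function tryLogin($ticketID, $email, $auth = null) {
    global $ost;
    $cfg = $ost->getConfig();
    $errors = array(); // FIX: was read (`!$errors`) before ever being assigned.

    # Only consider auth token for GET requests, and for GET requests,
    # REQUIRE the auth token
    $auto_login = $_SERVER['REQUEST_METHOD'] == 'GET';

    //Check time for last max failed login attempt strike.
    # XXX: SECURITY: Max attempts is enforced client-side via the PHP
    # session cookie.
    if (!empty($_SESSION['_client']['laststrike'])) {
        if (time() - $_SESSION['_client']['laststrike'] < $cfg->getClientLoginTimeout()) {
            $errors['err'] = 'You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>';
        } else {
            //Timeout is over.
            //Reset the counter for next round of attempts after the timeout.
            $_SESSION['_client']['laststrike'] = null;
            $_SESSION['_client']['strikes'] = 0;
        }
    }

    //See if we can fetch local ticket id associated with the ID given
    if (!$errors && is_numeric($ticketID) && Validator::is_email($email)
            && ($ticket = Ticket::lookupByExtId($ticketID))) {
        //At this point we know the ticket is valid.
        //TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??

        # Require auth token for automatic logins.
        # NOTE(review): `===` is a plain string compare; hash_equals() would
        # make it constant-time where the deployed PHP version provides it.
        if (!$auto_login || $auth === $ticket->getAuthToken()) {
            //Check the email given (case-insensitive).
            if ($ticket->getId() && strcasecmp($ticket->getEmail(), $email) == 0) {
                //valid match...create session goodies for the client.
                // NOTE(review): login() builds the ClientSession with getExtId(),
                // which is also what is stored under 'key' below; this variant
                // passes getId() -- confirm which one ClientSession expects.
                $user = new ClientSession($email, $ticket->getId());
                $_SESSION['_client'] = array(); //clear.
                $_SESSION['_client']['userID'] = $ticket->getEmail(); //Email
                $_SESSION['_client']['key'] = $ticket->getExtId(); //Ticket ID --acts as password when used with email. See above.
                $_SESSION['_client']['token'] = $user->getSessionToken();
                $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
                $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();

                //Log login info...
                $msg = sprintf("%s/%s logged in [%s]", $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
                $ost->logDebug('User login', $msg);

                //Redirect tickets.php
                // NOTE(review): the id is regenerated after session_write_close();
                // login() regenerates first and destroys the old id -- confirm
                // the new id is actually persisted on this path.
                session_write_close();
                session_regenerate_id();
                @header("Location: tickets.php?id=" . $ticket->getExtId());
                require_once 'tickets.php'; //Just incase. of header already sent error.
                exit;
            }
        }
    }

    //If we get to this point we know the login failed.
    // FIX: the first failure in a fresh session used to `+= 1` an undefined index.
    $_SESSION['_client']['strikes'] = (isset($_SESSION['_client']['strikes'])
        ? $_SESSION['_client']['strikes'] : 0) + 1;
    if (!$errors && $_SESSION['_client']['strikes'] > $cfg->getClientMaxLogins()) {
        $errors['err'] = 'Forgot your login info? Please <a href="open.php">open a new ticket</a>.';
        $_SESSION['_client']['laststrike'] = time();
        // FIX: report the values this function was given; $_POST['lemail'] and
        // $_POST['lticket'] are absent on GET (auto-login) requests.
        $alert = 'Excessive login attempts by a client?' . "\n"
            . 'Email: ' . $email . "\n"
            . 'Ticket#: ' . $ticketID . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'Time:' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_client']['strikes'];
        $ost->logError('Excessive login attempts (client)', $alert, $cfg->alertONLoginError());
    } elseif ($_SESSION['_client']['strikes'] % 2 == 0) {
        //Log every other failed login attempt as a warning.
        $alert = 'Email: ' . $email . "\n"
            . 'Ticket #: ' . $ticketID . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_client']['strikes'];
        $ost->logWarning('Failed login attempt (client)', $alert);
    }
}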
// Forced upgrade? Version mismatch.
// Compares the stored config version with THIS_VERSION minus its last dotted
// component (so only the leading components must agree). The `exit` after
// die() is unreachable; die() already terminates the request.
// NOTE(review): if THIS_VERSION contains no '.', strripos() returns false and
// the substr() length collapses -- presumably never the case, but unguarded.
if (defined('THIS_VERSION') && strcasecmp($cfg->getVersion(), substr(THIS_VERSION, 0, strripos(THIS_VERSION, '.')))) {
    die(_('System is offline for an upgrade.'));
    exit;
}

// include what is needed on user stuff
require_once INCLUDE_DIR . 'class.ticket.php';

// clear some vars
$errors = array();
$msg = '';
$thisuser = null;

// Has got the user a session? Then make sure the user is valid...before doing anything else.
// Depending on getUserLogRequired() the stored ('userID', 'key') pair is
// re-validated either as a UserSession or as a ClientSession; in the latter
// case a deactivated client is logged out and the session torn down.
// NOTE(review): both indexes are read without isset() (notices on a fresh
// session). After session_destroy() $thisuser still holds the object; the
// refresh below is skipped only if isValid() rejects it -- confirm.
if ($_SESSION['_user']['userID'] && $_SESSION['_user']['key']) {
    if (!$cfg->getUserLogRequired()) {
        $thisuser = new UserSession($_SESSION['_user']['userID'], $_SESSION['_user']['key']);
    } else {
        $thisuser = new ClientSession($_SESSION['_user']['userID'], $_SESSION['_user']['key']);
        // Block blocked client
        if (!$thisuser->isactive()) {
            $errors['err'] = _('Access Disabled. Contact Admin');
            $_SESSION['_user'] = array();
            session_unset();
            session_destroy();
        }
    }
}

// Is the user logged in? Only a session the class itself reports valid is refreshed.
if ($thisuser && $thisuser->getId() && $thisuser->isValid()) {
    $thisuser->refreshSession();
}
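/**
 * Authenticate a client by ticket number and e-mail address and, for GET
 * requests (auto-login links), additionally by the ticket's auth token.
 *
 * On success $_SESSION['_client'] is rebuilt, the session id is regenerated
 * (the previous id is destroyed through $ost->getSession() when one is
 * available) and the new ClientSession is returned. On any failure false is
 * returned and $errors is filled: 'login' is always set, and 'err' carries an
 * extra user-facing message while the session is inside its lockout window or
 * has just exceeded the strike limit.
 *
 * Throttling state (strikes, laststrike) is kept in the visitor's own session,
 * so it limits attempts per session cookie rather than per account or address.
 *
 * @param string      $ticketID external ticket number (trimmed here)
 * @param string      $email    e-mail address (trimmed here)
 * @param string|null $auth     auth token, required only for GET requests
 * @param array       $errors   filled by reference on failure
 * @return ClientSession|false
 */
function login($ticketID, $email, $auth = null, &$errors = array()) {
    global $ost;
    $cfg = $ost->getConfig();
    $auth = trim($auth);
    $email = trim($email);
    $ticketID = trim($ticketID);

    # Only consider auth token for GET requests, and for GET requests,
    # REQUIRE the auth token
    $auto_login = $_SERVER['REQUEST_METHOD'] == 'GET';

    //Check time for last max failed login attempt strike.
    if (!empty($_SESSION['_client']['laststrike'])) {
        if (time() - $_SESSION['_client']['laststrike'] < $cfg->getClientLoginTimeout()) {
            $errors['login'] = '******';
            $errors['err'] = 'You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>';
            $_SESSION['_client']['laststrike'] = time(); //renew the strike.
        } else {
            //Timeout is over.
            //Reset the counter for next round of attempts after the timeout.
            $_SESSION['_client']['laststrike'] = null;
            $_SESSION['_client']['strikes'] = 0;
        }
    }

    if ($auto_login && !$auth) {
        $errors['login'] = '******';
    } elseif (!$ticketID || !Validator::is_email($email)) {
        $errors['login'] = '******';
    }

    //Bail out on error.
    if ($errors) {
        return false;
    }

    //See if we can fetch local ticket id associated with the ID given
    if (($ticket = Ticket::lookupByExtId($ticketID, $email)) && $ticket->getId()) {
        //At this point we know the ticket ID is valid.
        //TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??

        //Check the email given (case-insensitive).
        # Require auth token for automatic logins (GET METHOD).
        # NOTE(review): `===` is a plain string compare; hash_equals() would
        # make it constant-time where the deployed PHP version provides it.
        if (!strcasecmp($ticket->getEmail(), $email)
                && (!$auto_login || $auth === $ticket->getAuthToken())) {
            //valid match...create session goodies for the client.
            $user = new ClientSession($email, $ticket->getExtId());
            $_SESSION['_client'] = array(); //clear.
            $_SESSION['_client']['userID'] = $ticket->getEmail(); //Email
            $_SESSION['_client']['key'] = $ticket->getExtId(); //Ticket ID --acts as password when used with email. See above.
            $_SESSION['_client']['token'] = $user->getSessionToken();
            $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
            $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();
            $user->refreshSession(); //set the hash.

            //Log login info...
            $msg = sprintf('%s/%s logged in [%s]', $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
            $ost->logDebug('User login', $msg);

            //Regenerate session ID; the old id is destroyed through the session
            //backend when one is available.
            $sid = session_id(); //Current session id.
            session_regenerate_id(TRUE); //get new ID.
            if (($session = $ost->getSession()) && is_object($session) && $sid != session_id()) {
                $session->destroy($sid);
            }

            return $user;
        }
    }

    //If we get to this point we know the login failed.
    $errors['login'] = '******';
    // FIX: the first failure in a fresh session used to `+= 1` an undefined index.
    $_SESSION['_client']['strikes'] = (isset($_SESSION['_client']['strikes'])
        ? $_SESSION['_client']['strikes'] : 0) + 1;
    // FIX: this branch was guarded by `!$errors &&`, but $errors['login'] has
    // just been set unconditionally, so the lockout (and laststrike) could
    // never trigger. $errors was verified empty at the bail-out above, so the
    // strike count alone decides here.
    if ($_SESSION['_client']['strikes'] > $cfg->getClientMaxLogins()) {
        $errors['login'] = '******';
        $errors['err'] = 'Forgot your login info? Please <a href="open.php">open a new ticket</a>.';
        $_SESSION['_client']['laststrike'] = time();
        $alert = 'Excessive login attempts by a user.' . "\n"
            . 'Email: ' . $email . "\n"
            . 'Ticket#: ' . $ticketID . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'Time:' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_client']['strikes'];
        $ost->logError('Excessive login attempts (user)', $alert, $cfg->alertONLoginError());
    } elseif ($_SESSION['_client']['strikes'] % 2 == 0) {
        //Log every other failed login attempt as a warning.
        $alert = 'Email: ' . $email . "\n"
            . 'Ticket #: ' . $ticketID . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_client']['strikes'];
        $ost->logWarning('Failed login attempt (user)', $alert);
    }

    return false;
}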