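// Forced upgrade? Refuse to serve pages while the configured version and the
// code version disagree (compared on the part of THIS_VERSION before its last '.').
if (defined('THIS_VERSION')
    && strcasecmp($cfg->getVersion(), substr(THIS_VERSION, 0, strripos(THIS_VERSION, '.')))) {
    die(_('System is offline for an upgrade.'));
}

// Include what is needed on user stuff.
require_once INCLUDE_DIR . 'class.ticket.php';

// Clear some vars shared with the including page.
$errors   = array();
$msg      = '';
$thisuser = null;

// Has the user got a session? Then make sure the user is valid before doing
// anything else. !empty() keeps the original truthiness test but avoids
// undefined-index notices on a fresh session.
if (!empty($_SESSION['_user']['userID']) && !empty($_SESSION['_user']['key'])) {
    if (!$cfg->getUserLogRequired()) {
        $thisuser = new UserSession($_SESSION['_user']['userID'], $_SESSION['_user']['key']);
    } else {
        $thisuser = new ClientSession($_SESSION['_user']['userID'], $_SESSION['_user']['key']);
        // Block blocked client: tear the session down AND drop the session
        // object, so the logged-in check below cannot treat the blocked
        // client as signed in for the remainder of this request.
        if (!$thisuser->isactive()) {
            $errors['err'] = _('Access Disabled. Contact Admin');
            $_SESSION['_user'] = array();
            session_unset();
            session_destroy();
            $thisuser = null;
        }
    }
}

// Is the user logged in? Then extend the session.
if ($thisuser && $thisuser->getId() && $thisuser->isValid()) {
    $thisuser->refreshSession();
}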
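} // closes a scope opened before this fragment (not visible here)

/* Some more include defines specific to client only. */
define('CLIENTINC_DIR', INCLUDE_DIR . 'client/');
define('OSTCLIENTINC', true);

// Check the status of the HelpDesk; serve the offline page if it is not usable.
if (!is_object($cfg) || !$cfg->getId() || $cfg->isHelpDeskOffline()) {
    include './offline.php';
    exit;
}

// Forced upgrade? Version mismatch between the configured and the code version.
if (defined('THIS_VERSION') && strcasecmp($cfg->getVersion(), THIS_VERSION)) {
    die('System is offline for an upgrade.');
}

/* Include what is needed on client stuff. */
require_once INCLUDE_DIR . 'class.client.php';
require_once INCLUDE_DIR . 'class.ticket.php';
require_once INCLUDE_DIR . 'class.dept.php';

// Clear some vars shared with the including page.
$errors     = array();
$msg        = '';
$thisclient = null;

// Make sure the client is valid before doing anything else. !empty() keeps
// the original truthiness test but avoids undefined-index notices on a
// fresh session.
if (!empty($_SESSION['_client']['userID']) && !empty($_SESSION['_client']['key'])) {
    $thisclient = new ClientSession($_SESSION['_client']['userID'], $_SESSION['_client']['key']);
}

// Is the client logged in? Then extend the session.
if ($thisclient && $thisclient->getId() && $thisclient->isValid()) {
    $thisclient->refreshSession();
}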
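/**
 * Client login by ticket number + e-mail address (plus the ticket auth token
 * on GET requests).
 *
 * On success the client session is (re)built, the session id is regenerated
 * and a ClientSession is returned. On failure false is returned and
 * $errors['login'] (and possibly $errors['err']) is populated. Failed attempts
 * are counted in $_SESSION['_client']['strikes']; once they exceed
 * $cfg->getClientMaxLogins() a strike is recorded and further attempts are
 * refused until $cfg->getClientLoginTimeout() seconds have elapsed.
 *
 * @param string      $ticketID external ticket number as typed by the client
 * @param string      $email    e-mail address as typed by the client
 * @param string|null $auth     ticket auth token (required for GET requests)
 * @param array       $errors   user-facing error messages, filled by reference
 * @return ClientSession|false
 */
function login($ticketID, $email, $auth = null, &$errors = array()) {
    global $ost;
    $cfg = $ost->getConfig();

    $auth     = trim((string) $auth);
    $email    = trim($email);
    $ticketID = trim($ticketID);

    // Only consider the auth token for GET requests, and for GET requests
    // REQUIRE it.
    $auto_login = ($_SERVER['REQUEST_METHOD'] === 'GET');

    // isset() guards keep a fresh session free of undefined-index notices.
    $strikes    = isset($_SESSION['_client']['strikes']) ? (int) $_SESSION['_client']['strikes'] : 0;
    $laststrike = isset($_SESSION['_client']['laststrike']) ? $_SESSION['_client']['laststrike'] : null;

    // Check the time since the last max-failed-login strike.
    if ($laststrike) {
        if (time() - $laststrike < $cfg->getClientLoginTimeout()) {
            $errors['login'] = '******';
            $errors['err'] = 'You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>';
            $_SESSION['_client']['laststrike'] = time(); // renew the strike.
        } else {
            // Timeout is over: reset the counter for the next round of attempts.
            $_SESSION['_client']['laststrike'] = null;
            $_SESSION['_client']['strikes'] = 0;
            $strikes = 0;
        }
    }

    if ($auto_login && !$auth) {
        $errors['login'] = '******';
    } elseif (!$ticketID || !Validator::is_email($email)) {
        $errors['login'] = '******';
    }

    // Bail out on error (throttled, missing token, or malformed input).
    if ($errors) {
        return false;
    }

    // See if we can fetch the local ticket associated with the number given.
    if (($ticket = Ticket::lookupByExtId($ticketID, $email)) && $ticket->getId()) {
        // At this point the ticket number is valid; the e-mail must match and,
        // for automatic (GET) logins, the auth token must match as well.
        // TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??
        $token = $ticket->getAuthToken();
        // hash_equals() compares the secret in constant time; a non-string
        // token never matches, as with the original strict comparison.
        $tokenOk = !$auto_login || (is_string($token) && hash_equals($token, $auth));

        if (!strcasecmp($ticket->getEmail(), $email) && $tokenOk) {
            // Valid match: create session goodies for the client.
            $user = new ClientSession($email, $ticket->getExtId());
            $_SESSION['_client'] = array(); // clear.
            $_SESSION['_client']['userID'] = $ticket->getEmail(); // Email
            $_SESSION['_client']['key'] = $ticket->getExtId(); // Ticket ID -- acts as password when used with email.
            $_SESSION['_client']['token'] = $user->getSessionToken();
            $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
            $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();
            $user->refreshSession(); // set the hash.

            // Log login info...
            $msg = sprintf('%s/%s logged in [%s]', $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
            $ost->logDebug('User login', $msg);

            // Regenerate the session ID so the pre-login id is not carried
            // over into the authenticated session; drop the old record.
            $sid = session_id(); // Current session id.
            session_regenerate_id(true); // get new ID.
            if (($session = $ost->getSession()) && is_object($session) && $sid != session_id()) {
                $session->destroy($sid);
            }

            return $user;
        }
    }

    // If we get to this point we know the login failed.
    $errors['login'] = '******';
    $strikes += 1;
    $_SESSION['_client']['strikes'] = $strikes;

    // The lockout decision is based on the strike count alone. It used to be
    // guarded by "!$errors", which is always false here because the login
    // error has just been set, so the max-logins strike could never fire.
    if ($strikes > $cfg->getClientMaxLogins()) {
        $errors['login'] = '******';
        $errors['err'] = 'Forgot your login info? Please <a href="open.php">open a new ticket</a>.';
        $_SESSION['_client']['laststrike'] = time();
        $alert = 'Excessive login attempts by a user.' . "\n"
            . 'Email: ' . $email . "\n"
            . 'Ticket#: ' . $ticketID . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'Time:' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $strikes;
        $ost->logError('Excessive login attempts (user)', $alert, $cfg->alertONLoginError());
    } elseif ($strikes % 2 == 0) {
        // Log every other failed login attempt as a warning.
        $alert = 'Email: ' . $email . "\n"
            . 'Ticket #: ' . $ticketID . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $strikes;
        $ost->logWarning('Failed login attempt (user)', $alert);
    }

    return false;
}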