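/**
 * Generate a fresh salt, hash method and iteration count from the AUTH_* configuration.
 *
 * Used both for brand-new passwords and for the "unknown user" path of a RECREATE,
 * where realistic-looking parameters are needed so the hashing work still takes place.
 *
 * @return array [$salt, $method, $iteration] as produced by generate_token(),
 *               cobalt_password_set_method() and the AUTH_* constants.
 */
function cobalt_password_generate_params()
{
    $salt = generate_token();
    $method = cobalt_password_set_method();
    if ($method === 'blowfish') {
        // bcrypt takes a single cost factor rather than a min/max round range.
        $iteration = AUTH_BLOWFISH_COST_FACTOR;
    } else {
        $min = constant('AUTH_' . strtoupper($method) . '_MIN_ROUNDS');
        $max = constant('AUTH_' . strtoupper($method) . '_MAX_ROUNDS');
        if ($max < $min) {
            // A misconfigured range must not make mt_rand() fail; collapse it to $min.
            $max = $min;
        }
        // The round count is stored next to the digest, so it does not need to be
        // unpredictable; mt_rand() is kept for compatibility with existing rows.
        $iteration = mt_rand($min, $max);
    }
    return array($salt, $method, $iteration);
}

/**
 * Produce the password digest using Cobalt's configured hashing scheme.
 *
 * @param string     $mode      'NEW' generates fresh salt/method/iteration values;
 *                              'RECREATE' re-derives them from the stored `user` row so the
 *                              resulting digest can be compared with the stored one.
 * @param string     $password  Plaintext password to hash.
 * @param string     $username  Account whose stored parameters are looked up in 'RECREATE' mode.
 * @param string     $salt      Out (by reference): the salt that was used.
 * @param int|string $iteration Out (by reference): the round count / cost factor that was used.
 * @param string     $method    Out (by reference): the hash method name that was used.
 *
 * @return string|null The digest; null only if error_handler() returns instead of terminating.
 */
function cobalt_password_hash($mode, $password, $username, &$salt = '', &$iteration = '', &$method = '')
{
    require_once 'subclasses/system_settings.php';
    // NOTE(review): $obj_settings is never read in this function; it is kept only in case
    // the system_settings constructor has side effects — confirm and drop if it has none.
    $obj_settings = new system_settings();
    $digest = null;
    if ($mode === 'RECREATE') {
        $dbh = new data_abstraction();
        $mysqli = $dbh->connect_db()->mysqli;
        // data_abstraction takes a raw WHERE string, so the username is escaped before
        // interpolation; a parameterised query would be preferable if the API supports it.
        $clean_username = $mysqli->real_escape_string($username);
        $dbh->set_table('user');
        $dbh->set_fields('`salt`,`iteration`,`method`');
        $dbh->set_where("`username`='{$clean_username}'");
        $dbh->exec_fetch('single');
        if ((int) $dbh->num_rows === 1) {
            // Assign the three expected columns explicitly instead of extract()-ing the row,
            // so a result set can never clobber $password, $mode or $username.
            $row = $dbh->dump;
            $salt = $row['salt'];
            $iteration = $row['iteration'];
            $method = $row['method'];
        } else {
            // No such user: use fake parameters so the hashing still runs and the response
            // time does not reveal whether the account exists. Nothing is echoed here —
            // the old debug output leaked the fake salt/method/rounds into the page.
            list($salt, $method, $iteration) = cobalt_password_generate_params();
        }
        $dbh->close_db();
    } elseif ($mode === 'NEW') {
        list($salt, $method, $iteration) = cobalt_password_generate_params();
    } else {
        error_handler("Cobalt encountered an error during password processing.", "Cobalt Password Hash Error: Invalid mode specified.");
    }
    if ($method === 'blowfish') {
        $digest = cobalt_password_hash_bcrypt($password, $salt, $iteration);
    } elseif (in_array($method, cobalt_password_methods(), true)) {
        $digest = cobalt_password_hash_process($password, $salt, $iteration, $method);
    } else {
        error_handler("Cobalt encountered an error during password processing.", "Cobalt Password Hash Error: Invalid hash method specified.");
    }
    // Reached only if error_handler() does not terminate the request; $digest is then null.
    return $digest;
}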
        $error_message = 'You have been logged out because your IP address has changed. Please log in again.';
    }
}
if (xsrf_guard()) {
    init_var($_POST['btnSubmit']);
    if ($_POST['btnSubmit']) {
        require 'password_crypto.php';
        $error_message = '';
        extract($_POST);
        //Deal with passwords longer than MAX_PASSWORD_LENGTH (possible DoS vulnerability)
        if (strlen($password) > MAX_PASSWORD_LENGTH) {
            //Reset password to an arbitrarily small string, thwarting any DoS attempt
            $password = '******';
        }
        $data_con = new data_abstraction();
        $mysqli = $data_con->connect_db()->mysqli;
        $clean_username = $mysqli->real_escape_string($username);
        $clean_password = cobalt_password_hash('RECREATE', $password, $username);
        //FIXME: remember to update this ancient code to use prepared statement
        $mysqli->real_query("SELECT `username`, `skin_id`, `first_name`, `middle_name`, `last_name` FROM `user`, `person` WHERE `username`='{$clean_username}' AND `password`='{$clean_password}' AND `user`.`person_id` = `person`.`person_id`");
        if ($result = $mysqli->use_result()) {
            if ($data = $result->fetch_assoc()) {
                $result->close();
                extract($data);
                $_SESSION['logged'] = 'Logged';
                $_SESSION['user'] = $username;
                $_SESSION['first_name'] = $first_name;
                $_SESSION['middle_name'] = $middle_name;
                $_SESSION['last_name'] = $last_name;
                $_SESSION['ip_address'] = get_ip();
                $data_con = new data_abstraction();
?>
    
    </SELECT> <input type=submit name="passportButton" value="GO" class=button1>
    </td>
</tr>
</TABLE>

<table class="input_form" width="800">
<tr><td><br><hr></td></tr>
</table>

<?php 
if ($SHOW_MODULES) {
    if ($passportGroup != 'All Groups') {
        $data_con = new data_abstraction();
        $data_con->connect_db();
        $data_con->set_fields('passport_group AS `Group_Title`');
        $data_con->set_table('user_passport_groups');
        $data_con->set_where("passport_group_id = '" . quote_smart($passportGroup) . "'");
        $result = $data_con->make_query()->result;
        $data_con->close_db();
        $info = $result->fetch_assoc();
        extract($info);
    } else {
        $Group_Title = "All Groups";
    }
    ?>
    <br><br>
    <table width="800" class="listView" align="center">
    <tr class="listRowHead"><td colspan=2> <?php 
    echo "{$Group_Title} passport for {$Name}";
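/**
 * Bootstrap a Cobalt page: performance timer, global config, timezone, session hardening,
 * default database link, optional login/passport enforcement, input normalisation and
 * module-access logging.
 *
 * @param string|null $required_passport Passport the visitor must hold. 'ALLOW_ALL' only
 *                                       requires a logged-in session; null (or '') skips
 *                                       the login and passport checks entirely.
 * @param bool        $log               Record a 'Module Access' entry (only when the
 *                                       LOG_MODULE_ACCESS setting is also enabled).
 *
 * @return void
 */
function init_cobalt($required_passport = null, $log = TRUE)
{
    //Start the performance timer
    $start = microtime(TRUE);
    if (!defined('PROCESS_START_TIME')) {
        // define() on an already-defined constant raises a warning if init_cobalt() runs twice.
        define('PROCESS_START_TIME', $start);
    }
    //Load the global config file and any other class or library files you want to be autoloaded at every page.
    require 'global_config.php';
    require 'data_abstraction_class.php';
    require 'html_class.php';
    if (DEBUG_MODE) {
        require_once 'core_debug.php';
    }
    //Set timezone as specified in global_config
    date_default_timezone_set(TIMEZONE_SETTING);
    //Start session. Prevent simple session fixation attacks by regenerating session ID when it is first set.
    session_name(GLOBAL_SESSION_NAME);
    session_start();
    if (!isset($_SESSION['initiated'])) {
        //To mitigate session prediction attacks, ensure entropy length is at least 16 bytes (128 bits)
        //and the hash function is SHA256 if supported, else SHA1.
        //NOTE: session.entropy_length / session.hash_function were removed in PHP 7.1; there
        //ini_set() simply returns false and the engine's own CSPRNG-based ID generation applies.
        $sess_entropy_length = ini_get('session.entropy_length');
        if ($sess_entropy_length < 16) {
            ini_set('session.entropy_length', 16);
        }
        if (in_array('sha256', hash_algos(), true)) {
            ini_set('session.hash_function', 'sha256');
        } else {
            ini_set('session.hash_function', 1);
        }
        session_regenerate_id(TRUE);
        $_SESSION['initiated'] = TRUE;
    }
    //Default database link - for use with quote_smart()
    //and any other functions that rely on MySQL functions
    //which rely on a valid database link being opened at one point.
    global $default_db_link;
    $dbh = new data_abstraction();
    $default_db_link = $dbh->connect_db()->mysqli;
    // null and '' mean "no passport required" (as the old loose `!= null` did); any other
    // value, including falsy ones, now goes through the login and passport checks.
    if ($required_passport !== null && $required_passport !== '') {
        //Check if logged; if not, redirect to login page defined by global_config.php.
        if (!isset($_SESSION['logged']) || $_SESSION['logged'] !== 'Logged') {
            redirect(LOGIN_PAGE);
        } elseif (!isset($_SESSION['ip_address']) || $_SESSION['ip_address'] !== get_ip()) {
            // A logged session without a recorded IP is treated as an IP change.
            if (IP_CHANGE_DETECTION) {
                //If IP changes, log user out to prevent potential session hijacks.
                $previous_ip = isset($_SESSION['ip_address']) ? $_SESSION['ip_address'] : '';
                log_action('Logged out due to IP address change, from ' . $previous_ip . ' to ' . get_ip());
                $_SESSION = array();
                if (isset($_COOKIE[session_name()])) {
                    // Expire the session cookie client-side as well as destroying the server state.
                    setcookie(session_name(), "", time() - 86400);
                }
                session_destroy();
                redirect(LOGIN_PAGE . '?reason=ipchange');
            }
        }
        if ($required_passport !== 'ALLOW_ALL') {
            check_passport($required_passport);
        }
    }
    //If magic_quotes_gpc is enabled in the server, we have to "clean" the POST data so
    //we always make use of 'virgin' input. This way, all other methods can rely on the fact
    //that all input data will be unescaped when they receive it.
    //OPTIMIZATION TIP: If you can set magic quotes off in php.ini, do so. This will save processing time.
    //get_magic_quotes_gpc() no longer exists on PHP 8, so guard the call to avoid a fatal error.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        reverse_magic_quotes($_POST);
    }
    mb_internal_encoding(MULTI_BYTE_ENCODING);
    //Initialize these two variables, they're practically in every page
    global $message;
    global $message_type;
    $message = '';
    $message_type = '';
    if ($log && LOG_MODULE_ACCESS) {
        // Form submissions carry a form_key and are logged by their own handlers, not here.
        if (empty($_POST['form_key'])) {
            log_action('Module Access');
        }
    }
}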