Windows News 2010 Summer

home *** CD-ROM | disk | FTP | other *** search

/ Windows News 2010 Summer - Disc 1 / WN_Ete2010_CD1.iso / Onglet5 / Weezo / Weezo setup.exe / {code_appDir} / www / login.php < prev next >

Wrap

PHP Script | 2010-05-19 | 53KB | 1,321 lines

<?php /** * LOGIN * * login controls : verify password, log user * DOESN'T DISPLAY LOGIN FORM: * theme login form is included by login.php * * * List of parameters sent to loginForm.php script * - $_ENV['users'][] : arrays of user accounts to be displayed (array key is user id) * user data : * ['authenticationMethod'] : user authentication method : 'noAuthentication' or 'password' * ['name'] (optional) : user name. Set to false if both name and user Id must be entered * ['icon'] : user icon file basename (add /gfx/icons/ to have full path) * ['hint'] (optional) : password hint, to be displayed * - $userToDisplay () optional : id of selected user (set if an user name has been passed in get args or if a wrong password has been typed), * (set to 0 (zero) if login+password) input must be selected) * - $userAndPasswordMethod : true if login+password form has been used * - $wrongPasswordSent : true if a wrong password has been entered * - $wrongUserSent : true if a non-existing user name has been entered * - $hiddenUsers : true if at least one hidden user account exists => user name+password form must be displayed * * * PHP version 5 * * LICENSE: This source file is subject to version 3.0 of the PHP license * that is available through the world-wide-web at the following URI: * http://www.php.net/license/3_0.txt. If you did not receive a copy of * the PHP License and are unable to obtain it through the web, please * send a note to license@php.net so we can mail you a copy immediately. * * @category NA * @package NA * @author Nicolas Bruley / Peer 2 World <contact@weezo.net> * @copyright 2005-2009 Nicolas Bruley / Peer 2 World * @license http://www.php.net/license/3_0.txt PHP License 3.0 * @version CVS: $Id:$ * @link http://www.weezo.net * @since File available since Release 1.0.0 */ require_once(INCLUDE_DIR.'initFunctions.php'); require_once(INCLUDE_DIR.'outputFunctions.php'); define('CONNECTION_ATTEMPTS_CLEANUP_TIME', 10); // connectionAttempts.txt entries cleanup time (in days) define('LOGIN_TOKEN_LIFETIME', 60); // Login token lifetime, in seconds define('LOGIN_TOKEN_CHECK_IP', false); // Set to true to check client connects with same IP that the IP used for connection to central authentication server (disabled) $nbWrongPasswordTyped=0; // Global var, number of wrong password typed by an IP adress in passwordCheckBanPeriod time interval $userToDisplaySeqNumber=0; // Sequential user number on login page /** * @desc function called on successful user login: load parameters and display left panel and 1st resource * if $userConfigFileName is provided, load user from filename * @param string $userId: user id * @param string $userConfigFileName (optional): user configuration file * @return void */ function userLoad($userId,$userConfigFileName=false){ if(!$userId && !$userConfigFileName) die('User ID not found'); // Temp store session data as $_SESSION will be erased by wSession_start, and some usefull data may already have been stored into (cfGSetVar) if(@$_SESSION) $tmp=$_SESSION; // Destroy previous session if existing (might have been started by /index.php) if(isset($_ENV['wSession'])) { wSession_write_close(); unset($_ENV['wSession']); } if(isset($_COOKIE['WSESSID'])) unset($_COOKIE['WSESSID']); // Start session wSession_start(); if(isset($tmp)) $_SESSION=$tmp; // Get configuration (to ensure user exists and retreive actual id) $uc=new WUserConfig(($userId)?$userId:$userConfigFileName); if(!$uc->isValid()) die('User ID not found'); // Set logged user id // If user id not passed, find user from filename $_SESSION['user']=$uc->getData(); $userId=$_SESSION['userId']=$_SESSION['user']['id']=$uc->id(); /** * Last security check: check referer (XSRF protection) */ $headers=getallheaders(); if(cfIPFilterIsset($_SESSION['user']) && isset($headers['Referer'])) { $refererURL=parse_url($headers['Referer']); if(isset($refererURL['host'])){ // Allow redirection from "DNS" server if('http://'.$refererURL['host']!=DNS_SITE){ // Else, get IP from host name if($refererURL['host']=='localhost') $refererURL['host']='127.0.0.1'; if(!cfIsIP($refererURL['host'])) $refererURL['host']=gethostbyname($refererURL['host']); // If referer IP could not be retreived from referer hostname or referer IP is not allowed to connect this account, abort if(!cfIsIP($refererURL['host']) || !cfIPFilterCheck($_SESSION['user'],$refererURL['host'])){ wSession_destroy(); die('unauthorized redirection'); } } } } // Mobile login if(@$_POST['mobile']) cfGSetVar('forceMobile',1); // Server port (override general.ini value as alternatePort may have been used) if(@$_SERVER['SERVER_PORT']){ cfGSetVar('serverPort',$_SERVER['SERVER_PORT']); cfGSetVar('protocol',($_SERVER['SERVER_PORT']==443)?'https':'http'); } // Standalone resource: integrate publishToken if($userId==='standalone') { $_SESSION['user']['publishToken']=$_GET['publishToken']; // Also set in a cookie so if (weezo) session ends, user automatically re-logs setcookie('weezoPublishToken',$_GET['publishToken'],(time()+3600)); } // Load user resource info $nbResourcesLoaded=ifLoadUserResources(); $_SESSION['accountIP'] = $_SERVER['REMOTE_ADDR']; $_SESSION['activeResourceId']=0; // If user has requested a specific theme, replace user theme if(isset($_POST['userSelectedTheme']) && $_POST['userSelectedTheme']!='' && cfGGetVar('allowUserThemeChange')) cfUSetVar('theme',cfUTF8Decode($_POST['userSelectedTheme'])); // Get user screen size if (isset($_POST['userScreenWidth'])) cfGSetVar('userScreenWidth',$_POST['userScreenWidth']); if (isset($_POST['userScreenHeight'])) cfGSetVar('userScreenHeight',$_POST['userScreenHeight']); // If a resource is requested as 1st page startup if(isset($_GET['res'])){ foreach (cfResourcesGetUser() as $k=>$v) if(isset($v['name']) && $v['name']==urldecode($_GET['res'])){ cfGSetVar('resourceDisplayAtStartup',$k); break; } } // If browser has a dedicated theme, apply it and forbid further changes if(cfBGetVar('theme')) {cfGSetVar('theme',cfBGetVar('theme'));cfGSetVar('allowUserThemeChange',false);} // else if mobile device, use mobile theme elseif (cfIsMobile()) {cfGSetVar('theme','mobile');cfGSetVar('allowUserThemeChange',false);} if(!cfBGetVar('frames')) cfGSetVar('noPopup',true); // Get server (this) host name if (isset($_POST['serverExternalHost'])) cfGSetVar('hostName',((isset($_SERVER['HTTPS']))?'https':'http').'://'.$_POST['serverExternalHost']); // Get visitor's host name if(cfGGetVar('getVisitorHostName')){if($host=@gethostbyaddr($_SERVER['REMOTE_ADDR'])==$_SERVER['REMOTE_ADDR']) $host='';} else $host=''; cfUSetVar('host',$host); // If single user account type, verify that this user is not already logged $nbConnected=0; $maxConnected=cfUGetVar('maxSimultaneousUsers'); if(cfUGetVar('accountType')=='singleUser') $maxConnected=1; if($maxConnected){ $sessionFiles=glob(cfAppDataDir().'/sessiondata/sess_*'); // Browse sessions foreach ($sessionFiles as $filename) if(substr($filename,5)!=wSession_id()){ if(cfGGetVar('sessionHandler')=='memory') $sessData=cfUnserializeSession(@cfMGetVar('weezoS'.substr(basename($filename),1),true)); else $sessData=cfUnserializeSession(file_get_contents($filename)); if(isset($sessData['user']['id']) && $sessData['user']['id']==cfUGetVar('id')) { $nbConnected++; // If single user and loginDisconnectPreviousUser, destroy previous connection if(cfUGetVar('accountType')=='singleUser' && cfGGetVar('loginDisconnectPreviousOnConflict')){ if(cfGGetVar('sessionHandler')=='memory') @cfMUnsetVar('weezoS'.substr(basename($filename),1)); else @unlink($filename); break; } // If more than max connected users, abort if($nbConnected>=$maxConnected){ cfAsyncHeader(); if($maxConnected==1) echo cfAsyncXMLJSaction('alert("'.cfCaption('loginAlreadyConnected',cfUTF8Encode(cfUGetVar('name'))).'")'); else echo cfAsyncXMLJSaction('alert("'.cfCaptionJS('loginMaxUsersReached').'")'); echo cfAsyncXMLJSaction('W.location.reload()'); echo cfAsyncFooter(); wSession_destroy(); exit; } } } } // Set user language // First use preference's language from single users if(cfUGetVar('accountType')=='singleUser' && cfMIssetVar('weezoLng'.cfUGetVar('language'))) cfGSetVar('language',cfUGetVar('language')); // Check if user name/pseudo must be requested if(cfUGetVar('accountType')=='named'){ // If pseudo passed as POST var if(isset($_POST['userPseudo']) && $_POST['userPseudo']){ cfUSetVar('pseudo',cfUTF8Decode($_POST['userPseudo'])); } // If pseudo passed as GET var elseif(isset($_GET['userPseudo']) && $_GET['userPseudo']){ cfUSetVar('pseudo',cfUTF8Decode($_GET['userPseudo'])); } else{ cfGSetVar('requestUserPseudo',true); // Redirect to login page if(cfIsAsync()){ echo cfAsyncHeader(); echo cfAsyncXMLJSaction('maskHide()'); echo cfAsyncXMLJSaction('loginPseudoGet("'.addslashes(cfUTF8Encode(cfUGetVar('name'))).'")'); echo cfAsyncFooter(); } else { ?> <body onload="document.connectForm.submit()"> <form name="connectForm" action="/index.php" method="GET" enctype="multipart/form-data" style="display:none"></form> </body> <?php } exit; } } // Set user as logged $_SESSION['userLogged']=true; // send info to application and display main page loginFinish(); } /** * @desc finish login process * - Send info to application * - Log connection to database * - Load main page * */ function loginFinish(){ // Set user as logged $_SESSION['userLogged']=true; $_SESSION['connectionTime']=time(); cfGSetVar('connectionTime',time()); // Write connection in log and activity panel cfLog(cfUTF8Decode(cfCaption('loginNewConnection',cfUTF8Encode(cfUGetVar('name').((cfUGetVar('pseudo'))?' - '.cfUGetVar('pseudo'):'')),false,false,true)),LOG_INF); // If direct resource access, set resource name as user name, for display in activity panel if(cfUGetVar('id')=='standalone' && !cfUGetVar('name')){ $res=new WResConfig(@$_SESSION['res'][0]['id']); cfUSetVar('name',@$res->name()); cfUSetVar('icon','blankIcon.gif'); } // inform application that a new user logged in $logString='log newLogged="'.wSession_id(). '" name="'.str_replace('"','',cfUGetVar('name')). '" id="'.cfUGetVar('id'). '" pseudo="'.str_replace('"','',cfUGetVar('pseudo')). '" icon="'.cfUGetVar('icon'). '" IP="'.$_SESSION['accountIP']. '" filename="'.basename(cfUGetVar('configFilename')). '" host="'.cfUGetVar('host'). '" audioProfile="'.cfUGetVar('audioProfile'). '" browser="'.cfBGetVar('name').'"'; // List user's chat resources, and check if user has webcam $chat=''; $webcam=false; foreach (WEnv::user()->getResources() as $rid=>$rfilename){ if($res=cfMGetVar('weezoResData'.$rid)){ if($res['type']=='webcam' && $res['subType']=='chat') $chat.=(($chat)?',':'').$rid.'/'. $rfilename; if($res['type']=='webcam' && $res['subType']=='std') $webcam=true; } } if($chat) $logString.=' chatResourceFilenames="'.$chat.'"'; if($webcam) $logString.=' needWebcam="true"'; // Timeout detection margin // Increase for mobiles if(cfIsMobile('iPhone')) $logString.=' inactivityTimeBeforeDisconnect="'.(5*cfGGetVar('inactivityTimeBeforeDisconnect')).'"'; elseif(cfUGetVar('id')=='standalone') { $res=@$_SESSION['res'][0]; // Increase timeout detection margin for non-server-pinging external resources if(@$res['type']=='misc' || (@$res['type']=='website' && @$res['subType']=='html')) $logString.=' inactivityTimeBeforeDisconnect="'.floor(3*cfGGetVar('inactivityTimeBeforeDisconnect')).'"'; // and decrease it for other published resources else $logString.=' inactivityTimeBeforeDisconnect="'.floor(0.5*cfGGetVar('inactivityTimeBeforeDisconnect')).'"'; } cfServerSendCommand($logString); // Log information in statistics database require_once(INCLUDE_DIR.'databaseFunctions.php'); if(!cfUGetVar('invisible')) dbLogNewConnection(); // Monitor event if(!cfUGetVar('invisible')) cfLogEvent(cfCaption('loginNewConnection',cfUTF8Encode(cfUGetVar('name')),false,false,true),EVENT_CONNECTION,S_EVENT_LOGIN,cfUGetVar('id')); // Redirect to login page if(cfIsAsync()){ cfAsyncHeader(); echo cfAsyncXMLJSaction('maskHide()'); // Send login cookie to Wii if(cfIsWII()){ echo cfAsyncXMLJSaction('var exp=new Date();exp.setTime(exp.getTime() + (365*24*3600000));document.cookie="weezoUser='.cfUGetVar('id').'; expires="+exp.toGMTString();'); if(cfUGetVar('authenticationMethod')=='password') echo cfAsyncXMLJSaction('var exp=new Date();exp.setTime(exp.getTime() + (365*24*3600000));document.cookie="weezoAuth='.sha1(cfUGetVar('password')).'; expires="+exp.toGMTString();'); } // Do connect echo cfAsyncXMLJSaction('loginConnect()'); echo cfAsyncFooter(); } else { // Set URL where user will be redirected $connectedURL='/index.php'; // If user is re-login to a published which session has terminated, redirect to page he was if(isset($_ENV['publishTokenBeforeLogoutURI'])) $connectedURL=$_ENV['publishTokenBeforeLogoutURI']; ?> <head> <script type="text/javascript"> function doLog(){ <?php // Manually set cookie (IE Workaround on token identification) if(!cfGGetVar('userScreenWidth')) {?> document.getElementsByName("userScreenWidth")[0].value=screen.width; document.getElementsByName("userScreenHeight")[0].value=screen.height; <?php } if(!cfGGetVar('hostName')) {?> document.getElementsByName("serverExternalHost")[0].value=document.location.host; <?php } ?> document.connectForm.submit(); } </script> </head><body onload="doLog()"> <form name="connectForm" action="<?php echo $connectedURL; ?>" method="GET" enctype="multipart/form-data" style="display:none"> <?php // IE Workaround: cookie sometimes cannot be set at this step (when using login token) // => pass session id in GET so cookie is set at next page display (by security.php) if(!isset($_COOKIE) || !count($_COOKIE)) echo '<input name="WSESSID" value="'.wSession_id().'">'; if(!cfIsWII()) echo '<input name="loginOK" value="true">'; if(!cfGGetVar('userScreenWidth')) echo '<input type="text" name="userScreenWidth" value=""><input type="text" name="userScreenHeight" value="">'; if(!cfGGetVar('hostName')) echo '<input type="text" name="serverExternalHost" value="">'; echo '</form></body>'; } cfDebugSingle(@$_ENV['wSession']['state']); cfDebugSingle(@$_ENV['wSession']['id']); wSession_write_close(); cfDebugSingle(cfMIssetVar('wSessionLocked_'.@$_ENV['wSession']['id'])); cfDebugSingle('log finished'); exit; } /** * @desc finish loggin users who need name/pseudo * */ function userLoadNamedUser(){ // User canceled if($_POST['userPseudo']=='*weezoCancel*'||$_POST['userPseudo']=='undefined') { wSession_destroy(); if(isset($_POST['asyncRequest'])){ echo cfAsyncHeader(); echo cfAsyncXMLJSaction('D.connectForm.method="POST";loginConnect()'); echo cfAsyncFooter(); exit; } unset($_POST); return; } cfUSetVar('pseudo',cfUTF8Decode($_POST['userPseudo'])); cfGSetVar('requestUserPseudo',false); // send info to application and display main page loginFinish(); } /** * @return string ID or false if not found * @param string $name : user name * @desc Return user id (number) from user name. Return -1 if not found */ function userIdFromName($name){ foreach ($_ENV['users'] as $key=>$value) if($value['name']==$name) return $key; return false; } /** * @return bool : true if OK * @param string $userId : user id * @param string $password : password * @desc verify $userId and $password. Return true if OK, false if not OK (in this case, wait for a few seconds) */ function verifyPassword($userId, $password){ global $wrongPasswordSent; global $securityEvent; //if user's authentication method is password if($_ENV['users'][$userId]['authenticationMethod']=='password'){ // Decrypt RSA crypted password $decrypted=cfRSADecrypt($password,$wasCiphered); // Parse return string // Return string (decrypt) format : ip=XXX/password/ts=YYY/ // where XXX is iptolong ip adress and YYY is timestamp if($wasCiphered){ $timestamp=substr($decrypted,strrpos($decrypted,'/ts=')+4);$timestamp=substr($timestamp,0,strpos($timestamp,'/')); $longip=substr($decrypted,strpos($decrypted,'ip=')+3);$longip=substr($longip,0,strpos($longip,'/')); $password=substr($decrypted,strpos($decrypted,'/',strpos($decrypted,'ip='))+1);$password=substr($password,0,strrpos($password,'/ts=')); } // Check client ip adress if($wasCiphered && $_SERVER['REMOTE_ADDR']!=long2ip($longip) && !cfGGetVar('disableClientSessionIPControl')){ $securityEvent.='Password check: incorrect client IP adress error'; setWrongPasswordTyped(); return false; } // Check timestamp (allow a 60 seconds difference (default) to cover transmission and ciphering time if($wasCiphered && abs(((int)microtime(true))-$timestamp)>((cfGGetVar('RSAAuthorizedDelay'))?cfGGetVar('RSAAuthorizedDelay'):20)){ $securityEvent.='Password check: excessive time shift error<br>Modify "RSAAuthorizedDelay" value in data/general.ini'; return false; } // If password is sent unencrypted but encryption was required, refuse if (0 /* !$wasCiphered && cfGGetVar('protocol')=='http' && cfGGetVar('encryptPassword') && (!cfGGetVar('disablePasswordCipheringForSlowJSDevices') || !cfBGetVar('slowJS'))*/){ cfLog('login.php: unencrypted password sent. Connection refused',LOG_ER); $securityEvent.='Password check: encrypted password not found'; return false; } // Correct password typed if(md5($password)==$_ENV['users'][$userId]['password']) { setRightPasswordTyped(); return true; } // Wrong password typed else { setWrongPasswordTyped(); sleep(cfGGetVar('waitTimeBetweenLoginAttemtps')); cfLog('login.php: wrong password typed for '.$_ENV['users'][$userId]['name'].' account',LOG_DBG); $wrongPasswordSent=true; return false; } } elseif($_ENV['users'][$userId]['authenticationMethod']=='noAuthentication') return true; // Password typed on a passwordless account cfLog('login.php: unknown authentification method in.usr file, cannot log in'.$userId.' account',LOG_ER); $securityEvent.='Password check: unknown error'; $wrongPasswordSent=true; return false; } /** * @desc Validate an external authentication request, and deliver an authentication token if all OK * * @param string $authenticationToken: encrypted login & pwd * @param string $restrictSource: true to restrict external authentication to weezo.net & weezo.info domains */ function requestLoginToken($authenticationToken, $restrictSource=true){ /* Test / debug $restrictSource=false; $clear=array('user='.base64_encode(cfUTF8Encode('test')),'password='.base64_encode(''),'ip='.'127.0.0.1'); $clear[]='rnd='.substr(md5(rand()),5,30); shuffle($clear); if(!($regInfo=cfIsRegistered())) die(); $key=base64_decode($regInfo['regKey']); $iv='';for($i=0;$i<8;$i++) $iv.=chr(rand(0,255)); $authenticationToken=mcrypt_encrypt(MCRYPT_TRIPLEDES,$key,implode('&',$clear),MCRYPT_MODE_CBC,$iv); $authenticationToken=base64_encode($authenticationToken.$iv); */ ignore_user_abort(true); // Restrict source to weezo.net/weezo.info servers if($restrictSource && $_SERVER['REMOTE_ADDR']!='87.106.108.74' && $_SERVER['REMOTE_ADDR']!=gethostbyname('weezo.net') && $_SERVER['REMOTE_ADDR']!=gethostbyname('weezo.info')) die(); // Verify user is registered if(!($regInfo=cfIsRegistered())) die(); $key=base64_decode($regInfo['regKey']); // Public key request if($authenticationToken=='getRSAPK') { $RSAKeyPair = cfRSALoadKeyPair(); if(isset($RSAKeyPair['maxDigits']) && isset($RSAKeyPair['modulo']) && isset($RSAKeyPair['publicExponent'])) die('RSAPK/'.$RSAKeyPair['maxDigits'].'/'.$RSAKeyPair['modulo'].'/'.$RSAKeyPair['publicExponent'].'/'.$RSAKeyPair['keyLength']); else die(); } // Decrypt token $token=base64_decode(str_replace(' ','+',$authenticationToken)); $iv=substr($token,-8); $token=substr($token,0,strlen($token)-8); $clear=@mcrypt_decrypt(MCRYPT_TRIPLEDES,$key,$token,MCRYPT_MODE_CBC,$iv); @parse_str($clear,$args); /** * Check decrypted token format */ if((!isset($args['RSAToken']) && (!isset($args['user'])||!isset($args['password'])))||!isset($args['ip'])) die(); // Client browser encrypted password with RSA public key: decrypt if(isset($args['RSAToken'])){ $decrypted=cfRSADecrypt('rsa:'.$args['RSAToken']); @parse_str($decrypted,$args2); // Verify it contains user and password if(!isset($args2['user']) || !isset($args2['password'])) die(); $user=$args2['user']; $password=$args2['password']; } // Check if client's IP is not banned for excessive attempts //if(isBannedIP($args['ip'])) die('maxAttempts'); // Verify user's existence if(!isset($user)) $user=cfUTF8Decode(base64_decode($args['user']),true,false,false); if(!($userId=userIdFromName($user))) die('loginFailed'); // Verify IP is allowed to connect to this user if(!cfIPFilterCheck($_ENV['users'][$userId],$args['ip'])) die('loginFailed'); // Check password if(!isset($password)) $password=(base64_decode($args['password'])); if($_ENV['users'][$userId]['authenticationMethod']=='password' && md5($password)!=$_ENV['users'][$userId]['password']) die('loginFailed'); // Generate login token id $loginToken=''; for($i=0;$i<16;$i++) $loginToken.=chr(rand(0,255)); $loginToken=base64_encode($loginToken); // Save login token to memory $loginTokens=cfMGetVar('loginTokens'); $loginTokens[$loginToken]=$userId.'/'.$args['ip'].'/'.time(); cfMSetVar('loginTokens',$loginTokens); // All OK: generate login token die('loginToken='.$loginToken.(($_ENV['users'][$userId]['accountType']=='named')?'&requestPseudo=1':'')); } /** * @desc Check login token validity, and if OK, log user in * * @param string $loginToken */ function checkLoginToken($loginToken){ $loginToken=str_replace(' ','+',$loginToken); // Check for passed token in valid tokens list $loginTokens=cfMGetVar('loginTokens'); if(!$loginTokens) { //cfVarDump(cfMGetVar('loginTokens',true)); exit; } if(!isset($loginTokens[$loginToken])) die(cfCaption('loginForbiddenAccess').'no token found'); // Extract user id and ip list($userId,$ip,$timestamp)=explode('/',$loginTokens[$loginToken]); // Remove from valid tokens list unset($loginTokens[$loginToken]); cfMSetVar('loginTokens',$loginTokens); // Check token is still valid if(time()>$timestamp+LOGIN_TOKEN_LIFETIME) die(cfCaption('loginForbiddenAccess').' lt'); // Check user id is valid if(!isset($_ENV['users'][$userId])) die(cfCaption('loginForbiddenAccess').' no user'); // Check token IP matches with client IP if(LOGIN_TOKEN_CHECK_IP && $ip!=$_SERVER['REMOTE_ADDR']) { if($ip!='0') die(cfCaption('loginForbiddenAccess').' ip nok:'.$ip.'<>'.$_SERVER['REMOTE_ADDR']); } // Check user pseudo is OK if($_ENV['users'][$userId]['accountType']=='named' && !isset($_GET['userPseudo']) && !isset($_POST['userPseudo'])) die(cfCaption('loginForbiddenAccess').' no pseudo'); // All OK, proceed to login userLoad($userId); } /** * @desc Resource-only login through publishToke * */ function publishTokenLogin(){ require_once(INCLUDE_DIR.'explorerFunctions.php'); $tokenList=efTokensRead(); // If publishToken is retreived from cookie if(!isset($_GET['publishToken'])) { $_GET['publishToken']=$_COOKIE['weezoPublishToken']; } // Check token $found=0; foreach (cfMGetVar('weezoResourcesList') as $id=>$filename){ $res=cfMGetVar('weezoResData'.$id); if(isset($res['publishToken']) && $res['publishToken']==$_GET['publishToken']) { $found=1; break; } } // If no matching resource found, die if(!$found){ // Remove publish token if set (so error page won't return to login) if(isset($_COOKIE['weezoPublishToken'])){ unset($_COOKIE['weezoPublishToken']); @setcookie('weezoPublishToken','',(time()-3600)); } require_once(INCLUDE_DIR.'outputFunctions.php'); outDisplayErrorPage(cfCaption('keyError')); } // Set theme if(isset($_GET['theme'])) $_POST['userSelectedTheme']=$_GET['theme']; userLoad('standalone'); } /** * @desc check if user's IP is within exessive connections attempts list, stored in data/connectionAttempts.txt file * update $nbWrongPasswordTyped global var * @return boolean : true if IP has typed more than passwordCheckMaxAttempts wrong passwords in passwordCheckBanPeriod minutes IPs list, false if not * */ function isBannedIP($checkedIP=false){ global $nbWrongPasswordTyped; static $passwordCheckMaxAttempts; if(!isset($passwordCheckMaxAttempts)) { $passwordCheckMaxAttempts=cfGGetVar('passwordCheckMaxAttempts'); $passwordCheckBanPeriod=cfGGetVar('passwordCheckBanPeriod'); } if(!cfGGetVar('passwordCheckMaxAttempts') || !file_exists(cfAppDataDir().'/connectionAttempts.txt')) return false; if(!$checkedIP) $checkedIP=$_SERVER['REMOTE_ADDR']; $needSave=false; $nbWrongPasswordTyped=0; // Browse history $ipList=parse_ini_file(cfAppDataDir().'/connectionAttempts.txt',false); foreach ($ipList as $time=>$ip){ // Clean old entries{ if(floor($time)+CONNECTION_ATTEMPTS_CLEANUP_TIME*3600*24<time()) { unset($ipList[$time]); $needSave=true; } // Count appliable entries if($passwordCheckMaxAttempts>0 && $ip==$checkedIP && (floor($time)+$passwordCheckBanPeriod*60>time())) $nbWrongPasswordTyped++; // Reset counter on successfull password typed if($ip=='OK'.$checkedIP) $nbWrongPasswordTyped=0; } // Save changes if cleaned items if($needSave) cfWriteIniFile($ipList,cfAppDataDir().'/connectionAttempts.txt',false); if($nbWrongPasswordTyped>=cfGGetVar('passwordCheckMaxAttempts')) return true; return false; } /** * @desc add entry in data/connectionAttempts.txt file * @return void * */ function setWrongPasswordTyped(){ global $nbWrongPasswordTyped; if(!cfGGetVar('passwordCheckMaxAttempts')) return; cfAppendTextToFile(microtime(true).' = '.$_SERVER['REMOTE_ADDR'],cfAppDataDir().'/connectionAttempts.txt',false); $nbWrongPasswordTyped++; if($nbWrongPasswordTyped>=cfGGetVar('passwordCheckMaxAttempts')){ cfAsyncHeader(); echo cfAsyncXMLJSaction('wl.goURL()'); die(cfAsyncFooter()); } } /** * @desc add right password entry in data/connectionAttempts.txt file * @return void * */ function setRightPasswordTyped(){ if(!cfGGetVar('passwordCheckMaxAttempts')) return; cfAppendTextToFile(microtime(true).' = OK'.$_SERVER['REMOTE_ADDR'],cfAppDataDir().'/connectionAttempts.txt',false); } /** * @desc echo hidden login form and javascript function used for RSA password encryption * @param boolean $encryptionAnimation : true if lock icon animation should be played on encryption * @param boolean $waitCursor : true if a wait cursor is displayed while loginForm is being submitted * @return void * * "startEncryption" script must always be called by loginFrom.php scripts * It must be called within <body> node as it includes HTML code (unless $encryptionAnimation is set to false) * JS function encryptPassword must be called on form submit, with password node as parameter * * JS Script description : cipher password, and submit login form and optionnaly play animation * */ function includeloginFormAndScripts($encryptionAnimation=true, $waitCursor=true){ /** * Page reload form */ echo '<form name="connectForm" action="/index.php" method="GET" enctype="multipart/form-data" style="display:none">'; if(!cfIsWII()) echo '<input name="loginOK" value="true">'; echo '</form>'; /** * Login Form */ echo '<form id="loginForm" name="loginForm" action="/login.php" method="post" enctype="multipart/form-data" style="display:none">'; // User Name echo '<input type="text" name="user" id="user" value="">'; // Password echo '<input type="text" name="password" value="" id="password" maxlength="1500">'; // User Id echo '<input type="text" name="userId" id="userId" value="">'; // User pdeudo/name echo '<input type="text" name="userPseudo" id="userPseudo" value="">'; // User screen size echo '<input type="text" name="userScreenWidth" value=""><input type="text" name="userScreenHeight" value="">'; // Server host name echo '<input type="text" name="serverExternalHost" value="">'; // Mobile login echo '<input type="text" name="mobile" value="">'; // Theme echo '<input type="text" name="userSelectedTheme" value="'.(cfGGetVar('userSelectedTheme')?cfUTF8Encode(cfGGetVar('userSelectedTheme')):'').'">'; //echo '<input type="submit" value="s" style="position:absolute; top:-100px;">'; echo "</form>\n"; // User pseudo input box ?> <div id="userPseudoDiv" style="display:none;position:absolute;left:50%;top:50%;z-index:1001"> <div class="popup" style="position:relative;left:-50%;top:-100px;width:30em"> <div class="popupHeader" id="userPseudoHeader"><?php echo cfCaption('userTypeName');?></div> <?php echo outDivFrame('frame2');?><br> <?php echo cfCaption('userTypeName');?><br> <input type="text" size="20" style="width:100%" id="loginPseudoInput"><br><br><center> <?php echo outButton('','javascript:loginPseudoSubmit(dgi(\'loginPseudoInput\').value);',outIcon('ok'),false,false,'style="margin-right:2em"');?> <?php echo outButton('','javascript:loginPseudoSubmit(\'*weezoCancel*\');',outIcon('cancel'));?> </center><br></div></div> </div> <script language="JavaScript" type="text/javascript"> function loginPseudoGet(userName){ if(W.promptUserPseudo) return promptUserPseudo(userName); dgi("userPseudoHeader").innerHTML=userName; if(W.fade){ fade(dgi("userPseudoDiv"),0,1,10,'dgi("loginPseudoInput").focus()'); maskShow(0,1) maskMoveAbove(dgi("userPseudoDiv")) wl.setKeycodeListener(D,loginPseudoKD) } else loginPseudoSubmit(prompt("<?php echo cfCaption('userTypeName')?>","")); } function loginPseudoSubmit(userPseudo){ if(userPseudo=='') return; dgi('userPseudo').value=userPseudo; asyncSubmitForm("loginForm"); fade(dgi("userPseudoDiv"),1,0); maskHide(1) } function loginPseudoKD(kc){ if(kc==13) loginPseudoSubmit(dgi('loginPseudoInput').value); if(kc==27) loginPseudoSubmit('*weezoCancel*'); } <?php if(0) { // Too many problems with caps lock detection ?> function capsLockShowWarning(n){ with(dgi('capsLockDiv').style){ left=(actualOffsetLeft(n)+n.offsetWidth+5)+'px'; top=(actualOffsetTop(n))+'px'; display=''; zIndex=999; } setAlpha(dgi('capsLockDiv'),100) setTimeout("wl.fadeTo(dgi('capsLockDiv'),0)",2000); } <?php } ?> <?php if(!cfIsMobile()) {?> function logUserById(id,pwd){ dgi('userId').value=id; dgi('password').value=(pwd)?pwd:''; startEncryption(); } function logUserByName(name,pwd){ dgi('user').value=name; dgi('password').value=(pwd)?pwd:''; startEncryption(); } function forceMobile(){D.location.href=D.location+((D.location.href.indexOf('?')!=-1)?'&':'?')+'forceMobile=1';} <?php }?> </script> <div id="capsLockDiv" class="helpFrame helpBg" style="margin:0px;text-align:left;vertical-align:top; width:auto; height:auto; min-height:0; padding:0.3em;position:absolute;display:none"><?php echo outImage(outIcon('warning'),false,false,'float:left;margin-top:5px;margin-right:1em').'<b>'.cfCaption('alertWarningTitle').'</b><br>'.cfCaption('passwordCapsLockDown'); ?></div> <?php echo outRSAScripts('auto',$doesCipher); if(!$doesCipher){ /** * Disabled encryption */ ?> <script language="JavaScript" type="text/javascript"> function startEncryption() { <?php if(cfIsMobile()) {?> dgn("userScreenWidth").value=screen.availWidth; dgn("userScreenHeight").value=screen.availHeight; dgn("mobile").value=1; <?php } else { ?> dgn("userScreenWidth").value=screen.width; dgn("userScreenHeight").value=screen.height; <?php } ?> dgn("serverExternalHost").value=document.location.host; maskShow(1); dgi('password').value=dgi('password').value.replace(/\+/,'*weezoPlus*') return asyncSubmitForm("loginForm"); } function loginConnect(){document.connectForm.submit();} </script> <?php return; } /** * Encryption enabled */ ?> <script language="JavaScript" type="text/javascript"> <?php if($encryptionAnimation){ echo 'var li=new Image; li.src="'.outIcon('lockB').'";'; // Preload image echo 'var lsi=new Image; lsi.src="'.outIcon('lockSend').'";'; // Preload image } echo 'var ts='.(int)microtime(true).";\n"; echo 'var ip='.sprintf("%u", ip2long($_SERVER['REMOTE_ADDR'])).";\n"; ?> var loadTs=Date.parse((new Date()).toGMTString()); function startEncryption(){ <?php if(cfIsMobile()) {?> dgn("userScreenWidth").value=screen.availWidth; dgn("userScreenHeight").value=screen.availHeight; dgn("mobile").value=1 <?php } else { ?> dgn("userScreenWidth").value=screen.width; dgn("userScreenHeight").value=screen.height; <?php } ?> dgn("serverExternalHost").value=document.location.host; maskShow(1); if(D.loginForm.elements["password"].value.length==0) { asyncSubmitForm("loginForm"); return false; } <?php if($encryptionAnimation){ echo 'dgi("encryptionLock").style.display="block";'; echo 'setTimeout("proceedEncryption()",10);'; } else echo "if(W.preEncodingMessage) preEncodingMessage();\nproceedEncryption();\n"; ?> return false; } function proceedEncryption(){ var msg=D.loginForm.elements["password"].value var now=new Date(); RSACrypt("ip="+ip+"/"+msg+"/ts="+(ts+(Date.parse(now.toGMTString())-loadTs)/1000+2)+"/",proceedEncryption2,(W.encryptPercNode)?encryptPercNode:dgi("encryptPerc")) } function proceedEncryption2(ciphered){ document.loginForm.elements["password"].value=ciphered; if(dgi("encryptionLock")) dgi("encryptionLock").style.display="none"; if(dgi("encryptionLockSend")) dgi("encryptionLockSend").style.display="block"; if(window.postEncodingMessage) postEncodingMessage(); asyncSubmitForm("loginForm"); } function loginConnect(){document.connectForm.submit();} </script> <?php // encryption indicator if($encryptionAnimation){ echo '<div style="position:absolute; top:45%; left:50%; display:none;z-index:995" id="encryptionLock"><div style="position:relative; left:-50%;"><center>'.outImage(outIcon('lockB'),false,false, 'position:relative').'<br><div style="background:white; border: 1px solid #777; font-size:9px; padding:3px;" class="loginEncrypt">'.cfCaption('passwordCrypt').' <span id="encryptPerc">0%</span></div></center></div></div>'."\n"; echo '<div style="position:absolute; top:45%; left:50%; display:none;z-index:996" id="encryptionLockSend"><div style="position:relative; left:-50%;"><center>'.outImage(outIcon('lockSend'),false,false, 'position:relative').'<br><div style="background:white; border: 1px solid #777; font-size:9px; padding:3px;" class="loginEncrypt">'.cfCaption('loginConnectButton')."</div></center></div></div>\n"; } } /** * Echo page header, including loading screen, body, scripts & other stuff * */ function loginPageHeader($loginThemeForm){ if(cfIsAsync() || cfIsMobile()) return; // Estimate total page size $pageSize=800; // Header $pageSize+=$cssSize=cfFileSize(cfAppDocRoot().'/themes/common.css')+@filesize(cfAppDocRoot().'/themes/'.cfGGetVar('theme').'/theme.css'); // CSS $pageSize+=($commonSize=cfFileSize(cfAppDocRoot().'/js/common.js'));// common.js if(cfGGetVar('loginForm')==='coverflow'){ $pageSize+=($dragdropSize=cfFileSize(cfAppDocRoot().'/js/wz_dragdrop.js')); $pageSize+=($htmlSize=13000); // Estimated HTML size $pageSize+=count($_ENV['users'])*2500; // User icons } else { $pageSize+=($htmlSize=15000); // Estimated HTML size $pageSize+=2000; // Estimated window icons size $dragdropSize=0; } $pageSize+=2200+481; // Icons /* *************************************************************************************************************************** * Insert HTML Head and Javascript *************************************************************************************************************************** */ cfInsertHEAD(true,array('noCommon.js'=>1)); /** * Insert body with delayed background image loading */ list($wallpaperSrc,$wallpaperPosition)=loginGetBackgroundWallpaper(); ?> <body class="mainFrameBody loginBody<?php echo ucfirst(cfGGetVar('loginForm'));?>" style="background-image:none" onload="setTimeout('lPreload()',100)"> <NOSCRIPT><div class="textShadow" style="font-size:200%;margin-top:30%;width:100%;text-align:center"><?php echo outImage(outIcon('alertBig'),false,false,'vertical-align:middle;margin-right:1em').cfCaption('loginErrorNoJavascript');?></div></NOSCRIPT> <table id="lTable" style="height:100%;width:100%"><tr><td style="vertical-align:middle;text-align:center"> <div id="lTxt" class="textShadow" style="font-size:80px;font-family:Times New Roman">...</div> <br><br> <b class="textShadow loginPreCSS"><?php echo str_replace('...',' ('.floor(100*800/$pageSize).'%)',cfCaption('loading'));?></b> <b class="textShadow loginPostCSS" style=";position:relative;overflow:hidden;width:100%;display:block"><div style="margin-left:-9999px"><?php echo str_replace('...','',cfCaption('loading')).' (<span id="lProg">'.floor(100*$cssSize/$pageSize).'</span>%)';?></div></b> </td></tr></table> <script type="text/javascript"> var D=document,lProg=<?php echo floor(100*$cssSize/$pageSize); ?>;lStep=-1,lInt=setInterval(function(){var i=(++lStep)%6;document.getElementById('lTxt').innerHTML=((!i||i>3)?'.':' ')+((i<2||i>4)?'.':' ')+((i<3)?'.':' ')},250); function lFunc(s,p){lProg+=((p)?p/100:1)*((s=='common')?<?php echo floor(100*$commonSize/$pageSize);?>:((s=='wz_dragdrop')?<?php echo floor(100*$dragdropSize/$pageSize);?>:<?php echo floor(100*$htmlSize/$pageSize);?>));if(dgi('lProg')) dgi('lProg').innerHTML=Math.ceil(lProg)} <?php /** * Wallpaper */ // Remove all wallpaper for coverflow login if(basename(cfFileWithoutExtension($loginThemeForm))=='loginFormCoverflow'){ echo 'D.body.style.backgroundImage=""'; } // Tiled wallpaper: set as body background image elseif($wallpaperPosition=='tiled') echo 'D.body.style.backgroundImage="url(\''.$wallpaperSrc.'\')"'; // Stretched wallpaper elseif($wallpaperPosition=='stretched'){ ?> var i=D.createElement('img'),s=i.style;s.width='100%';s.height='100%';s.position='absolute';s.top=s.left='0px';i.id='wpImg';s.visibility='hidden'; i.onload=function(){if(window.fade) fade(this); else this.style.visibility=''}; D.body.appendChild(i); setTimeout(function(){if(!D.getElementById('wpImg')) return; D.getElementById('wpImg').src='<?php echo $wallpaperSrc?>'},10); <?php } // Centered wallpaper elseif($wallpaperPosition=='centered'){ list($width, $height, $t, $a)=@getimagesize(cfAppDocRoot().$wallpaperSrc); echo "var i=D.createElement('img'),s=i.style;s.marginLeft='-".($width/2)."px';s.marginTop='-".($height/2)."px';s.position='absolute';s.top='50%';s.left='50%';i.id='wpImg';setTimeout(\"if(!D.getElementById('wpImg')) return; D.getElementById('wpImg').src=\\'".$wallpaperSrc."\\'\",10);s.visibility='hidden';i.onload=function(){if(window.fade) fade(this); else this.style.visibility=''};D.body.appendChild(i);"; } // Restore CSS background image that was temporary removed for faster loading, except if stretched or tiled (=fullscreen) wallpaper else echo 'document.body.style.backgroundImage=""'; ?> </script> <div id="lContent" style="display:none"> <?php /** * Webkit cookies policy "workaround": if cannot set cookie, reload in top frame */ if(!isset($_POST['cookieReload'])){ ?> <form method="POST" action="<?php echo $_SERVER['PHP_SELF'];?>" name="cookieReloadForm" target="_top" style="display:none"><input name="cookieReload" value="1"></form> <script type="text/javascript"> if(parent){ D.cookie='cookieTest=1'; if(!D.cookie||D.cookie.indexOf('cookieTest')==-1) D.cookieReloadForm.submit(); var cd=new Date();cd.setTime(cd.getTime()-1);D.cookie="cookieTest=; expires="+cd.toGMTString(); } </script> <?php } flush(); // Include scripts echo cfScriptLink('common.js'); } /** * @desc Insert login page footer (finish login animation) * */ function loginPageFooter(){ if(cfIsAsync() || cfIsMobile()) return; ?> </div> <div id="preload"></div> <script type="text/javascript"> function lPreload(){ var i=3,n; for(;i>=0;i--) { n=D.createElement('SCRIPT'); n.type="text/javascript"; n.src='/js/'+['win','treeView','explorer','winClient'][i]+'.js'; D.body.appendChild(n) } } clearInterval(lInt) removeNode(dgi("lTable")); dgi("lContent").style.display=""; if(W.init) init(); </script> </body> <?php } /** * Get background Wallpaper and wallpaper position (centered / tiled / streched) * * @param bool $theme: true to return theme's wallpaper * @return array (path to wallpaper, wallpaper type) */ function loginGetBackgroundWallpaper($theme=false){ // Wallpapers located into theme directory $wps=glob(cfAppThemeDir(false).'/{wallpaperBoth,themeBoth,wallpaperLogin,themeLogin}-{centered,stretched,tiled}.{jpg,gif,png}',GLOB_BRACE); if(count($wps)){ foreach ($wps as $key=>$wp) { list($type,$position)=explode('-',cfFileWithoutExtension(basename($wp))); $wps[$key]=array('cfn'=>$wp,'type'=>$type,'position'=>$position); } // Look for user-set login wallpaper foreach ($wps as $key=>$wp) if($wp['type']=='wallpaperLogin') return array(cfAppThemeDir(true).'/'.basename($wp['cfn']),$wp['position']); // Look for user-set login+desktop wallpaper foreach ($wps as $key=>$wp) if($wp['type']=='wallpaperBoth') return array(cfAppThemeDir(true).'/'.basename($wp['cfn']),$wp['position']); // Look for theme login wallpaper foreach ($wps as $key=>$wp) if($wp['type']=='themeLogin') return array(cfAppThemeDir(true).'/'.basename($wp['cfn']),$wp['position']); // Look for theme login+desktop wallpaper foreach ($wps as $key=>$wp) if($wp['type']=='themeBoth') return array(cfAppThemeDir(true).'/'.basename($wp['cfn']),$wp['position']); } return array(false,false); } /** * Detect browser and set capabilities */ cfSetBrowserCaps(); // If a pseudo is sent, start session (as user is already logged-in, so connection info should be retreived) if(@$_POST['userPseudo']) wSession_start(); // Pseudo received from authenticated user if(cfGGetVar('requestUserPseudo') && cfUGetVar('name') && isset($_POST['userPseudo']) && $_POST['userPseudo']!='') userLoadNamedUser(); /* *************************************************************************************************************************** * AUTHENTICATION *************************************************************************************************************************** */ if(!isset($securityEvent)) $securityEvent=false; // Add a "fake" user with no name to indicate than an input box with both name and password must be set. // This user will be unset if no hidden users are set $_ENV['users'][0]=array('id'=>0, 'name'=>false, 'authenticationMethod'=>'password', 'icon'=>(is_file(cfTGetVar('dir').'/groups2.gif'))?'../..'.cfTGetVar('path').'/groups2.gif':'groups2.gif'); // Load ini, usr and lng files (general parameters, users data, language), except if a login token is requested ifInitializeSession(!isset($_GET['requestLoginToken'])); /** * External authentication */ if(isset($_GET['requestLoginToken'])) requestLoginToken($_GET['requestLoginToken'],true); // Check banned IP if (isBannedIP()) {sleep(cfGGetVar('waitTimeBetweenLoginAttemtps'));outDisplayErrorPage(cfCaption('loginForbiddenAccess').'...','Weezo');} // External authentication login token if(isset($_GET['loginToken'])) checkLoginToken($_GET['loginToken']); // Forbid direct web connections if registered user has set this option allong with externalAuth if(!cfDirectWebConnectionsAllowed()){ if(!cfIsOnLAN()){ if(isset($regData['offlineURL']) && $regData['offlineURL']) {header('Location: http://'.$regData['offlineURL']);exit;} sleep(3600);cfHTTPError(404); } } // Wii autologin if(cfIsWII() && cfIsOnLAN() && isset($_COOKIE['weezoUser'])){ if(isset($_ENV['users'][$_COOKIE['weezoUser']])){ if($_ENV['users'][$_COOKIE['weezoUser']]['authenticationMethod']=='noAuthentication' || (isset($_COOKIE['weezoAuth']) && $_COOKIE['weezoAuth']==sha1($_ENV['users'][$_COOKIE['weezoUser']]['password']))){ userLoad($_COOKIE['weezoUser']); } } } // published resource login if(isset($_GET['publishToken']) || isset($_COOKIE['weezoPublishToken'])) publishTokenLogin(); $userNameSent=false;$wrongPasswordSent=false; $wrongUserSent=false; $password=false; $userId=false; $userName=false; $userAndPasswordMethod=false; /* *************************************************************************************************************************** * Get user to load from GET/POST parameters *************************************************************************************************************************** */ // If "autolog" GET parameter passed (from Weezo site), and site has a single user with no authentication, proceed to log if(isset($_GET['autolog']) && count($_ENV['users'])==1){ foreach($_ENV['users'] as $key=>$value) if($value['authenticationMethod']=='noAuthentication' && $value['hidden']=='false' && cfIPFilterCheck($value)) userLoad($key); } // if user name sent if(@$_GET['user']) { $userNameSent=true; $userName=cfUTF8Decode(urldecode($_GET['user']),true,true,false); $userId=userIdFromName($userName); if($userId){ if(isset($_GET['password'])) { $password=cfUTF8Decode(urldecode($_GET['password']),true,true,false); $password=str_replace('*weezoPlus*','+',$password); } } else { $userName=false; $userNameSent=false; unset($_GET['user']); // Unset user GET so all non-matching groups are not removed } } // if login user name is sent using POST, and no userId sent, get Matching userId (user + password form used) if(!$userId && @$_POST['user'] && !@$_POST['userId']){ $userNameSent=true; $userName=cfUTF8Decode($_POST['user'],true,true,false); $userId=userIdFromName($userName); $userAndPasswordMethod=true; if($userId) { if(isset($_POST['password'])) $password=cfUTF8Decode($_POST['password']); } else{ $userName=false; $wrongUserSent=true; sleep(cfGGetVar('waitTimeBetweenLoginAttemtps')); } } // if userId is sent if(!$userId && isset($_POST['userId']) && $_POST['userId']!='0'){ $userId=$_POST['userId']; if(isset($_POST['password'])) $password=cfUTF8Decode($_POST['password']); $userAndPasswordMethod=false; } if($password=='') $password=false; /* *************************************************************************************************************************** * Check user and password *************************************************************************************************************************** */ // If an user has been found if($userId && isset($_ENV['users'][$userId])){ // No direct login to standalone-resource dedicated user if($_ENV['users'][$userId]['authenticationMethod']=='publishToken') die('Unauthorized login'); // If IP is not banned for this user if(cfIPFilterCheck($_ENV['users'][$userId])){ if($_ENV['users'][$userId]['authenticationMethod']=='noAuthentication' && !$password) userLoad($userId); elseif($_ENV['users'][$userId]['authenticationMethod']=='password' && $password){ //if(strpos($password,'/shn=')) $password=substr($password,0,strpos($password,'/shn=')); if(verifyPassword($userId, $password)) userLoad($userId); } } else $securityEvent.=' Banned IP'; } elseif($userId) $wrongUserSent=true; // If correct user name sent but password sent, set user name as wrong so error message doesn't indicate user name is correct if($userNameSent && $wrongPasswordSent) $wrongUserSent=true; // Set user to display if($userAndPasswordMethod) $userToDisplay=0; elseif ($userId) $userToDisplay=$userId; // Check if user has selected a theme on login page if(isset($_POST['themeUpdate']) && $_POST['themeUpdate']!='' && isset($_POST['themeLevel']) && cfGGetVar('allowUserThemeChange')){ cfGSetVar('userSelectedTheme',cfUTF8Decode($_POST['themeUpdate'])); cfGSetVar('theme',cfUTF8Decode($_POST['themeUpdate'])); } // if POST login parameters include a previously selected theme if(isset($_POST['userSelectedTheme']) && $_POST['userSelectedTheme']!='' && cfGGetVar('allowUserThemeChange')){ cfGSetVar('userSelectedTheme',cfUTF8Decode($_POST['userSelectedTheme'])); cfGSetVar('theme',cfUTF8Decode($_POST['userSelectedTheme'])); } /** * "Clean" users list */ $hiddenUsers=false; foreach ($_ENV['users'] as $key=>$value){ // Remove hint from accounts with no password if(@$value['hint'] && $value['authenticationMethod']!=='password') unset($_ENV['users'][$key]['hint']); // If single account is requested, hide others if(isset($_GET['user']) && !isset($_GET['showOthers'])){ if($_GET['user']!==$value['name']) unset($_ENV['users'][$key]); } // Remove hidden users from user list before sending list to login page script elseif(isset($value['hidden']) && $value['hidden']==true) { unset($_ENV['users'][$key]); $hiddenUsers=true; } } // If no hidden user, unset "fake" login+password user if(!$hiddenUsers) unset($_ENV['users'][0]); // If a specific user account is requested in url, verify this account exists if(isset($_GET['user'])){ $found=false; foreach ($_ENV['users'] as $key=>$value) if($_GET['user']===$value['name']){$found=true;break;} if(!$found) unset($_GET['user']); } /* *************************************************************************************************************************** * Async Response *************************************************************************************************************************** */ if(cfIsAsync() && isset($_POST['user'])){ echo cfAsyncHeader(); // If security issue detected, display error message if($securityEvent)echo cfAsyncXMLJSaction('dgi("securityEvent").innerHTML="'.str_replace('"',"''",($securityEvent)).'";dgi("securityEvent").style.display="";'); echo cfAsyncXMLJSaction('if(W.resetInputs) resetInputs();'); if($wrongPasswordSent || $wrongUserSent){ $errorText=str_replace('"',"''",(($wrongUserSent)?cfCaption('loginBadPasswordOrAccount'):cfCaption('loginBadPassword'))); echo cfAsyncXMLJSaction('loginSetError("'.$errorText.'")'); } echo cfAsyncXMLJSaction('maskHide()'); echo cfAsyncFooter(); exit; } /** * Theme */ // Force browser theme if(cfBGetVar('theme')) cfGSetVar('theme',cfBGetVar('theme')); // If browser detected as mobile or user forced mobile view, use common mobile login form if(cfIsMobile()) {cfGSetVar('theme','mobile');$loginThemeForm=cfGGetVar('theme').'/loginForm.php';} // Else, select classic or coverflow theme elseif(cfGGetVar('loginForm')==='coverflow') $loginThemeForm='common/loginFormCoverflow.php'; // Else use common login form else $loginThemeForm='common/loginFormClassic.php'; /* *************************************************************************************************************************** * Page header (and progress animation) *************************************************************************************************************************** */ loginPageHeader($loginThemeForm); /* *************************************************************************************************************************** * Display Login Form *************************************************************************************************************************** */ require_once(W_THEMES_DIR.$loginThemeForm); /* *************************************************************************************************************************** * Finish login Animation *************************************************************************************************************************** */ loginPageFooter(); cfLog(cfCaption('logIncomingConnection',false,false,false,true),LOG_DET);