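<?php

/*
    This is Textpattern

    Copyright 2005 by Dean Allen
    www.textpattern.com
    All rights reserved

    Use of this software indicates acceptance of the Textpattern license agreement

$HeadURL: https://textpattern.googlecode.com/svn/releases/4.5.4/source/textpattern/include/txp_auth.php $
$LastChangedRevision: 3964 $

*/

// Refuse to run when the file is requested directly instead of being
// included by a script that has defined 'txpinterface'.
if (!defined('txpinterface')) die('txpinterface is undefined.');

include_once txpath.'/lib/PasswordHash.php';

/**
 * Entry point for admin-side authentication.
 *
 * Clears the global $txp_user, runs doTxpValidate(), and shows the login
 * form when no user was established. doLoginForm() ends the request with
 * exit(), so ob_start() is only reached for an authenticated user.
 */
function doAuth()
{
    global $txp_user;

    $txp_user = NULL;

    $message = doTxpValidate();

    if(!$txp_user)
    {
        doLoginForm($message);
    }

    ob_start();
}

// -------------------------------------------------------------
/**
 * Check a user name / password pair against the txp_users table.
 *
 * The stored hash is first checked with PasswordHash (phpass). If that fails,
 * the password is compared against the MySQL password()/old_password() forms
 * used by older installs; on a match the stored hash is replaced with a
 * phpass hash.
 *
 * @param string $user     Login name as submitted.
 * @param string $password Cleartext password as submitted.
 * @param bool   $log      When TRUE the account must have privs > 0 and
 *                         last_access is updated on success.
 * @return string|false    The user name on success, FALSE otherwise.
 */
function txp_validate($user,$password,$log=TRUE)
{
    // All SQL below is assembled as strings; doSlash() (defined elsewhere) is
    // the only barrier between request data and the statement text.
    // NOTE(review): confirm doSlash() escapes for the active connection charset.
    $safe_user = doSlash($user);
    $name = FALSE;

    $hash = safe_field('pass', 'txp_users', "name = '$safe_user'");
    $phpass = new PasswordHash(PASSWORD_COMPLEXITY, PASSWORD_PORTABILITY);

    // check post-4.3-style passwords
    // NOTE(review): for an unknown user $hash is whatever safe_field() returns
    // for "no row"; confirm CheckPassword() rejects that value.
    if ($phpass->CheckPassword($password, $hash)) {
        if ($log) {
            $name = safe_field("name", "txp_users", "name = '$safe_user' and privs > 0");
        } else {
            // With $log = FALSE the privs > 0 condition is not applied on this
            // path; callers that pass FALSE must not treat the result as proof
            // of an active account.
            $name = $user;
        }
    } else {
        // no good password: check 4.3-style passwords
        // The cleartext password becomes part of the SQL statement text here,
        // so it can surface wherever statements are logged.
        $passwords = array();

        $passwords[] = "password(lower('".doSlash($password)."'))";
        $passwords[] = "password('".doSlash($password)."')";

        // old_password() variants are only tried on MySQL 4.1.0 or later.
        if (version_compare(mysql_get_server_info(), '4.1.0', '>='))
        {
            $passwords[] = "old_password(lower('".doSlash($password)."'))";
            $passwords[] = "old_password('".doSlash($password)."')";
        }

        $name = safe_field("name", "txp_users",
            "name = '$safe_user' and (pass = ".join(' or pass = ', $passwords).") and privs > 0");

        // old password is good: migrate password to phpass
        if ($name !== FALSE) {
            safe_update("txp_users", "pass = '".doSlash($phpass->HashPassword($password))."'", "name = '$safe_user'");
        }
    }

    if ($name !== FALSE && $log)
    {
        // update the last access time
        safe_update("txp_users", "last_access = now()", "name = '$safe_user'");
    }
    return $name;
}

// -------------------------------------------------------------
/**
 * Hash a cleartext password with phpass.
 *
 * The PasswordHash instance is created once per request and reused.
 *
 * @param string $password Cleartext password.
 * @return string          Value returned by PasswordHash::HashPassword().
 */
function txp_hash_password($password)
{
    static $phpass = NULL;
    if (!$phpass) {
        $phpass = new PasswordHash(PASSWORD_COMPLEXITY, PASSWORD_PORTABILITY);
    }
    return $phpass->HashPassword($password);
}

// -------------------------------------------------------------
/**
 * Produce a 32-character lowercase hex token for login cookies and nonces.
 *
 * Uses the operating system's CSPRNG when the running PHP exposes one and
 * falls back to md5(uniqid(mt_rand(), TRUE)) otherwise. The fallback is
 * predictable in principle and is kept only so older PHP builds still work.
 *
 * @return string 32 hex characters.
 */
function txp_auth_token()
{
    if (function_exists('random_bytes'))
    {
        try
        {
            return bin2hex(random_bytes(16));
        }
        catch (Exception $e)
        {
            // no usable entropy source: fall through to the next option
        }
    }

    if (function_exists('openssl_random_pseudo_bytes'))
    {
        $strong = FALSE;
        $bytes = openssl_random_pseudo_bytes(16, $strong);

        if ($bytes !== FALSE && $strong && strlen($bytes) === 16)
        {
            return bin2hex($bytes);
        }
    }

    return md5(uniqid(mt_rand(), TRUE));
}

// -------------------------------------------------------------
/**
 * Compare two strings without stopping at the first differing byte.
 *
 * Used for values derived from the per-user nonce, so response timing does
 * not depend on how much of a submitted value matches.
 *
 * @param string $known Value computed or stored on the server.
 * @param string $given Value derived from the request.
 * @return bool         TRUE when both strings are byte-for-byte equal.
 */
function txp_auth_equals($known, $given)
{
    $known = (string) $known;
    $given = (string) $given;

    if (function_exists('hash_equals'))
    {
        return hash_equals($known, $given);
    }

    $len = strlen($known);

    if ($len !== strlen($given))
    {
        return FALSE;
    }

    $diff = 0;

    for ($i = 0; $i < $len; $i++)
    {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }

    return $diff === 0;
}

// -------------------------------------------------------------

/**
 * Print the login (or password reset) page and end the request.
 *
 * @param mixed $message Status message handed to pagetop(); doTxpValidate()
 *                       supplies either a string or array(text, E_ERROR).
 */
function doLoginForm($message)
{
    include txpath.'/lib/txplib_head.php';

    pagetop(gTxt('login'), $message);

    // `and` binds looser than `?:`, so this evaluates to a boolean.
    $stay  = (cs('txp_login') and !gps('logout') ? 1 : 0);
    $reset = gps('reset');

    // User name taken from the txp_login cookie with its last comma-separated
    // element (the hash part) dropped. The value is client-controlled.
    // NOTE(review): HTML escaping of $name and of gps('event') below is left to
    // fInput()/eInput(), which are defined elsewhere; confirm both escape.
    $name = join(',', array_slice(explode(',', cs('txp_login')), 0, -1));

    echo n.'<div id="login_container" class="txp-container">';
    echo form(
        '<div class="txp-login">'.
        n.hed(gTxt($reset ? 'password_reset' : 'login_to_textpattern'), 2).

        n.graf(
            '<span class="login-label"><label for="login_name">'.gTxt('name').'</label></span>'.
            n.'<span class="login-value">'.fInput('text', 'p_userid', $name, '', '', '', INPUT_REGULAR, '', 'login_name').'</span>'
        , ' class="login-name"').

        ($reset
            ? ''
            : n.graf(
                '<span class="login-label"><label for="login_password">'.gTxt('password').'</label></span>'.
                n.'<span class="login-value">'.fInput('password', 'p_password', '', '', '', '', INPUT_REGULAR, '', 'login_password').'</span>'
            , ' class="login-password"')
        ).

        ($reset
            ? ''
            : graf(
                checkbox('stay', 1, $stay, '', 'login_stay').n.'<label for="login_stay">'.gTxt('stay_logged_in').'</label>'.sp.popHelp('remember_login')
            , ' class="login-stay"')
        ).

        ($reset ? n.hInput('p_reset', 1) : '').

        n.graf(
            fInput('submit', '', gTxt($reset ? 'password_reset_button' : 'log_in_button'), 'publish')
        ).
        n.(
            ($reset
                ? graf('<a href="index.php">'.gTxt('back_to_login').'</a>', ' class="login-return"')
                : graf('<a href="?reset=1">'.gTxt('password_forgotten').'</a>', ' class="login-forgot"')
            )
        ).
        (gps('event') ? eInput(gps('event')) : '').
        '</div>'
    , '', '', 'post', '', '', 'login_form').'</div>'.


    n.script_js(<<<EOSCR
// Focus on either username or password when empty
$(document).ready(
    function() {
        var has_name = $("#login_name").val().length;
        var password_box = $("#login_password").val();
        var has_password = (password_box) ? password_box.length : 0;
        if (!has_name) {
            $("#login_name").focus();
        } else if (!has_password) {
            $("#login_password").focus();
        }
    }
);
EOSCR
    ).
    n.'</div><!-- /txp-body -->'.n.'</body>'.n.'</html>';

    exit(0);
}

// -------------------------------------------------------------
/**
 * Establish the global $txp_user from the request, if possible.
 *
 * Handles, in this order: an existing txp_login cookie (including logout),
 * a posted user name and password, a posted reset request, the reset form
 * request, and a reset confirmation link. Only the first matching case runs.
 *
 * Session model: the cookie carries "name,hex" where hex is a 32-character
 * random token; txp_users.nonce holds md5(name . raw bytes of the token), so
 * the database stores a digest of the cookie secret, not the secret itself.
 *
 * @return mixed '' on success or when there is nothing to report; otherwise
 *               a message (string or array(text, E_ERROR)) for the login form.
 */
function doTxpValidate()
{
    global $logout, $txp_user;
    $p_userid   = ps('p_userid');
    $p_password = ps('p_password');
    $p_reset    = ps('p_reset');
    $stay       = ps('stay');
    $logout     = gps('logout');
    $message    = '';
    $pub_path   = preg_replace('|//$|','/', rhu.'/');

    // Split the cookie into user id and hash; everything before the last comma
    // is the user id.
    if (cs('txp_login') and strpos(cs('txp_login'), ','))
    {
        $txp_login = explode(',', cs('txp_login'));
        $c_hash    = end($txp_login);
        $c_userid  = join(',', array_slice($txp_login, 0, -1));
    }
    else
    {
        $c_hash   = '';
        $c_userid = '';
    }

    if ($logout)
    {
        setcookie('txp_login', '', time()-3600);
        setcookie('txp_login_public', '', time()-3600, $pub_path);
    }

    if ($c_userid and strlen($c_hash) == 32) // cookie exists
    {
        // Sessions idle for more than 30 days are not honoured.
        $nonce = safe_field('nonce', 'txp_users', "name='".doSlash($c_userid)."' AND last_access > DATE_SUB(NOW(), INTERVAL 30 DAY)");

        // Constant-time comparison: the stored nonce also seeds the reset
        // confirmation value and the public cookie, so it is treated as a secret.
        if ($nonce and txp_auth_equals($nonce, md5($c_userid.pack('H*', $c_hash))))
        {
            // cookie is good

            if ($logout)
            {
                // destroy nonce
                safe_update(
                    'txp_users',
                    "nonce = '".doSlash(txp_auth_token())."'",
                    "name = '".doSlash($c_userid)."'"
                );
            }
            else
            {
                // create $txp_user
                $txp_user = $c_userid;
            }
            return $message;
        }
        else
        {
            // Keep only the user name in the cookie so the form can prefill it;
            // without a hash part the next request normally skips this branch.
            // Same HttpOnly setting as the cookie written at login.
            setcookie('txp_login', $c_userid, time()+3600*24*365, null, null, null, LOGIN_COOKIE_HTTP_ONLY);
            setcookie('txp_login_public', '', time()-3600, $pub_path);
            $message = array(gTxt('bad_cookie'), E_ERROR);
        }

    }
    elseif ($p_userid and $p_password) // incoming login vars
    {
        $name = txp_validate($p_userid,$p_password);

        if ($name !== FALSE)
        {
            // A fresh token per login; any nonce from an earlier session is
            // overwritten, which invalidates that session's cookie.
            $c_hash = txp_auth_token();
            $nonce  = md5($name.pack('H*',$c_hash));

            safe_update(
                'txp_users',
                "nonce = '".doSlash($nonce)."'",
                "name = '".doSlash($name)."'"
            );

            // The secure flag is passed as null, so this call does not restrict
            // the cookie to HTTPS.
            // NOTE(review): consider setting it when the admin side is served over TLS.
            setcookie(
                'txp_login',
                $name.','.$c_hash,
                ($stay ? time()+3600*24*365 : 0),
                null,
                null,
                null,
                LOGIN_COOKIE_HTTP_ONLY
            );

            // Public-side cookie: last 10 hex digits of md5(nonce) plus the
            // user name, readable by scripts (no HttpOnly argument).
            setcookie(
                'txp_login_public',
                substr(md5($nonce), -10).$name,
                ($stay ? time()+3600*24*30 : 0),
                $pub_path
            );

            // login is good, create $txp_user
            $txp_user = $name;
            return '';
        }
        else
        {
            // Fixed delay on failure; this is the only throttle visible in this
            // file (no per-account or per-address lockout here).
            sleep(3);
            $message = array(gTxt('could_not_log_in'), E_ERROR);
        }
    }
    elseif ($p_reset) // reset request
    {
        sleep(3);

        include_once txpath.'/lib/txplib_admin.php';

        $message = ($p_userid) ? send_reset_confirmation_request($p_userid) : '';
    }
    elseif (gps('reset'))
    {
        $message = '';
    }
    elseif (gps('confirm'))
    {
        sleep(3);

        // The confirm parameter is hex for: 5 bytes derived from the nonce,
        // followed by the user name.
        $confirm = pack('H*', gps('confirm'));
        $name    = substr($confirm, 5);
        $nonce   = safe_field('nonce', 'txp_users', "name = '".doSlash($name)."'");

        // NOTE(review): the expected value is the first 10 hex digits of
        // md5(nonce), i.e. 40 bits, guarded by the fixed delay above; nothing in
        // this file expires it other than the nonce changing.
        if ($nonce and txp_auth_equals(pack('H*', substr(md5($nonce), 0, 10)).$name, $confirm))
        {
            include_once txpath.'/lib/txplib_admin.php';

            $message = reset_author_pass($name);
        }
    }

    // Every path that reaches this point has not authenticated a user.
    $txp_user = '';
    return $message;
}
?>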