2010-07-04 23:45:56 -04:00
< ? php
2012-01-12 18:46:39 -05:00
require_once ( 'include/security.php' );
2012-11-08 19:00:37 -05:00
require_once ( 'include/datetime.php' );
2012-01-12 18:46:39 -05:00
2010-11-30 02:16:14 -05:00
function nuke_session () {
2015-12-22 16:11:08 -05:00
2016-04-25 14:43:40 -04:00
new_cookie ( - 3600 ); // make sure cookie is deleted on browser close, as a security measure
2016-04-05 17:28:33 -04:00
session_unset ();
2016-04-25 14:43:40 -04:00
session_destroy ();
2010-11-30 02:16:14 -05:00
}
2016-04-24 18:02:43 -04:00
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if ( isset ( $_COOKIE [ " Friendica " ])) {
$data = json_decode ( $_COOKIE [ " Friendica " ]);
if ( isset ( $data -> uid )) {
$r = q ( " SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
FROM `user` WHERE `uid` = % d AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1 " ,
intval ( $data -> uid )
);
if ( $r ) {
2016-04-25 05:19:42 -04:00
if ( $data -> hash != cookie_hash ( $r [ 0 ])) {
logger ( " Hash for user " . $data -> uid . " doesn't fit. " );
nuke_session ();
goaway ( z_root ());
}
2016-04-24 18:02:43 -04:00
// Renew the cookie
2016-04-25 05:19:42 -04:00
new_cookie ( 604800 , $r [ 0 ]);
2016-04-24 18:02:43 -04:00
// Do the authentification if not done by now
if ( ! isset ( $_SESSION ) OR ! isset ( $_SESSION [ 'authenticated' ])) {
2016-04-25 01:10:40 -04:00
authenticate_success ( $r [ 0 ]);
2016-04-24 18:02:43 -04:00
2016-04-25 01:10:40 -04:00
if ( get_config ( 'system' , 'paranoia' ))
$_SESSION [ 'addr' ] = $data -> ip ;
2016-04-24 18:02:43 -04:00
}
}
}
}
2010-11-30 02:16:14 -05:00
2016-04-25 01:10:40 -04:00
2015-12-22 05:25:37 -05:00
// login/logout
2010-07-04 23:45:56 -04:00
2010-10-31 19:38:22 -04:00
if (( isset ( $_SESSION )) && ( x ( $_SESSION , 'authenticated' )) && (( ! ( x ( $_POST , 'auth-params' ))) || ( $_POST [ 'auth-params' ] !== 'login' ))) {
2010-10-10 19:16:29 -04:00
2010-10-31 19:38:22 -04:00
if ((( x ( $_POST , 'auth-params' )) && ( $_POST [ 'auth-params' ] === 'logout' )) || ( $a -> module === 'logout' )) {
2015-12-22 05:25:37 -05:00
2010-10-10 19:16:29 -04:00
// process logout request
2012-03-12 10:58:59 -04:00
call_hooks ( " logging_out " );
2010-11-30 02:16:14 -05:00
nuke_session ();
2016-04-25 01:10:40 -04:00
info ( t ( 'Logged out.' ) . EOL );
2011-08-02 00:02:25 -04:00
goaway ( z_root ());
2010-07-04 23:45:56 -04:00
}
2010-10-10 19:16:29 -04:00
2011-05-15 19:36:49 -04:00
if ( x ( $_SESSION , 'visitor_id' ) && ( ! x ( $_SESSION , 'uid' ))) {
2011-05-10 01:15:19 -04:00
$r = q ( " SELECT * FROM `contact` WHERE `id` = %d LIMIT 1 " ,
intval ( $_SESSION [ 'visitor_id' ])
);
if ( count ( $r )) {
$a -> contact = $r [ 0 ];
}
}
2010-07-04 23:45:56 -04:00
if ( x ( $_SESSION , 'uid' )) {
2010-10-10 19:16:29 -04:00
// already logged in user returning
2010-11-30 02:16:14 -05:00
$check = get_config ( 'system' , 'paranoia' );
// extra paranoia - if the IP changed, log them out
if ( $check && ( $_SESSION [ 'addr' ] != $_SERVER [ 'REMOTE_ADDR' ])) {
2015-12-22 16:11:08 -05:00
logger ( 'Session address changed. Paranoid setting in effect, blocking session. '
2016-04-25 01:10:40 -04:00
. $_SESSION [ 'addr' ] . ' != ' . $_SERVER [ 'REMOTE_ADDR' ]);
2010-11-30 02:16:14 -05:00
nuke_session ();
2011-08-02 00:02:25 -04:00
goaway ( z_root ());
2010-11-30 02:16:14 -05:00
}
2015-12-22 16:11:08 -05:00
$r = q ( " SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
2012-11-02 16:43:47 -04:00
FROM `user` WHERE `uid` = % d AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1 " ,
2010-10-10 19:16:29 -04:00
intval ( $_SESSION [ 'uid' ])
);
if ( ! count ( $r )) {
2010-11-30 02:16:14 -05:00
nuke_session ();
2011-08-02 00:02:25 -04:00
goaway ( z_root ());
2010-07-04 23:45:56 -04:00
}
2010-10-10 19:16:29 -04:00
2012-11-08 19:00:37 -05:00
// Make sure to refresh the last login time for the user if the user
// stays logged in for a long time, e.g. with "Remember Me"
$login_refresh = false ;
if ( ! x ( $_SESSION [ 'last_login_date' ])) {
$_SESSION [ 'last_login_date' ] = datetime_convert ( 'UTC' , 'UTC' );
}
2016-04-25 01:10:40 -04:00
if ( strcmp ( datetime_convert ( 'UTC' , 'UTC' , 'now - 12 hours' ), $_SESSION [ 'last_login_date' ]) > 0 ) {
2012-11-08 19:00:37 -05:00
$_SESSION [ 'last_login_date' ] = datetime_convert ( 'UTC' , 'UTC' );
$login_refresh = true ;
}
authenticate_success ( $r [ 0 ], false , false , $login_refresh );
2010-07-04 23:45:56 -04:00
}
2016-04-05 17:28:33 -04:00
} else {
2010-10-10 19:16:29 -04:00
2016-04-25 01:10:40 -04:00
session_unset ();
2010-09-19 00:11:18 -04:00
2010-11-17 20:03:27 -05:00
if (( x ( $_POST , 'password' )) && strlen ( $_POST [ 'password' ]))
2010-10-30 16:25:37 -04:00
$encrypted = hash ( 'whirlpool' , trim ( $_POST [ 'password' ]));
2010-11-17 02:26:14 -05:00
else {
2011-10-17 10:53:59 -04:00
if (( x ( $_POST , 'openid_url' )) && strlen ( $_POST [ 'openid_url' ]) ||
( x ( $_POST , 'username' )) && strlen ( $_POST [ 'username' ])) {
2010-11-18 18:06:33 -05:00
2010-11-28 23:58:23 -05:00
$noid = get_config ( 'system' , 'no_openid' );
2016-04-25 01:10:40 -04:00
$openid_url = trim (( strlen ( $_POST [ 'openid_url' ]) ? $_POST [ 'openid_url' ] : $_POST [ 'username' ]));
2010-11-18 18:06:33 -05:00
// validate_url alters the calling parameter
$temp_string = $openid_url ;
// if it's an email address or doesn't resolve to a URL, fail.
2010-11-28 23:58:23 -05:00
if (( $noid ) || ( strpos ( $temp_string , '@' )) || ( ! validate_url ( $temp_string ))) {
2010-11-18 18:06:33 -05:00
$a = get_app ();
2016-04-25 01:10:40 -04:00
notice ( t ( 'Login failed.' ) . EOL );
2011-08-02 00:02:25 -04:00
goaway ( z_root ());
2010-11-18 18:06:33 -05:00
// NOTREACHED
}
// Otherwise it's probably an openid.
2016-04-25 01:10:40 -04:00
try {
require_once ( 'library/openid.php' );
$openid = new LightOpenID ;
$openid -> identity = $openid_url ;
$_SESSION [ 'openid' ] = $openid_url ;
$a = get_app ();
$openid -> returnUrl = $a -> get_baseurl ( true ) . '/openid' ;
goaway ( $openid -> authUrl ());
} catch ( Exception $e ) {
notice ( t ( 'We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.' ) . '<br /><br >' . t ( 'The error message was:' ) . ' ' . $e -> getMessage ());
}
2012-03-19 18:03:09 -04:00
// NOTREACHED
2010-11-17 02:26:14 -05:00
}
}
2012-03-20 00:58:21 -04:00
2010-09-26 20:24:20 -04:00
if (( x ( $_POST , 'auth-params' )) && $_POST [ 'auth-params' ] === 'login' ) {
2010-10-10 19:16:29 -04:00
2010-12-27 17:59:26 -05:00
$record = null ;
2010-12-24 18:59:12 -05:00
$addon_auth = array (
2016-04-24 18:02:43 -04:00
'username' => trim ( $_POST [ 'username' ]),
2010-12-24 18:59:12 -05:00
'password' => trim ( $_POST [ 'password' ]),
2010-12-27 17:59:26 -05:00
'authenticated' => 0 ,
'user_record' => null
2010-12-24 18:59:12 -05:00
);
/**
*
2010-12-27 17:59:26 -05:00
* A plugin indicates successful login by setting 'authenticated' to non - zero value and returning a user record
2010-12-24 18:59:12 -05:00
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded .
*
*/
call_hooks ( 'authenticate' , $addon_auth );
2010-12-27 17:59:26 -05:00
if (( $addon_auth [ 'authenticated' ]) && ( count ( $addon_auth [ 'user_record' ]))) {
$record = $addon_auth [ 'user_record' ];
2016-04-25 01:10:40 -04:00
} else {
2010-12-27 17:59:26 -05:00
// process normal login request
2010-12-24 18:59:12 -05:00
2015-12-22 16:11:08 -05:00
$r = q ( " SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
2016-04-25 01:10:40 -04:00
FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
2012-11-02 16:43:47 -04:00
AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1 " ,
2011-10-17 10:53:59 -04:00
dbesc ( trim ( $_POST [ 'username' ])),
dbesc ( trim ( $_POST [ 'username' ])),
2010-12-24 18:59:12 -05:00
dbesc ( $encrypted )
);
2010-12-27 17:59:26 -05:00
if ( count ( $r ))
$record = $r [ 0 ];
2010-12-24 18:59:12 -05:00
}
2016-04-24 18:02:43 -04:00
if ( ! $record || ! count ( $record )) {
2016-04-25 01:10:40 -04:00
logger ( 'authenticate: failed login attempt: ' . notags ( trim ( $_POST [ 'username' ])) . ' from IP ' . $_SERVER [ 'REMOTE_ADDR' ]);
notice ( t ( 'Login failed.' ) . EOL );
2011-08-02 00:02:25 -04:00
goaway ( z_root ());
2016-04-25 01:10:40 -04:00
}
2010-12-27 17:59:26 -05:00
2016-04-24 18:02:43 -04:00
// If the user specified to remember the authentication, then set a cookie
// that expires after one week (the default is when the browser is closed).
// The cookie will be renewed automatically.
// The week ensures that sessions will expire after some inactivity.
if ( $_POST [ 'remember' ])
2016-04-25 05:19:42 -04:00
new_cookie ( 604800 , $r [ 0 ]);
2016-04-24 18:02:43 -04:00
else
2012-12-24 14:52:49 -05:00
new_cookie ( 0 ); // 0 means delete on browser exit
2012-11-07 20:59:30 -05:00
2012-01-12 18:46:39 -05:00
// if we haven't failed up this point, log them in.
2010-12-24 18:59:12 -05:00
2012-11-08 19:00:37 -05:00
$_SESSION [ 'last_login_date' ] = datetime_convert ( 'UTC' , 'UTC' );
2012-01-12 18:46:39 -05:00
authenticate_success ( $record , true , true );
2010-07-04 23:45:56 -04:00
}
}
2016-04-25 05:19:42 -04:00
function cookie_hash ( $user ) {
return ( hash ( " sha256 " , get_config ( " system " , " site_prvkey " ) .
$user [ " uprvkey " ] .
$user [ " password " ]));
}
function new_cookie ( $time , $user = array ()) {
2015-12-22 05:25:37 -05:00
2016-04-05 17:28:33 -04:00
if ( $time != 0 )
$time = $time + time ();
2010-07-04 23:45:56 -04:00
2016-04-25 05:19:42 -04:00
if ( $user )
$value = json_encode ( array ( " uid " => $user [ " uid " ],
" hash " => cookie_hash ( $user ),
" ip " => $_SERVER [ 'REMOTE_ADDR' ]));
else
$value = " " ;
2016-04-25 01:10:40 -04:00
setcookie ( " Friendica " , $value , $time , " / " , " " ,
( get_config ( 'system' , 'ssl_policy' ) == SSL_POLICY_FULL ), true );
2016-04-24 18:02:43 -04:00
2016-04-05 17:28:33 -04:00
return ;
2012-12-24 14:52:49 -05:00
}