1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 424: 425: 426: 427: 428: 429: 430: 431: 432: 433: 434: 435: 436: 437: 438: 439: 440: 441: 442: 443: 444: 445: 446: 447: 448: 449: 450: 451: 452: 453: 454: 455: 456: 457: 458: 459: 460: 461: 462: 463: 464: 465: 466: 467: 468: 469: 470: 471: 472: 473: 474: 475: 476: 477: 478: 479: 480: 481: 482: 483: 484: 485: 486: 487: 488: 489: 490: 491: 492: 493: 494: 495: 496: 497: 498: 499: 500: 501: 502: 503: 504: 505: 506: 507: 508: 509: 510: 511: 512: 513: 514: 515: 516: 517: 518: 519: 520: 521: 522: 523: 524: 525: 526: 527: 528: 529: 530: 531: 532: 533: 534: 535: 536: 537: 538: 539: 540: 541: 542: 543: 544: 545: 546: 547: 548: 549: 550: 551: 552: 553: 554: 555: 556: 557: 558: 559: 560: 561: 562: 563: 564: 565: 566: 567: 568: 569: 570: 571: 572: 573: 574: 575: 576: 577: 578: 579: 580: 581: 582: 583: 584: 585: 586: 587: 588: 589: 590: 591: 592: 593: 594: 595: 596: 597: 598: 599: 600: 601: 602: 603: 604: 605: 606: 607: 608: 609: 610: 611: 612: 613: 614: 615: 616: 617: 618: 619: 620: 621: 622: 623: 624: 625: 626: 627: 628: 629: 630: 631: 632: 633: 634: 635: 636: 637: 638: 639: 640: 641: 642: 643: 644: 645: 646: 647: 648: 649: 650: 651: 652: 653: 654: 655: 656: 657: 658: 659: 660: 661: 662: 663: 664: 665: 666: 667: 668: 669: 670: 671: 672: 673: 674: 675: 676: 677: 678: 679: 680: 681: 682: 683: 684: 685: 686: 687: 688: 689: 690: 691: 692: 693: 694: 695: 696: 697: 698: 699: 700: 701: 702: 703: 704: 705: 706: 707: 708: 709: 710: 711: 712: 713: 714: 715: 716: 717: 718: 719: 720: 721: 722: 723: 724: 725: 726: 727: 728: 729: 730: 731: 732: 733: 734: 735: 736: 737: 738: 739: 740: 741: 742: 743: 744: 745: 746: 747: 748: 749: 750: 751: 752: 753: 754: 755: 756: 757: 758: 759: 760: 761: 762: 763: 764: 765: 766: 767: 768: 769: 770: 771: 772: 773: 774: 775: 776: 777: 778: 779: 780: 781: 782: 783: 784: 785: 786: 787: 788: 789: 790: 791: 792: 793: 794: 795: 796: 797: 798: 799: 800: 801: 802: 803: 804: 805: 806: 807: 808: 809: 810: 811: 812: 813: 814: 815: 816: 817: 818: 819: 820: 821: 822: 823: 824: 825: 826: 827: 828: 829: 830: 831: 832: 833: 834: 835: 836: 837: 838: 839: 840: 841: 842: 843: 844: 845: 846: 847: 848: 849: 850: 851: 852:
<?php
if (!defined('SMF'))
die('No direct access...');
function Login()
{
global $txt, $context, $scripturl, $user_info;
if (!empty($user_info['id']))
redirectexit();
loadLanguage('Login');
loadTemplate('Login');
$context['sub_template'] = 'login';
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
{
$context['from_ajax'] = true;
$context['template_layers'] = array();
}
$context['page_title'] = $txt['login'];
$context['default_username'] = &$_REQUEST['u'];
$context['default_password'] = '';
$context['never_expire'] = false;
$context['linktree'][] = array(
'url' => $scripturl . '?action=login',
'name' => $txt['login'],
);
if (isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0)
$_SESSION['login_url'] = $_SESSION['old_url'];
elseif (isset($_SESSION['login_url']) && strpos($_SESSION['login_url'], 'dlattach') !== false)
unset($_SESSION['login_url']);
createToken('login');
}
function Login2()
{
global $txt, $scripturl, $user_info, $user_settings, $smcFunc;
global $cookiename, $modSettings, $context, $sourcedir, $maintenance;
if (!empty($modSettings['force_ssl']) && empty($maintenance) && !httpsOn())
fatal_lang_error('login_ssl_required', false);
require_once($sourcedir . '/Subs-Auth.php');
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
{
$context['from_ajax'] = true;
$context['template_layers'] = array();
}
if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest'])
{
if (isset($_COOKIE[$cookiename]) && preg_match('~^{"0":\d+,"1":"[0-9a-f]*","2":\d+~', $_COOKIE[$cookiename]) === 1)
list (,, $timeout) = $smcFunc['json_decode']($_COOKIE[$cookiename], true);
elseif (isset($_SESSION['login_' . $cookiename]) && preg_match('~^{"0":\d+,"1":"[0-9a-f]*","2":\d+~', $_SESSION['login_' . $cookiename]) === 1)
list (,, $timeout) = $smcFunc['json_decode']($_SESSION['login_' . $cookiename]);
elseif (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;i:\d+;i:1;s:(0|128):"([a-fA-F0-9]{128})?";i:2;[id]:\d+;~', $_COOKIE[$cookiename]) === 1)
list (,, $timeout) = safe_unserialize($_COOKIE[$cookiename]);
elseif (isset($_SESSION['login_' . $cookiename]) && preg_match('~^a:[34]:\{i:0;i:\d+;i:1;s:(0|128):"([a-fA-F0-9]{128})?";i:2;[id]:\d+;~', $_SESSION['login_' . $cookiename]) === 1)
list (,, $timeout) = safe_unserialize($_SESSION['login_' . $cookiename]);
else
trigger_error('Login2(): Cannot be logged in without a session or cookie', E_USER_ERROR);
$user_settings['password_salt'] = substr(md5($smcFunc['random_int']()), 0, 4);
updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt']));
if (!empty($modSettings['tfa_mode']) && !empty($_COOKIE[$cookiename . '_tfa']))
{
list (,, $exp) = $smcFunc['json_decode']($_COOKIE[$cookiename . '_tfa'], true);
setTFACookie((int) $exp - time(), $user_info['password_salt'], hash_salt($user_settings['tfa_backup'], $user_settings['password_salt']));
}
setLoginCookie((int) $timeout - time(), $user_info['id'], hash_salt($user_settings['passwd'], $user_settings['password_salt']));
redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
}
elseif (isset($_GET['sa']) && $_GET['sa'] == 'check')
{
if ($_GET['member'] != $user_info['id'])
fatal_lang_error('login_cookie_error', false);
$user_info['can_mod'] = allowedTo('access_mod_center') || (!$user_info['is_guest'] && ($user_info['mod_cache']['gq'] != '0=1' || $user_info['mod_cache']['bq'] != '0=1' || ($modSettings['postmod_active'] && !empty($user_info['mod_cache']['ap']))));
if (empty($_SESSION['login_url']))
redirectexit(empty($user_settings['tfa_secret']) ? '' : 'action=logintfa');
elseif (!empty($_SESSION['login_url']) && (strpos($_SESSION['login_url'], 'http://') === false && strpos($_SESSION['login_url'], 'https://') === false))
{
unset ($_SESSION['login_url']);
redirectexit(empty($user_settings['tfa_secret']) ? '' : 'action=logintfa');
}
elseif (!empty($user_settings['tfa_secret']))
{
redirectexit('action=logintfa');
}
else
{
$temp = $_SESSION['login_url'];
unset($_SESSION['login_url']);
redirectexit($temp);
}
}
if (!$user_info['is_guest'])
redirectexit();
checkSession();
validateToken('login');
spamProtection('login');
if ((empty($_SESSION['login_url']) && isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0) || (isset($_GET['quicklogin']) && isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'login') === false))
$_SESSION['login_url'] = $_SESSION['old_url'];
if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3)
fatal_lang_error('login_threshold_fail', 'login');
if (isset($_POST['cookieneverexp']) || (!empty($_POST['cookielength']) && $_POST['cookielength'] == -1))
$modSettings['cookieTime'] = 3153600;
elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 && $_POST['cookielength'] <= 3153600))
$modSettings['cookieTime'] = (int) $_POST['cookielength'];
loadLanguage('Login');
loadTemplate('Login');
$context['sub_template'] = 'login';
$context['default_username'] = isset($_POST['user']) ? preg_replace('~&#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', $smcFunc['htmlspecialchars']($_POST['user'])) : '';
$context['default_password'] = '';
$context['never_expire'] = $modSettings['cookieTime'] <= 525600;
$context['login_errors'] = array($txt['error_occured']);
$context['page_title'] = $txt['login'];
$context['linktree'][] = array(
'url' => $scripturl . '?action=login',
'name' => $txt['login'],
);
if (!isset($_POST['user']) || $_POST['user'] == '')
{
$context['login_errors'] = array($txt['need_username']);
return;
}
if (!isset($_POST['passwrd']) || $_POST['passwrd'] == '')
{
$context['login_errors'] = array($txt['no_password']);
return;
}
if (preg_match('~[<>&"\'=\\\]~', preg_replace('~(&#(\\d{1,7}|x[0-9a-fA-F]{1,6});)~', '', $_POST['user'])) != 0)
{
$context['login_errors'] = array($txt['error_invalid_characters_username']);
return;
}
if ($smcFunc['strlen']($_POST['user']) > 80)
{
$_POST['user'] = $smcFunc['substr']($_POST['user'], 0, 79);
$context['default_username'] = preg_replace('~&#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', $smcFunc['htmlspecialchars']($_POST['user']));
}
if (in_array('retry', call_integration_hook('integrate_validate_login', array($_POST['user'], isset($_POST['passwrd']) ? $_POST['passwrd'] : null, $modSettings['cookieTime'])), true))
{
$context['login_errors'] = array($txt['incorrect_password']);
return;
}
$request = $smcFunc['db_query']('', '
SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
passwd_flood, tfa_secret
FROM {db_prefix}members
WHERE ' . ($smcFunc['db_case_sensitive'] ? 'LOWER(member_name) = LOWER({string:user_name})' : 'member_name = {string:user_name}') . '
LIMIT 1',
array(
'user_name' => $smcFunc['db_case_sensitive'] ? strtolower($_POST['user']) : $_POST['user'],
)
);
if ($smcFunc['db_num_rows']($request) == 0 && strpos($_POST['user'], '@') !== false)
{
$smcFunc['db_free_result']($request);
$request = $smcFunc['db_query']('', '
SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
passwd_flood, tfa_secret
FROM {db_prefix}members
WHERE email_address = {string:user_name}
LIMIT 1',
array(
'user_name' => $_POST['user'],
)
);
}
if ($smcFunc['db_num_rows']($request) == 0)
{
$context['login_errors'] = array($txt['username_no_exist']);
return;
}
$user_settings = $smcFunc['db_fetch_assoc']($request);
$smcFunc['db_free_result']($request);
if (!hash_verify_password($user_settings['member_name'], un_htmlspecialchars($_POST['passwrd']), $user_settings['passwd']))
{
validatePasswordFlood($user_settings['id_member'], $user_settings['member_name'], $user_settings['passwd_flood']);
$other_passwords = array();
if (!empty($modSettings['enable_password_conversion']) && $user_settings['password_salt'] == '')
{
$other_passwords[] = crypt($_POST['passwrd'], substr($_POST['passwrd'], 0, 2));
$other_passwords[] = crypt($_POST['passwrd'], substr($user_settings['passwd'], 0, 2));
$other_passwords[] = md5($_POST['passwrd']);
$other_passwords[] = sha1($_POST['passwrd']);
$other_passwords[] = md5_hmac($_POST['passwrd'], strtolower($user_settings['member_name']));
$other_passwords[] = md5($_POST['passwrd'] . strtolower($user_settings['member_name']));
$other_passwords[] = md5(md5($_POST['passwrd']));
$other_passwords[] = $_POST['passwrd'];
$other_passwords[] = crypt(md5($_POST['passwrd']), md5($_POST['passwrd']));
if (strlen($user_settings['passwd']) == 64 && function_exists('mhash') && defined('MHASH_SHA256'))
$other_passwords[] = bin2hex(mhash(MHASH_SHA256, $_POST['passwrd']));
$other_passwords[] = phpBB3_password_check($_POST['passwrd'], $user_settings['passwd']);
$other_passwords[] = md5(crypt($_POST['passwrd'], 'CRYPT_MD5'));
}
elseif (!empty($modSettings['enable_password_conversion']) && strlen($user_settings['passwd']) == 32)
{
$other_passwords[] = md5(md5($_POST['passwrd']) . stripslashes($user_settings['password_salt']));
$other_passwords[] = md5(md5($user_settings['password_salt']) . md5($_POST['passwrd']));
$other_passwords[] = md5($user_settings['password_salt'] . $_POST['passwrd']);
$other_passwords[] = md5($_POST['passwrd'] . $user_settings['password_salt']);
}
elseif (strlen($user_settings['passwd']) == 40)
{
$other_passwords[] = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
if (!empty($modSettings['enable_password_conversion']))
$other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($_POST['passwrd'])));
if ($context['character_set'] == 'UTF-8' && !empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8')
{
if (function_exists('iconv'))
$other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $_POST['passwrd'])));
if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding'))
$other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($_POST['passwrd'], 'UTF-8', $modSettings['previousCharacterSet'])));
}
}
if (stripos(PHP_OS, 'win') !== 0 && strlen($user_settings['passwd']) < hash_length())
{
require_once($sourcedir . '/Subs-Compat.php');
$other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
}
call_integration_hook('integrate_other_passwords', array(&$other_passwords));
if (in_array($user_settings['passwd'], $other_passwords))
{
$user_settings['passwd'] = hash_password($user_settings['member_name'], un_htmlspecialchars($_POST['passwrd']));
$user_settings['password_salt'] = substr(md5($smcFunc['random_int']()), 0, 4);
updateMemberData($user_settings['id_member'], array('passwd' => $user_settings['passwd'], 'password_salt' => $user_settings['password_salt'], 'passwd_flood' => ''));
}
else
{
$_SESSION['failed_login'] = isset($_SESSION['failed_login']) ? ($_SESSION['failed_login'] + 1) : 1;
if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
redirectexit('action=reminder');
else
{
log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
$context['login_errors'] = array($txt['incorrect_password']);
return;
}
}
}
elseif (!empty($user_settings['passwd_flood']))
{
validatePasswordFlood($user_settings['id_member'], $user_settings['member_name'], $user_settings['passwd_flood'], true);
updateMemberData($user_settings['id_member'], array('passwd_flood' => ''));
}
if ($user_settings['password_salt'] == '')
{
$user_settings['password_salt'] = substr(md5($smcFunc['random_int']()), 0, 4);
updateMemberData($user_settings['id_member'], array('password_salt' => $user_settings['password_salt']));
}
if (!checkActivation())
return;
DoLogin();
}
function LoginTFA()
{
global $sourcedir, $txt, $context, $user_info, $modSettings, $scripturl;
if (!$user_info['is_guest'] || empty($context['tfa_member']) || empty($modSettings['tfa_mode']))
fatal_lang_error('no_access', false);
loadLanguage('Profile');
require_once($sourcedir . '/Class-TOTP.php');
$member = $context['tfa_member'];
if (time() - $member['last_login'] < 120)
fatal_lang_error('tfa_wait', false);
$totp = new \TOTP\Auth($member['tfa_secret']);
$totp->setRange(1);
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
{
$context['from_ajax'] = true;
$context['template_layers'] = array();
}
if (!empty($_POST['tfa_code']) && empty($_POST['tfa_backup']))
{
if (!empty($modSettings['force_ssl']) && empty($maintenance) && !httpsOn())
fatal_lang_error('login_ssl_required', false);
$code = $_POST['tfa_code'];
if (strlen($code) == $totp->getCodeLength() && $totp->validateCode($code))
{
updateMemberData($member['id_member'], array('last_login' => time()));
setTFACookie(3153600, $member['id_member'], hash_salt($member['tfa_backup'], $member['password_salt']));
redirectexit();
}
else
{
validatePasswordFlood($member['id_member'], $member['member_name'], $member['passwd_flood'], false, true);
$context['tfa_error'] = true;
$context['tfa_value'] = $_POST['tfa_code'];
}
}
elseif (!empty($_POST['tfa_backup']))
{
if (!empty($modSettings['force_ssl']) && empty($maintenance) && !httpsOn())
fatal_lang_error('login_ssl_required', false);
$backup = $_POST['tfa_backup'];
if (hash_verify_password($member['member_name'], $backup, $member['tfa_backup']))
{
updateMemberData($member['id_member'], array(
'tfa_secret' => '',
'tfa_backup' => '',
'last_login' => time(),
));
setTFACookie(3153600, $member['id_member'], hash_salt($member['tfa_backup'], $member['password_salt']));
redirectexit('action=profile;area=tfasetup;backup');
}
else
{
validatePasswordFlood($member['id_member'], $member['member_name'], $member['passwd_flood'], false, true);
$context['tfa_backup_error'] = true;
$context['tfa_value'] = $_POST['tfa_code'];
$context['tfa_backup_value'] = $_POST['tfa_backup'];
}
}
loadTemplate('Login');
$context['sub_template'] = 'login_tfa';
$context['page_title'] = $txt['login'];
$context['tfa_url'] = $scripturl . '?action=logintfa';
}
function checkActivation()
{
global $context, $txt, $scripturl, $user_settings, $modSettings;
if (!isset($context['login_errors']))
$context['login_errors'] = array();
$activation_status = $user_settings['is_activated'] > 10 ? $user_settings['is_activated'] - 10 : $user_settings['is_activated'];
if ($activation_status == 5)
{
$context['login_errors'][] = $txt['coppa_no_concent'] . ' <a href="' . $scripturl . '?action=coppa;member=' . $user_settings['id_member'] . '">' . $txt['coppa_need_more_details'] . '</a>';
return false;
}
elseif ($activation_status == 3)
fatal_lang_error('still_awaiting_approval', 'user');
elseif ($activation_status == 4)
{
if (isset($_REQUEST['undelete']))
{
updateMemberData($user_settings['id_member'], array('is_activated' => 1));
updateSettings(array('unapprovedMembers' => ($modSettings['unapprovedMembers'] > 0 ? $modSettings['unapprovedMembers'] - 1 : 0)));
}
else
{
$context['disable_login_hashing'] = true;
$context['login_errors'][] = $txt['awaiting_delete_account'];
$context['login_show_undelete'] = true;
return false;
}
}
elseif ($activation_status != 1)
{
log_error($txt['activate_not_completed1'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', false);
$context['login_errors'][] = $txt['activate_not_completed1'] . ' <a href="' . $scripturl . '?action=activate;sa=resend;u=' . $user_settings['id_member'] . '">' . $txt['activate_not_completed2'] . '</a>';
return false;
}
return true;
}
function DoLogin()
{
global $user_info, $user_settings, $smcFunc;
global $maintenance, $modSettings, $context, $sourcedir;
require_once($sourcedir . '/Subs-Auth.php');
call_integration_hook('integrate_login', array($user_settings['member_name'], null, $modSettings['cookieTime']));
$user_info['id'] = $user_settings['id_member'];
setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['id_member'], hash_salt($user_settings['passwd'], $user_settings['password_salt']));
if (isset($_SESSION['failed_login']))
unset($_SESSION['failed_login']);
$user_info['is_guest'] = false;
$user_settings['additional_groups'] = explode(',', $user_settings['additional_groups']);
$user_info['is_admin'] = $user_settings['id_group'] == 1 || in_array(1, $user_settings['additional_groups']);
is_not_banned(true);
unset($_SESSION['language'], $_SESSION['id_theme']);
$request = $smcFunc['db_query']('', '
SELECT last_login
FROM {db_prefix}members
WHERE id_member = {int:id_member}
AND last_login = 0',
array(
'id_member' => $user_info['id'],
)
);
if ($smcFunc['db_num_rows']($request) == 1)
$_SESSION['first_login'] = true;
else
unset($_SESSION['first_login']);
$smcFunc['db_free_result']($request);
$update = array('member_ip' => $user_info['ip'], 'member_ip2' => $_SERVER['BAN_CHECK_IP']);
if (empty($user_settings['tfa_secret']))
$update['last_login'] = time();
updateMemberData($user_info['id'], $update);
$smcFunc['db_query']('', '
DELETE FROM {db_prefix}log_online
WHERE session = {string:session}',
array(
'session' => 'ip' . $user_info['ip'],
)
);
$_SESSION['log_time'] = 0;
if (!empty($modSettings['loginHistoryDays']))
$smcFunc['db_insert']('insert',
'{db_prefix}member_logins',
array(
'id_member' => 'int', 'time' => 'int', 'ip' => 'inet', 'ip2' => 'inet',
),
array(
$user_info['id'], time(), $user_info['ip'], $user_info['ip2']
),
array(
'id_member', 'time'
)
);
if (empty($maintenance) || allowedTo('admin_forum'))
redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
else
redirectexit('action=logout;' . $context['session_var'] . '=' . $context['session_id'], $context['server']['needs_login_fix']);
}
function Logout($internal = false, $redirect = true)
{
global $sourcedir, $user_info, $user_settings, $context, $smcFunc, $cookiename, $modSettings;
if (!$internal)
checkSession('get');
require_once($sourcedir . '/Subs-Auth.php');
if (isset($_SESSION['pack_ftp']))
$_SESSION['pack_ftp'] = null;
unset($_SESSION['first_login']);
if (!$user_info['is_guest'])
{
call_integration_hook('integrate_logout', array($user_settings['member_name']));
$smcFunc['db_query']('', '
DELETE FROM {db_prefix}log_online
WHERE id_member = {int:current_member}',
array(
'current_member' => $user_info['id'],
)
);
}
$_SESSION['log_time'] = 0;
setLoginCookie(-3600, 0);
$salt = substr(md5($smcFunc['random_int']()), 0, 4);
if (!empty($user_info['id']))
updateMemberData($user_info['id'], array('password_salt' => $salt));
if (!empty($modSettings['tfa_mode']) && !empty($user_info['id']) && !empty($_COOKIE[$cookiename . '_tfa']))
{
list (,, $exp) = $smcFunc['json_decode']($_COOKIE[$cookiename . '_tfa'], true);
setTFACookie((int) $exp - time(), $salt, hash_salt($user_settings['tfa_backup'], $salt));
}
session_destroy();
if ($redirect)
{
if (empty($_SESSION['logout_url']))
redirectexit('', $context['server']['needs_login_fix']);
elseif (!empty($_SESSION['logout_url']) && (strpos($_SESSION['logout_url'], 'http://') === false && strpos($_SESSION['logout_url'], 'https://') === false))
{
unset ($_SESSION['logout_url']);
redirectexit();
}
else
{
$temp = $_SESSION['logout_url'];
unset($_SESSION['logout_url']);
redirectexit($temp, $context['server']['needs_login_fix']);
}
}
}
function md5_hmac($data, $key)
{
$key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)) . $data)));
}
function phpBB3_password_check($passwd, $passwd_hash)
{
if (strlen($passwd_hash) != 34)
return;
$range = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$strpos = strpos($range, $passwd_hash[3]);
$count = 1 << $strpos;
$salt = substr($passwd_hash, 4, 8);
$hash = md5($salt . $passwd, true);
for (; $count != 0; --$count)
$hash = md5($hash . $passwd, true);
$output = substr($passwd_hash, 0, 12);
$i = 0;
while ($i < 16)
{
$value = ord($hash[$i++]);
$output .= $range[$value & 0x3f];
if ($i < 16)
$value |= ord($hash[$i]) << 8;
$output .= $range[($value >> 6) & 0x3f];
if ($i++ >= 16)
break;
if ($i < 16)
$value |= ord($hash[$i]) << 16;
$output .= $range[($value >> 12) & 0x3f];
if ($i++ >= 16)
break;
$output .= $range[($value >> 18) & 0x3f];
}
return $output;
}
function validatePasswordFlood($id_member, $member_name, $password_flood_value = false, $was_correct = false, $tfa = false)
{
global $cookiename, $sourcedir;
if (!$tfa)
{
require_once($sourcedir . '/Subs-Auth.php');
setLoginCookie(-3600, 0);
if (isset($_SESSION['login_' . $cookiename]))
unset($_SESSION['login_' . $cookiename]);
}
if (!$id_member)
{
redirectexit();
fatal_lang_error('no_access', false);
}
if ($password_flood_value !== false)
@list ($time_stamp, $number_tries) = explode('|', $password_flood_value);
if (empty($number_tries) || empty($time_stamp))
{
$number_tries = 0;
$time_stamp = time();
}
if (!empty($number_tries))
{
$number_tries = $time_stamp < time() - 20 ? 2 : $number_tries;
if ($time_stamp < time() - 10)
$time_stamp = time();
}
$number_tries++;
if ($number_tries > 5)
fatal_lang_error('login_threshold_brute_fail', 'login', [$member_name]);
updateMemberData($id_member, array('passwd_flood' => $was_correct && $number_tries == 1 ? '' : $time_stamp . '|' . $number_tries));
}
?>