LogInOut.php 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794
  1. <?php
  2. /**
  3. * This file is concerned pretty entirely, as you see from its name, with
  4. * logging in and out members, and the validation of that.
  5. *
  6. * Simple Machines Forum (SMF)
  7. *
  8. * @package SMF
  9. * @author Simple Machines http://www.simplemachines.org
  10. * @copyright 2014 Simple Machines and individual contributors
  11. * @license http://www.simplemachines.org/about/smf/license.php BSD
  12. *
  13. * @version 2.1 Alpha 1
  14. */
  15. if (!defined('SMF'))
  16. die('No direct access...');
  17. /**
  18. * Ask them for their login information. (shows a page for the user to type
  19. * in their username and password.)
  20. * It caches the referring URL in $_SESSION['login_url'].
  21. * It is accessed from ?action=login.
  22. * @uses Login template and language file with the login sub-template.
  23. * @uses the protocol_login sub-template in the Wireless template,
  24. * if you are using a wireless device
  25. */
  26. function Login()
  27. {
  28. global $txt, $context, $scripturl, $user_info;
  29. // You are already logged in, go take a tour of the boards
  30. if (!empty($user_info['id']))
  31. redirectexit();
  32. // In wireless? If so, use the correct sub template.
  33. if (WIRELESS)
  34. $context['sub_template'] = WIRELESS_PROTOCOL . '_login';
  35. // Otherwise, we need to load the Login template/language file.
  36. else
  37. {
  38. loadLanguage('Login');
  39. loadTemplate('Login');
  40. $context['sub_template'] = 'login';
  41. if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
  42. {
  43. $context['from_ajax'] = true;
  44. $context['template_layers'] = array();
  45. }
  46. }
  47. // Get the template ready.... not really much else to do.
  48. $context['page_title'] = $txt['login'];
  49. $context['default_username'] = &$_REQUEST['u'];
  50. $context['default_password'] = '';
  51. $context['never_expire'] = false;
  52. // Add the login chain to the link tree.
  53. $context['linktree'][] = array(
  54. 'url' => $scripturl . '?action=login',
  55. 'name' => $txt['login'],
  56. );
  57. // Set the login URL - will be used when the login process is done (but careful not to send us to an attachment).
  58. if (isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0)
  59. $_SESSION['login_url'] = $_SESSION['old_url'];
  60. else
  61. unset($_SESSION['login_url']);
  62. // Need some js goodies.
  63. loadJavascriptFile('sha1.js', array('default_theme' => true), 'smf_sha1');
  64. // Create a one time token.
  65. createToken('login');
  66. }
  67. /**
  68. * Actually logs you in.
  69. * What it does:
  70. * - checks credentials and checks that login was successful.
  71. * - it employs protection against a specific IP or user trying to brute force
  72. * a login to an account.
  73. * - upgrades password encryption on login, if necessary.
  74. * - after successful login, redirects you to $_SESSION['login_url'].
  75. * - accessed from ?action=login2, by forms.
  76. * On error, uses the same templates Login() uses.
  77. */
  78. function Login2()
  79. {
  80. global $txt, $scripturl, $user_info, $user_settings, $smcFunc;
  81. global $cookiename, $modSettings, $context, $sc, $sourcedir;
  82. // Load cookie authentication stuff.
  83. require_once($sourcedir . '/Subs-Auth.php');
  84. if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest'])
  85. {
  86. if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;i:\d{1,7};i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~', $_COOKIE[$cookiename]) === 1)
  87. list (, , $timeout) = @unserialize($_COOKIE[$cookiename]);
  88. elseif (isset($_SESSION['login_' . $cookiename]))
  89. list (, , $timeout) = @unserialize($_SESSION['login_' . $cookiename]);
  90. else
  91. trigger_error('Login2(): Cannot be logged in without a session or cookie', E_USER_ERROR);
  92. $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
  93. updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt']));
  94. setLoginCookie($timeout - time(), $user_info['id'], sha1($user_settings['passwd'] . $user_settings['password_salt']));
  95. redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
  96. }
  97. // Double check the cookie...
  98. elseif (isset($_GET['sa']) && $_GET['sa'] == 'check')
  99. {
  100. // Strike! You're outta there!
  101. if ($_GET['member'] != $user_info['id'])
  102. fatal_lang_error('login_cookie_error', false);
  103. $user_info['can_mod'] = allowedTo('access_mod_center') || (!$user_info['is_guest'] && ($user_info['mod_cache']['gq'] != '0=1' || $user_info['mod_cache']['bq'] != '0=1' || ($modSettings['postmod_active'] && !empty($user_info['mod_cache']['ap']))));
  104. if ($user_info['can_mod'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
  105. {
  106. $_SESSION['moderate_time'] = time();
  107. unset($_SESSION['just_registered']);
  108. }
  109. // Some whitelisting for login_url...
  110. if (empty($_SESSION['login_url']))
  111. redirectexit();
  112. elseif (!empty($_SESSION['login_url']) && (strpos('http://', $_SESSION['login_url']) === false && strpos('https://', $_SESSION['login_url']) === false))
  113. {
  114. unset ($_SESSION['login_url']);
  115. redirectexit();
  116. }
  117. else
  118. {
  119. // Best not to clutter the session data too much...
  120. $temp = $_SESSION['login_url'];
  121. unset($_SESSION['login_url']);
  122. redirectexit($temp);
  123. }
  124. }
  125. // Beyond this point you are assumed to be a guest trying to login.
  126. if (!$user_info['is_guest'])
  127. redirectexit();
  128. // Are you guessing with a script?
  129. checkSession();
  130. $tk = validateToken('login');
  131. spamProtection('login');
  132. // Set the login_url if it's not already set (but careful not to send us to an attachment).
  133. if ((empty($_SESSION['login_url']) && isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0) || (isset($_GET['quicklogin']) && isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'login') === false))
  134. $_SESSION['login_url'] = $_SESSION['old_url'];
  135. // Been guessing a lot, haven't we?
  136. if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3)
  137. fatal_lang_error('login_threshold_fail', 'critical');
  138. // Set up the cookie length. (if it's invalid, just fall through and use the default.)
  139. if (isset($_POST['cookieneverexp']) || (!empty($_POST['cookielength']) && $_POST['cookielength'] == -1))
  140. $modSettings['cookieTime'] = 3153600;
  141. elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600))
  142. $modSettings['cookieTime'] = (int) $_POST['cookielength'];
  143. loadLanguage('Login');
  144. // Load the template stuff - wireless or normal.
  145. if (WIRELESS)
  146. $context['sub_template'] = WIRELESS_PROTOCOL . '_login';
  147. else
  148. {
  149. loadTemplate('Login');
  150. $context['sub_template'] = 'login';
  151. }
  152. // Set up the default/fallback stuff.
  153. $context['default_username'] = isset($_POST['user']) ? preg_replace('~&amp;#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', $smcFunc['htmlspecialchars']($_POST['user'])) : '';
  154. $context['default_password'] = '';
  155. $context['never_expire'] = $modSettings['cookieTime'] == 525600 || $modSettings['cookieTime'] == 3153600;
  156. $context['login_errors'] = array($txt['error_occured']);
  157. $context['page_title'] = $txt['login'];
  158. // Add the login chain to the link tree.
  159. $context['linktree'][] = array(
  160. 'url' => $scripturl . '?action=login',
  161. 'name' => $txt['login'],
  162. );
  163. if (!empty($_POST['openid_identifier']) && !empty($modSettings['enableOpenID']))
  164. {
  165. require_once($sourcedir . '/Subs-OpenID.php');
  166. if (($open_id = smf_openID_validate($_POST['openid_identifier'])) !== 'no_data')
  167. return $open_id;
  168. }
  169. // You forgot to type your username, dummy!
  170. if (!isset($_POST['user']) || $_POST['user'] == '')
  171. {
  172. $context['login_errors'] = array($txt['need_username']);
  173. return;
  174. }
  175. // Hmm... maybe 'admin' will login with no password. Uhh... NO!
  176. if ((!isset($_POST['passwrd']) || $_POST['passwrd'] == '') && (!isset($_POST['hash_passwrd']) || strlen($_POST['hash_passwrd']) != 40))
  177. {
  178. $context['login_errors'] = array($txt['no_password']);
  179. return;
  180. }
  181. // No funky symbols either.
  182. if (preg_match('~[<>&"\'=\\\]~', preg_replace('~(&#(\\d{1,7}|x[0-9a-fA-F]{1,6});)~', '', $_POST['user'])) != 0)
  183. {
  184. $context['login_errors'] = array($txt['error_invalid_characters_username']);
  185. return;
  186. }
  187. // And if it's too long, trim it back.
  188. if ($smcFunc['strlen']($_POST['user']) > 80)
  189. {
  190. $_POST['user'] = $smcFunc['substr']($_POST['user'], 0, 79);
  191. $context['default_username'] = preg_replace('~&amp;#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', $smcFunc['htmlspecialchars']($_POST['user']));
  192. }
  193. // Are we using any sort of integration to validate the login?
  194. if (in_array('retry', call_integration_hook('integrate_validate_login', array($_POST['user'], isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40 ? $_POST['hash_passwrd'] : null, $modSettings['cookieTime'])), true))
  195. {
  196. $context['login_errors'] = array($txt['login_hash_error']);
  197. $context['disable_login_hashing'] = true;
  198. return;
  199. }
  200. // Load the data up!
  201. $request = $smcFunc['db_query']('', '
  202. SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
  203. openid_uri, passwd_flood
  204. FROM {db_prefix}members
  205. WHERE ' . ($smcFunc['db_case_sensitive'] ? 'LOWER(member_name) = LOWER({string:user_name})' : 'member_name = {string:user_name}') . '
  206. LIMIT 1',
  207. array(
  208. 'user_name' => $smcFunc['db_case_sensitive'] ? strtolower($_POST['user']) : $_POST['user'],
  209. )
  210. );
  211. // Probably mistyped or their email, try it as an email address. (member_name first, though!)
  212. if ($smcFunc['db_num_rows']($request) == 0 && strpos($_POST['user'], '@') !== false)
  213. {
  214. $smcFunc['db_free_result']($request);
  215. $request = $smcFunc['db_query']('', '
  216. SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt, openid_uri,
  217. passwd_flood
  218. FROM {db_prefix}members
  219. WHERE email_address = {string:user_name}
  220. LIMIT 1',
  221. array(
  222. 'user_name' => $_POST['user'],
  223. )
  224. );
  225. }
  226. // Let them try again, it didn't match anything...
  227. if ($smcFunc['db_num_rows']($request) == 0)
  228. {
  229. $context['login_errors'] = array($txt['username_no_exist']);
  230. return;
  231. }
  232. $user_settings = $smcFunc['db_fetch_assoc']($request);
  233. $smcFunc['db_free_result']($request);
  234. // Figure out the password using SMF's encryption - if what they typed is right.
  235. if (isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40)
  236. {
  237. // Needs upgrading?
  238. if (strlen($user_settings['passwd']) != 40)
  239. {
  240. $context['login_errors'] = array($txt['login_hash_error']);
  241. $context['disable_login_hashing'] = true;
  242. unset($user_settings);
  243. return;
  244. }
  245. // Challenge passed.
  246. elseif ($_POST['hash_passwrd'] == sha1($user_settings['passwd'] . $sc . $tk))
  247. $sha_passwd = $user_settings['passwd'];
  248. else
  249. {
  250. // Don't allow this!
  251. validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
  252. $_SESSION['failed_login'] = isset($_SESSION['failed_login']) ? ($_SESSION['failed_login'] + 1) : 1;
  253. if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
  254. redirectexit('action=reminder');
  255. else
  256. {
  257. log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
  258. $context['disable_login_hashing'] = true;
  259. $context['login_errors'] = array($txt['incorrect_password']);
  260. unset($user_settings);
  261. return;
  262. }
  263. }
  264. }
  265. else
  266. $sha_passwd = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
  267. // Bad password! Thought you could fool the database?!
  268. if ($user_settings['passwd'] != $sha_passwd)
  269. {
  270. // Let's be cautious, no hacking please. thanx.
  271. validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
  272. // Maybe we were too hasty... let's try some other authentication methods.
  273. $other_passwords = array();
  274. // None of the below cases will be used most of the time (because the salt is normally set.)
  275. if (!empty($modSettings['enable_password_conversion']) && $user_settings['password_salt'] == '')
  276. {
  277. // YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x, IkonBoard, and none at all.
  278. $other_passwords[] = crypt($_POST['passwrd'], substr($_POST['passwrd'], 0, 2));
  279. $other_passwords[] = crypt($_POST['passwrd'], substr($user_settings['passwd'], 0, 2));
  280. $other_passwords[] = md5($_POST['passwrd']);
  281. $other_passwords[] = sha1($_POST['passwrd']);
  282. $other_passwords[] = md5_hmac($_POST['passwrd'], strtolower($user_settings['member_name']));
  283. $other_passwords[] = md5($_POST['passwrd'] . strtolower($user_settings['member_name']));
  284. $other_passwords[] = md5(md5($_POST['passwrd']));
  285. $other_passwords[] = $_POST['passwrd'];
  286. // This one is a strange one... MyPHP, crypt() on the MD5 hash.
  287. $other_passwords[] = crypt(md5($_POST['passwrd']), md5($_POST['passwrd']));
  288. // Snitz style - SHA-256. Technically, this is a downgrade, but most PHP configurations don't support sha256 anyway.
  289. if (strlen($user_settings['passwd']) == 64 && function_exists('mhash') && defined('MHASH_SHA256'))
  290. $other_passwords[] = bin2hex(mhash(MHASH_SHA256, $_POST['passwrd']));
  291. // phpBB3 users new hashing. We now support it as well ;).
  292. $other_passwords[] = phpBB3_password_check($_POST['passwrd'], $user_settings['passwd']);
  293. // APBoard 2 Login Method.
  294. $other_passwords[] = md5(crypt($_POST['passwrd'], 'CRYPT_MD5'));
  295. }
  296. // The hash should be 40 if it's SHA-1, so we're safe with more here too.
  297. elseif (!empty($modSettings['enable_password_conversion']) && strlen($user_settings['passwd']) == 32)
  298. {
  299. // vBulletin 3 style hashing? Let's welcome them with open arms \o/.
  300. $other_passwords[] = md5(md5($_POST['passwrd']) . stripslashes($user_settings['password_salt']));
  301. // Hmm.. p'raps it's Invision 2 style?
  302. $other_passwords[] = md5(md5($user_settings['password_salt']) . md5($_POST['passwrd']));
  303. // Some common md5 ones.
  304. $other_passwords[] = md5($user_settings['password_salt'] . $_POST['passwrd']);
  305. $other_passwords[] = md5($_POST['passwrd'] . $user_settings['password_salt']);
  306. }
  307. elseif (strlen($user_settings['passwd']) == 40)
  308. {
  309. // Maybe they are using a hash from before the password fix.
  310. $other_passwords[] = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
  311. // BurningBoard3 style of hashing.
  312. if (!empty($modSettings['enable_password_conversion']))
  313. $other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($_POST['passwrd'])));
  314. // Perhaps we converted to UTF-8 and have a valid password being hashed differently.
  315. if ($context['character_set'] == 'utf8' && !empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8')
  316. {
  317. // Try iconv first, for no particular reason.
  318. if (function_exists('iconv'))
  319. $other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $_POST['passwrd'])));
  320. // Say it aint so, iconv failed!
  321. if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding'))
  322. $other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($_POST['passwrd'], 'UTF-8', $modSettings['previousCharacterSet'])));
  323. }
  324. }
  325. // SMF's sha1 function can give a funny result on Linux (Not our fault!). If we've now got the real one let the old one be valid!
  326. if (stripos(PHP_OS, 'win') !== 0)
  327. {
  328. require_once($sourcedir . '/Subs-Compat.php');
  329. $other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
  330. }
  331. // Allows mods to easily extend the $other_passwords array
  332. call_integration_hook('integrate_other_passwords', array(&$other_passwords));
  333. // Whichever encryption it was using, let's make it use SMF's now ;).
  334. if (in_array($user_settings['passwd'], $other_passwords))
  335. {
  336. $user_settings['passwd'] = $sha_passwd;
  337. $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
  338. // Update the password and set up the hash.
  339. updateMemberData($user_settings['id_member'], array('passwd' => $user_settings['passwd'], 'password_salt' => $user_settings['password_salt'], 'passwd_flood' => ''));
  340. }
  341. // Okay, they for sure didn't enter the password!
  342. else
  343. {
  344. // They've messed up again - keep a count to see if they need a hand.
  345. $_SESSION['failed_login'] = isset($_SESSION['failed_login']) ? ($_SESSION['failed_login'] + 1) : 1;
  346. // Hmm... don't remember it, do you? Here, try the password reminder ;).
  347. if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
  348. redirectexit('action=reminder');
  349. // We'll give you another chance...
  350. else
  351. {
  352. // Log an error so we know that it didn't go well in the error log.
  353. log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
  354. $context['login_errors'] = array($txt['incorrect_password']);
  355. return;
  356. }
  357. }
  358. }
  359. elseif (!empty($user_settings['passwd_flood']))
  360. {
  361. // Let's be sure they weren't a little hacker.
  362. validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood'], true);
  363. // If we got here then we can reset the flood counter.
  364. updateMemberData($user_settings['id_member'], array('passwd_flood' => ''));
  365. }
  366. // Correct password, but they've got no salt; fix it!
  367. if ($user_settings['password_salt'] == '')
  368. {
  369. $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
  370. updateMemberData($user_settings['id_member'], array('password_salt' => $user_settings['password_salt']));
  371. }
  372. // Check their activation status.
  373. if (!checkActivation())
  374. return;
  375. DoLogin();
  376. }
  377. /**
  378. * Check activation status of the current user.
  379. */
  380. function checkActivation()
  381. {
  382. global $context, $txt, $scripturl, $user_settings, $modSettings;
  383. if (!isset($context['login_errors']))
  384. $context['login_errors'] = array();
  385. // What is the true activation status of this account?
  386. $activation_status = $user_settings['is_activated'] > 10 ? $user_settings['is_activated'] - 10 : $user_settings['is_activated'];
  387. // Check if the account is activated - COPPA first...
  388. if ($activation_status == 5)
  389. {
  390. $context['login_errors'][] = $txt['coppa_no_concent'] . ' <a href="' . $scripturl . '?action=coppa;member=' . $user_settings['id_member'] . '">' . $txt['coppa_need_more_details'] . '</a>';
  391. return false;
  392. }
  393. // Awaiting approval still?
  394. elseif ($activation_status == 3)
  395. fatal_lang_error('still_awaiting_approval', 'user');
  396. // Awaiting deletion, changed their mind?
  397. elseif ($activation_status == 4)
  398. {
  399. if (isset($_REQUEST['undelete']))
  400. {
  401. updateMemberData($user_settings['id_member'], array('is_activated' => 1));
  402. updateSettings(array('unapprovedMembers' => ($modSettings['unapprovedMembers'] > 0 ? $modSettings['unapprovedMembers'] - 1 : 0)));
  403. }
  404. else
  405. {
  406. $context['disable_login_hashing'] = true;
  407. $context['login_errors'][] = $txt['awaiting_delete_account'];
  408. $context['login_show_undelete'] = true;
  409. return false;
  410. }
  411. }
  412. // Standard activation?
  413. elseif ($activation_status != 1)
  414. {
  415. log_error($txt['activate_not_completed1'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', false);
  416. $context['login_errors'][] = $txt['activate_not_completed1'] . ' <a href="' . $scripturl . '?action=activate;sa=resend;u=' . $user_settings['id_member'] . '">' . $txt['activate_not_completed2'] . '</a>';
  417. return false;
  418. }
  419. return true;
  420. }
  421. /**
  422. * Perform the logging in. (set cookie, call hooks, etc)
  423. */
  424. function DoLogin()
  425. {
  426. global $user_info, $user_settings, $smcFunc;
  427. global $maintenance, $modSettings, $context, $sourcedir;
  428. // Load cookie authentication stuff.
  429. require_once($sourcedir . '/Subs-Auth.php');
  430. // Call login integration functions.
  431. call_integration_hook('integrate_login', array($user_settings['member_name'], isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40 ? $_POST['hash_passwrd'] : null, $modSettings['cookieTime']));
  432. // Get ready to set the cookie...
  433. $username = $user_settings['member_name'];
  434. $user_info['id'] = $user_settings['id_member'];
  435. // Bam! Cookie set. A session too, just in case.
  436. setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['id_member'], sha1($user_settings['passwd'] . $user_settings['password_salt']));
  437. // Reset the login threshold.
  438. if (isset($_SESSION['failed_login']))
  439. unset($_SESSION['failed_login']);
  440. $user_info['is_guest'] = false;
  441. $user_settings['additional_groups'] = explode(',', $user_settings['additional_groups']);
  442. $user_info['is_admin'] = $user_settings['id_group'] == 1 || in_array(1, $user_settings['additional_groups']);
  443. // Are you banned?
  444. is_not_banned(true);
  445. // An administrator, set up the login so they don't have to type it again.
  446. if ($user_info['is_admin'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
  447. {
  448. $_SESSION['admin_time'] = time();
  449. unset($_SESSION['just_registered']);
  450. }
  451. // Don't stick the language or theme after this point.
  452. unset($_SESSION['language'], $_SESSION['id_theme']);
  453. // First login?
  454. $request = $smcFunc['db_query']('', '
  455. SELECT last_login
  456. FROM {db_prefix}members
  457. WHERE id_member = {int:id_member}
  458. AND last_login = 0',
  459. array(
  460. 'id_member' => $user_info['id'],
  461. )
  462. );
  463. if ($smcFunc['db_num_rows']($request) == 1)
  464. $_SESSION['first_login'] = true;
  465. else
  466. unset($_SESSION['first_login']);
  467. $smcFunc['db_free_result']($request);
  468. // You've logged in, haven't you?
  469. updateMemberData($user_info['id'], array('last_login' => time(), 'member_ip' => $user_info['ip'], 'member_ip2' => $_SERVER['BAN_CHECK_IP']));
  470. // Get rid of the online entry for that old guest....
  471. $smcFunc['db_query']('', '
  472. DELETE FROM {db_prefix}log_online
  473. WHERE session = {string:session}',
  474. array(
  475. 'session' => 'ip' . $user_info['ip'],
  476. )
  477. );
  478. $_SESSION['log_time'] = 0;
  479. // Log this entry, only if we have it enabled.
  480. if (!empty($modSettings['loginHistoryDays']))
  481. $smcFunc['db_insert']('insert',
  482. '{db_prefix}member_logins',
  483. array(
  484. 'id_member' => 'int', 'time' => 'int', 'ip' => 'string', 'ip2' => 'string',
  485. ),
  486. array(
  487. $user_info['id'], time(), $user_info['ip'], $user_info['ip2']
  488. ),
  489. array(
  490. 'id_member', 'time'
  491. )
  492. );
  493. // Just log you back out if it's in maintenance mode and you AREN'T an admin.
  494. if (empty($maintenance) || allowedTo('admin_forum'))
  495. redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
  496. else
  497. redirectexit('action=logout;' . $context['session_var'] . '=' . $context['session_id'], $context['server']['needs_login_fix']);
  498. }
  499. /**
  500. * Logs the current user out of their account.
  501. * It requires that the session hash is sent as well, to prevent automatic logouts by images or javascript.
  502. * It redirects back to $_SESSION['logout_url'], if it exists.
  503. * It is accessed via ?action=logout;session_var=...
  504. *
  505. * @param bool $internal if true, it doesn't check the session
  506. * @param $redirect
  507. */
  508. function Logout($internal = false, $redirect = true)
  509. {
  510. global $sourcedir, $user_info, $user_settings, $context, $smcFunc;
  511. // Make sure they aren't being auto-logged out.
  512. if (!$internal)
  513. checkSession('get');
  514. require_once($sourcedir . '/Subs-Auth.php');
  515. if (isset($_SESSION['pack_ftp']))
  516. $_SESSION['pack_ftp'] = null;
  517. // They cannot be open ID verified any longer.
  518. if (isset($_SESSION['openid']))
  519. unset($_SESSION['openid']);
  520. // It won't be first login anymore.
  521. unset($_SESSION['first_login']);
  522. // Just ensure they aren't a guest!
  523. if (!$user_info['is_guest'])
  524. {
  525. // Pass the logout information to integrations.
  526. call_integration_hook('integrate_logout', array($user_settings['member_name']));
  527. // If you log out, you aren't online anymore :P.
  528. $smcFunc['db_query']('', '
  529. DELETE FROM {db_prefix}log_online
  530. WHERE id_member = {int:current_member}',
  531. array(
  532. 'current_member' => $user_info['id'],
  533. )
  534. );
  535. }
  536. $_SESSION['log_time'] = 0;
  537. // Empty the cookie! (set it in the past, and for id_member = 0)
  538. setLoginCookie(-3600, 0);
  539. // And some other housekeeping while we're at it.
  540. session_destroy();
  541. if (!empty($user_info['id']))
  542. updateMemberData($user_info['id'], array('password_salt' => substr(md5(mt_rand()), 0, 4)));
  543. // Off to the merry board index we go!
  544. if ($redirect)
  545. {
  546. if (empty($_SESSION['logout_url']))
  547. redirectexit('', $context['server']['needs_login_fix']);
  548. elseif (!empty($_SESSION['logout_url']) && (strpos('http://', $_SESSION['logout_url']) === false && strpos('https://', $_SESSION['logout_url']) === false))
  549. {
  550. unset ($_SESSION['logout_url']);
  551. redirectexit();
  552. }
  553. else
  554. {
  555. $temp = $_SESSION['logout_url'];
  556. unset($_SESSION['logout_url']);
  557. redirectexit($temp, $context['server']['needs_login_fix']);
  558. }
  559. }
  560. }
  561. /**
  562. * MD5 Encryption used for older passwords. (SMF 1.0.x/YaBB SE 1.5.x hashing)
  563. *
  564. * @param string $data
  565. * @param string $key
  566. * @return string, the HMAC MD5 of data with key
  567. */
  568. function md5_hmac($data, $key)
  569. {
  570. $key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
  571. return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)) . $data)));
  572. }
  573. /**
  574. * Custom encryption for phpBB3 based passwords.
  575. *
  576. * @param string $passwd
  577. * @param string $passwd_hash
  578. * @return string
  579. */
  580. function phpBB3_password_check($passwd, $passwd_hash)
  581. {
  582. // Too long or too short?
  583. if (strlen($passwd_hash) != 34)
  584. return;
  585. // Range of characters allowed.
  586. $range = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
  587. // Tests
  588. $strpos = strpos($range, $passwd_hash[3]);
  589. $count = 1 << $strpos;
  590. $count2 = $count;
  591. $salt = substr($passwd_hash, 4, 8);
  592. $hash = md5($salt . $passwd, true);
  593. for (; $count != 0; --$count)
  594. $hash = md5($hash . $passwd, true);
  595. $output = substr($passwd_hash, 0, 12);
  596. $i = 0;
  597. while ($i < 16)
  598. {
  599. $value = ord($hash[$i++]);
  600. $output .= $range[$value & 0x3f];
  601. if ($i < 16)
  602. $value |= ord($hash[$i]) << 8;
  603. $output .= $range[($value >> 6) & 0x3f];
  604. if ($i++ >= 16)
  605. break;
  606. if ($i < 16)
  607. $value |= ord($hash[$i]) << 16;
  608. $output .= $range[($value >> 12) & 0x3f];
  609. if ($i++ >= 16)
  610. break;
  611. $output .= $range[($value >> 18) & 0x3f];
  612. }
  613. // Return now.
  614. return $output;
  615. }
  616. /**
  617. * This protects against brute force attacks on a member's password.
  618. * Importantly, even if the password was right we DON'T TELL THEM!
  619. *
  620. * @param $id_member
  621. * @param $password_flood_value = false
  622. * @param $was_correct = false
  623. */
  624. function validatePasswordFlood($id_member, $password_flood_value = false, $was_correct = false)
  625. {
  626. global $cookiename, $sourcedir;
  627. // As this is only brute protection, we allow 5 attempts every 10 seconds.
  628. // Destroy any session or cookie data about this member, as they validated wrong.
  629. require_once($sourcedir . '/Subs-Auth.php');
  630. setLoginCookie(-3600, 0);
  631. if (isset($_SESSION['login_' . $cookiename]))
  632. unset($_SESSION['login_' . $cookiename]);
  633. // We need a member!
  634. if (!$id_member)
  635. {
  636. // Redirect back!
  637. redirectexit();
  638. // Probably not needed, but still make sure...
  639. fatal_lang_error('no_access', false);
  640. }
  641. // Right, have we got a flood value?
  642. if ($password_flood_value !== false)
  643. @list ($time_stamp, $number_tries) = explode('|', $password_flood_value);
  644. // Timestamp or number of tries invalid?
  645. if (empty($number_tries) || empty($time_stamp))
  646. {
  647. $number_tries = 0;
  648. $time_stamp = time();
  649. }
  650. // They've failed logging in already
  651. if (!empty($number_tries))
  652. {
  653. // Give them less chances if they failed before
  654. $number_tries = $time_stamp < time() - 20 ? 2 : $number_tries;
  655. // They are trying too fast, make them wait longer
  656. if ($time_stamp < time() - 10)
  657. $time_stamp = time();
  658. }
  659. $number_tries++;
  660. // Broken the law?
  661. if ($number_tries > 5)
  662. fatal_lang_error('login_threshold_brute_fail', 'critical');
  663. // Otherwise set the members data. If they correct on their first attempt then we actually clear it, otherwise we set it!
  664. updateMemberData($id_member, array('passwd_flood' => $was_correct && $number_tries == 1 ? '' : $time_stamp . '|' . $number_tries));
  665. }
  666. ?>