login.php

   1 <?php
   2
   3
   4 function login_get_fields() {
   5     $data = array();
   6
   7     $data['after_login_url'] = format_oneline(_REQUEST_cut('after_login_url'));
   8     $data['username'] = format_auth_username(trim(_REQUEST_cut('username')));
   9     $data['password'] = format_oneline(trim(_REQUEST_cut('password')));
  10
  11     return $data;
  12 }
  13
  14 function login_main() {
  15     $data = login_get_fields();
  16     if (strlen($data['username']) && strlen($data['password'])) {
  17         $row = db_get_assoc('users', 'id,name,role,password', 'where username=%"', $data['username']);
  18         if ($row) # &&
  19         if (strlen($row['password'])) {
  20             $needs_rehash = false;
  21             $password_good = false;
  22             if (substr($row['password'], 0, 5) === 'sha1:') {
  23                 if (sha1($data['password']) === substr($row['password'], 5)) {
  24                     $password_good = true;
  25                     $needs_rehash = true;
  26                 }
  27             } else {
  28                 if (!function_exists('password_hash')) {
  29                     require_once(__DIR__.'/'.'inc/password_funcs_backported.php');
  30                 }
  31                 if (password_verify($data['password'], $row['password'])) {
  32                     $password_good = true;
  33                     if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
  34                         $needs_rehash = true;
  35                     }
  36                 }
  37             }
  38             if ($password_good) {
  39                 if ($needs_rehash) {
  40                     if (!function_exists('password_hash')) {
  41                         require_once(__DIR__.'/'.'inc/password_funcs_backported.php');
  42                     }
  43                     $hash = password_hash($data['password'], PASSWORD_DEFAULT);
  44                     db_update('users', 'password', $hash, 'where id=%i', $row['id']);
  45                 }
  46
  47                 session_new();
  48                 session_set('auth_id', $row['id']);
  49                 # we're about to http redirect, so no need to update session_auth now
  50                 db_update('users', 'last_login', time(), 'where id=%i', $row['id']);
  51                 message("You are now logged in.");
  52                 if(!$data['after_login_url']) {
  53                     if ($row['role'] == 'admin') {
  54                         $data['after_login_url'] = './admin';
  55                     } else {
  56                         $data['after_login_url'] = './';
  57                     }
  58                 } elseif(strpos(':', $data['after_login_url']) !== false) {
  59                     $data['after_login_url'] = "./$data[url]";
  60                 }
  61
  62                 # redirect to the page they were trying to access:
  63                 return $data['after_login_url'];
  64             }
  65         }
  66         message("Incorrect username and/or password");
  67     }
  68     $data['password'] = '';
  69     tem_set('form', $data);
  70 }