upgrade login/password/session/auth handling

[wfpl-cms.git] / login.php

diff --git a/login.php b/login.php
new file mode 100644 (file)
index 0000000..4ec1344
--- /dev/null
+++ b/login.php
@@ -0,0 +1,67 @@
+<?php
+
+
+function login_get_fields() {
+       $data = array();
+
+       $data['after_login_url'] = format_oneline(_REQUEST_cut('after_login_url'));
+       $data['username'] = format_oneline(trim(_REQUEST_cut('username')));
+       $data['password'] = format_oneline(trim(_REQUEST_cut('password')));
+
+       return $data;
+}
+
+function login_main() {
+       $data = login_get_fields();
+       if (strlen($data['username']) && strlen($data['password'])) {
+               $row = db_get_assoc('users', 'id,name,role,password', 'where username=%"', format_auth_username($data['username']));
+               if ($row) # &&
+               if (strlen($row['password'])) {
+                       $needs_rehash = false;
+                       $password_good = false;
+                       if (substr($row['password'], 0, 5) === 'sha1:') {
+                               if (sha1($data['password']) === substr($row['password'], 5)) {
+                                       $password_good = true;
+                                       $needs_rehash = true;
+                               }
+                       } else {
+                               if (!function_exists('password_hash')) {
+                                       require_once(DOCROOT . 'inc/password_funcs_backported.php');
+                               }
+                               if (password_verify($data['password'], $row['password'])) {
+                                       $password_good = true;
+                                       if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
+                                               $needs_rehash = true;
+                                       }
+                               }
+                       }
+                       if ($password_good) {
+                               if ($needs_rehash) {
+                                       $hash = password_hash($data['password'], PASSWORD_DEFAULT);
+                                       db_update('users', 'password', $hash, 'where id=%i', $row['id']);
+                               }
+
+                               session_new();
+                               session_set('auth_id', $row['id']);
+                               # we're about to http redirect, so no need to update session_auth now
+                               db_update('users', 'last_login', time(), 'where id=%i', $row['id']);
+                               message("You are now logged in.");
+                               if(!$data['after_login_url']) {
+                                       if ($row['role'] == 'admin') {
+                                               $data['after_login_url'] = './admin';
+                                       } else {
+                                               $data['after_login_url'] = './';
+                                       }
+                               } elseif(strpos(':', $data['after_login_url']) !== false) {
+                                       $data['after_login_url'] = "./$data[url]";
+                               }
+
+                               # redirect to the page they were trying to access:
+                               return $data['after_login_url'];
+                       }
+               }
+               message("Incorrect username and/or password");
+       }
+       $data['password'] = '';
+       tem_set('form', $data);
+}