khanat-opennel-code/code/nelns/admin/public_html/session_auth.php
Guillaume Dupuy 6f1197d633 Allow target to work with sheetName and a quiet option
HG : Enter commit message.  Lines beginning with 'HG:' are removed.
2016-11-28 00:54:33 +01:00

241 lines
6.7 KiB
PHP

<?php
// NeL - MMORPG Framework <http://dev.ryzom.com/projects/nel/>
// Copyright (C) 2010 Winch Gate Property Limited
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// authenticate
function auth(&$error)
{
global $command, $sessionAuth, $admcookielogin, $admcookiepassword, $sessionAuth;
global $admlogin, $admpassword, $uid, $gid, $useCookie, $group, $HTTP_POST_VARS;
unset($error);
switch($HTTP_POST_VARS["command"])
{
case "logout":
addToLog("Logout!");
$uid = $sessionAuth["uid"];
logUser($uid, "LOGOUT");
//session_unregister("sessionAuth");
unset($_SESSION["sessionAuth"]);
session_destroy();
// erases cookies
eraseCookies();
unset($admlogin);
unset($admpassword);
unset($admcookielogin);
unset($admcookiepassword);
unset($uid);
htmlProlog($_SERVER['PHP_SELF'], "Logout", false);
echo "<center>\n";
echo "You are not logged any more<br>\n";
echo "Click <a href='index.php'>here</a> to login<br>\n";
echo "</center>\n";
htmlEpilog();
die();
break;
case "chPassword":
addToLog("Change pass!");
global $chOldPass, $chNewPass, $chConfirmNewPass;
if (!($uid = validateId($admlogin, $admpassword, $useCookie, $gid, $group)))
{
$error = "Invalid login '$admlogin'";
eraseCookies();
return 0;
}
if (crypt($chOldPass, "NL") == $admpassword && $chNewPass == $chConfirmNewPass)
{
sqlquery("UPDATE user SET password='".crypt($chNewPass, "NL")."' WHERE uid='$uid'");
$admpassword = $chNewPass;
addToLog("Changed password to '$chNewPass':'".crypt($chNewPass, "NL")."'");
//session_unregister("sessionAuth");
unset($_SESSION["sessionAuth"]);
session_destroy();
}
case "login":
$admpassword = crypt($admpassword, "NL");
addToLog("Login! -- admlogin='$admlogin', admpassword='$admpassword'");
if (!($uid = validateId($admlogin, $admpassword, $useCookie, $gid, $group)))
{
$error = "Invalid login '$admlogin'";
print $error;
eraseCookies();
return 0;
}
$sessionAuth = array ("admlogin" => $admlogin, "admpassword" => $admpassword, "uid" => $uid);
//session_register("sessionAuth");
$_SESSION["sessionAuth"] = $sessionAuth;
if ($useCookie)
setupCookies($admlogin, $admpassword);
logUser($uid, "LOGIN");
return 1;
break;
default:
if (!isset($sessionAuth) || $sessionAuth["admlogin"] == "")
{
print "no sessionauth or admlogin is blank";
if (!isset($admcookielogin))
{
addToLog("cookie not set");
return false;
}
else
{
$admlogin = $admcookielogin;
$admpassword = $admcookiepassword;
}
}
else
{
$admlogin = $sessionAuth["admlogin"];
$admpassword = $sessionAuth["admpassword"];
$uid = $sessionAuth["uid"];
}
if (!($uid = validateId($admlogin, $admpassword, $useCookie, $gid, $group)))
{
if (!$uid)
{
$error = "Invalid login '$admlogin'";
eraseCookies();
return false;
}
}
$sessionAuth = array ("admlogin" => $admlogin, "admpassword" => $admpassword, "uid" => $uid);
//session_register("sessionAuth");
$_SESSION["sessionAuth"] = $sessionAuth;
if ($useCookie)
setupCookies($admlogin, $admpassword);
else
eraseCookies();
//logUser($uid, "BROWSE");
return 1;
break;
}
}
// validate id
function validateId($admlogin, $admpassword, &$useCookies, &$gid, &$group)
{
global $REMOTE_ADDR;
if (!ereg('^[a-zA-Z0-9]+$', $admlogin))
{
//echo "DETECTED potential hacking login='$admlogin'<br>\n";
return false;
}
addToLog("Validate login: '$admlogin'/'$admpassword'...");
$res = mysql_query("SELECT auth.password AS password, auth.uid AS uid, auth.useCookie AS useCookie, auth.gid AS gid, ugroup.login AS gname, auth.allowed_ip AS allowed_ip FROM user AS auth, user AS ugroup WHERE BINARY auth.login='$admlogin' AND auth.gid=ugroup.uid");
if (!$res || !($arr=mysql_fetch_array($res)) || !($arr["uid"]) || $admpassword != $arr["password"])
{
addToLog("failed !!");
return false;
}
$allowed_ip = $arr["allowed_ip"];
if ($allowed_ip != "" && strstr($REMOTE_ADDR, $allowed_ip) == FALSE)
return false;
addToLog("success");
$useCookies = ($arr["useCookie"] == "yes");
$gid = $arr["gid"];
$group = $arr["gname"];
return $arr["uid"];
}
// setup cookies
function setupCookies($admlogin, $admpassword)
{
/*
setcookie("admcookielogin", $admlogin, time()+3600*24*15);
setcookie("admcookiepassword", $admpassword, time()+3600*24*15);
*/
addToLog("cookies set to admlogin=$admlogin admpassword=$admpassword");
}
// erase cookies
function eraseCookies()
{
setcookie("admcookielogin");
setcookie("admcookiepassword");
addToLog("cookies reset");
}
// log user
function logUser($uid, $act, $prefix="")
{
global $HTTP_USER_AGENT, $REMOTE_ADDR, $userlogpath;
$result = sqlquery("SELECT login FROM user WHERE uid='$uid'");
if ($result && ($result=sqlfetch($result)))
{
$login = $result["login"];
$filename = $userlogpath."/".$login.".log";
$file = fopen($filename, "a");
if ($file)
{
fwrite($file, ($prefix!="" ? $prefix." " : "").date("Y/m/d H:i:s")." $uid:$login:$HTTP_USER_AGENT:$REMOTE_ADDR $act\n");
fclose($file);
}
}
else
{
$filename = $userlogpath."/unreferenced_user.log";
$file = fopen($filename, "a");
if ($file)
{
fwrite($file, date("Y/m/d H:i:s")." $uid:<unknown login>:$HTTP_USER_AGENT:$REMOTE_ADDR $act\n");
fclose($file);
}
}
/*
$result = sqlquery("SELECT http_agent, remote_address, act FROM user_log WHERE uid='$uid' ORDER BY log_date DESC LIMIT 1");
if (!$result || !($arr=mysql_fetch_array($result)) || $arr["http_agent"]!=$HTTP_USER_AGENT || $arr["remote_address"]!=$REMOTE_ADDR || $arr["act"]!=$act)
{
sqlquery("INSERT INTO user_log SET uid='$uid', http_agent='$HTTP_USER_AGENT', remote_address='$REMOTE_ADDR', log_date=NOW(), act='$act'");
}
*/
}
?>