OpencachingDeutschland/oc-server3
1
0
Fork 0
Code Issues Pull Requests Releases Activity
oc-server3/htdocs/lib/login.class.php
ocoliver a4aee625a9 - session id is now generated from truly random value, previous used mysql UUID() had weak randomness 
- added session id brute force prevention to old template engine (as used in new template engine)
- forced login->verify() in old template engine
- removed unused login/logout related codes from old template engine
- uuid of new database records is now generated in before insert trigger
2012-11-17 18:04:35 +01:00

167 lines
5.1 KiB
PHP
Raw Blame History

<?php
/***************************************************************************
* For license information see doc/license.txt
*
* Unicode Reminder メモ
*
* This class provides access to the login user data. Informations are
* stored in a cookie.
*
* Methods:
* verify() validate the login-session
*
* Properties:
* userid Integer 0 if no login, userid otherwise
* username String username or ''
*
***************************************************************************/
define('LOGIN_UNKNOWN_ERROR', -1); // unkown error occured
define('LOGIN_OK', 0); // login succeeded
define('LOGIN_BADUSERPW', 1); // bad username or password
define('LOGIN_TOOMUCHLOGINS', 2); // too many logins in short time
define('LOGIN_USERNOTACTIVE', 3); // the useraccount locked
define('LOGIN_EMPTY_USERPASSWORD', 4); // given username/password was empty
define('LOGIN_LOGOUT_OK', 5); // logout was successfull
// login times in seconds
define('LOGIN_TIME', 60*60);
define('LOGIN_TIME_PERMANENT', 90*24*60*60);
$login = new login();
class login
{
var $userid = 0;
var $username = '';
var $lastlogin = 0;
var $permanent = false;
var $sessionid = '';
var $verified = false;
var $admin = false;
function login()
{
global $cookie;
if ($cookie->is_set('userid') && $cookie->is_set('username'))
{
$this->userid = $cookie->get('userid')+0;
$this->username = $cookie->get('username');
$this->permanent = (($cookie->get('permanent')+0) == 1);
$this->lastlogin = $cookie->get('lastlogin');
$this->sessionid = $cookie->get('sessionid');
$this->admin = (($cookie->get('admin')+0) == 1);
$this->verified = false;
$this->verify();
}
else
$this->pClear();
}
function pClear()
{
// set to no valid login
$this->userid = 0;
$this->username = '';
$this->permanent = false;
$this->lastlogin = '';
$this->sessionid = '';
$this->admin = false;
$this->verified = true;
$this->pStoreCookie();
}
function pStoreCookie()
{
global $cookie;
$cookie->set('userid', $this->userid);
$cookie->set('username', $this->username);
$cookie->set('permanent', ($this->permanent==true ? 1 : 0));
$cookie->set('lastlogin', $this->lastlogin);
$cookie->set('sessionid', $this->sessionid);
$cookie->set('admin', ($this->admin==true ? 1 : 0));
}
function verify()
{
if ($this->verified == true)
return;
if ($this->userid == 0)
{
$this->pClear();
return;
}
if ($this->checkLoginsCount() == false)
{
$this->pClear();
return;
}
$min_lastlogin = date('Y-m-d H:i:s', time() - LOGIN_TIME);
$min_lastlogin_permanent = date('Y-m-d H:i:s', time() - LOGIN_TIME_PERMANENT);
$rs = sql("SELECT `sys_sessions`.`last_login`, `user`.`admin` FROM &db.`sys_sessions`, &db.`user` WHERE `sys_sessions`.`user_id`=`user`.`user_id` AND `user`.`is_active_flag`=1 AND `sys_sessions`.`uuid`='&1' AND `sys_sessions`.`user_id`='&2' AND ((`sys_sessions`.`permanent`=1 AND `sys_sessions`.`last_login`>'&3') OR (`sys_sessions`.`permanent`=0 AND `sys_sessions`.`last_login`>'&4'))", $this->sessionid, $this->userid, $min_lastlogin_permanent, $min_lastlogin);
if ($rUser = sql_fetch_assoc($rs))
{
if ((($this->permanent == true) && (strtotime($rUser['last_login']) + LOGIN_TIME/2 < time())) ||
(($this->permanent == false) && (strtotime($rUser['last_login']) + LOGIN_TIME_PERMANENT/2 < time())))
{
sql("UPDATE `sys_sessions` SET `sys_sessions`.`last_login`=NOW() WHERE `sys_sessions`.`uuid`='&1' AND `sys_sessions`.`user_id`='&2'", $this->sessionid, $this->userid);
$rUser['last_login'] = date('Y-m-d H:i:s');
}
// user.last_login is used for statics, so we keep it up2date
sql("UPDATE `user` SET `user`.`last_login`=NOW() WHERE `user`.`user_id`='&1'", $this->userid);
$this->lastlogin = $rUser['last_login'];
$this->admin = ($rUser['admin'] == 1);
$this->verified = true;
}
else
{
// prevent bruteforce
sql("INSERT INTO `sys_logins` (`remote_addr`, `success`) VALUES ('&1', 0)", $_SERVER['REMOTE_ADDR']);
$this->pClear();
}
sql_free_result($rs);
$this->pStoreCookie();
return;
}
public function hasAdminPriv($privilege = false)
{
global $cookie;
$this->verify();
if ($privilege === false)
return $this->admin != 0;
return ($this->admin & $privilege) == $privilege;
}
function checkLoginsCount()
{
global $opt;
// cleanup old entries
// (execute only every 50 search calls)
if (rand(1, 50) == 1)
sql("DELETE FROM `sys_logins` WHERE `date_created`<'&1'", date('Y-m-d H:i:s', time() - 3600));
// check the number of logins in the last hour ...
$logins_count = sqlValue("SELECT COUNT(*) `count` FROM `sys_logins` WHERE `remote_addr`='" . sql_escape($_SERVER['REMOTE_ADDR']) . "' AND `date_created`>'" . sql_escape(date('Y-m-d H:i:s', time() - 3600)) . "'", 0);
if ($logins_count > $opt['page']['max_logins_per_hour'])
return false;
else
return true;
}
}
?>
Reference in New Issue View Git Blame Copy Permalink