includes/sessions.php
changeset 181 06bdbdfec160
parent 179 36b287f1d85c
child 182 c69730750be3
180:c63c5ee6c6d6 181:06bdbdfec160
   555   function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
   555   function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
   556   {
   556   {
   557     global $db, $session, $paths, $template, $plugins; // Common objects
   557     global $db, $session, $paths, $template, $plugins; // Common objects
   558     
   558     
   559     $privcache = $this->private_key;
   559     $privcache = $this->private_key;
   560     
   560 
   561     // Lockout stuff
   561     if ( !defined('IN_ENANO_INSTALL') )
   562     $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
   562     {
   563     $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
   563       // Lockout stuff
   564     // convert to minutes
   564       $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
   565     $duration  = $duration * 60;
   565       $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
   566     $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
   566       // convert to minutes
   567     if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
   567       $duration  = $duration * 60;
   568     {
   568       $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
   569       // policy is captcha -- check if it's correct, and if so, bypass lockout check
   569       if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
   570       $real_code = $this->get_captcha($captcha_hash);
   570       {
   571     }
   571         // policy is captcha -- check if it's correct, and if so, bypass lockout check
   572     if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
   572         $real_code = $this->get_captcha($captcha_hash);
   573     {
   573       }
   574       $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   574       if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
   575       $timestamp_cutoff = time() - $duration;
   575       {
   576       $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
   576         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   577       $fails = $db->numrows();
   577         $timestamp_cutoff = time() - $duration;
   578       if ( $fails > $threshold )
   578         $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
   579       {
   579         $fails = $db->numrows();
   580         // ooh boy, somebody's in trouble ;-)
   580         if ( $fails > $threshold )
   581         $row = $db->fetchrow();
   581         {
       
   582           // ooh boy, somebody's in trouble ;-)
       
   583           $row = $db->fetchrow();
       
   584           $db->free_result();
       
   585           return array(
       
   586               'success' => false,
       
   587               'error' => 'locked_out',
       
   588               'lockout_threshold' => $threshold,
       
   589               'lockout_duration' => ( $duration / 60 ),
       
   590               'lockout_fails' => $fails,
       
   591               'lockout_policy' => $policy,
       
   592               'lockout_last_time' => $row['timestamp']
       
   593             );
       
   594         }
   582         $db->free_result();
   595         $db->free_result();
   583         return array(
   596       }
   584             'success' => false,
       
   585             'error' => 'locked_out',
       
   586             'lockout_threshold' => $threshold,
       
   587             'lockout_duration' => ( $duration / 60 ),
       
   588             'lockout_fails' => $fails,
       
   589             'lockout_policy' => $policy,
       
   590             'lockout_last_time' => $row['timestamp']
       
   591           );
       
   592       }
       
   593       $db->free_result();
       
   594     }
   597     }
   595     
   598     
   596     // Instanciate the Rijndael encryption object
   599     // Instanciate the Rijndael encryption object
   597     $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
   600     $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
   598     
   601     
   631       // This wasn't logged in <1.0.2, dunno how it slipped through
   634       // This wasn't logged in <1.0.2, dunno how it slipped through
   632       if($level > USER_LEVEL_MEMBER)
   635       if($level > USER_LEVEL_MEMBER)
   633         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   636         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   634       else
   637       else
   635         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   638         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   636       
   639     
   637       if ( $policy != 'disable' )
   640       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
   638       {
   641       {
   639         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   642         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   640         // increment fail count
   643         // increment fail count
   641         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   644         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   642         $fails++;
   645         $fails++;
   744         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   747         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   745       else
   748       else
   746         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   749         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   747         
   750         
   748       // Do we also need to increment the lockout countdown?
   751       // Do we also need to increment the lockout countdown?
   749       if ( $policy != 'disable' )
   752       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
   750       {
   753       {
   751         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   754         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   752         // increment fail count
   755         // increment fail count
   753         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   756         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   754         $fails++;
   757         $fails++;
   789     if($this->compat)
   792     if($this->compat)
   790     {
   793     {
   791       return $this->login_compat($username, $pass_hashed, $level);
   794       return $this->login_compat($username, $pass_hashed, $level);
   792     }
   795     }
   793     
   796     
   794     // Lockout stuff
   797     if ( !defined('IN_ENANO_INSTALL') )
   795     $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
   798     {
   796     $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
   799       // Lockout stuff
   797     // convert to minutes
   800       $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
   798     $duration  = $duration * 60;
   801       $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
   799     $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
   802       // convert to minutes
   800     if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
   803       $duration  = $duration * 60;
   801     {
   804       $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
   802       // policy is captcha -- check if it's correct, and if so, bypass lockout check
   805       if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
   803       $real_code = $this->get_captcha($captcha_hash);
   806       {
   804     }
   807         // policy is captcha -- check if it's correct, and if so, bypass lockout check
   805     if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
   808         $real_code = $this->get_captcha($captcha_hash);
   806     {
   809       }
   807       $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   810       if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
   808       $timestamp_cutoff = time() - $duration;
   811       {
   809       $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
   812         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   810       $fails = $db->numrows();
   813         $timestamp_cutoff = time() - $duration;
   811       if ( $fails > $threshold )
   814         $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
   812       {
   815         $fails = $db->numrows();
   813         // ooh boy, somebody's in trouble ;-)
   816         if ( $fails > $threshold )
   814         $row = $db->fetchrow();
   817         {
       
   818           // ooh boy, somebody's in trouble ;-)
       
   819           $row = $db->fetchrow();
       
   820           $db->free_result();
       
   821           return array(
       
   822               'success' => false,
       
   823               'error' => 'locked_out',
       
   824               'lockout_threshold' => $threshold,
       
   825               'lockout_duration' => ( $duration / 60 ),
       
   826               'lockout_fails' => $fails,
       
   827               'lockout_policy' => $policy,
       
   828               'lockout_last_time' => $row['timestamp']
       
   829             );
       
   830         }
   815         $db->free_result();
   831         $db->free_result();
   816         return array(
   832       }
   817             'success' => false,
       
   818             'error' => 'locked_out',
       
   819             'lockout_threshold' => $threshold,
       
   820             'lockout_duration' => ( $duration / 60 ),
       
   821             'lockout_fails' => $fails,
       
   822             'lockout_policy' => $policy,
       
   823             'lockout_last_time' => $row['timestamp']
       
   824           );
       
   825       }
       
   826       $db->free_result();
       
   827     }
   833     }
   828     
   834     
   829     // Instanciate the Rijndael encryption object
   835     // Instanciate the Rijndael encryption object
   830     $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
   836     $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
   831     
   837     
   841         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   847         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   842       else
   848       else
   843         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   849         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   844       
   850       
   845       // Do we also need to increment the lockout countdown?
   851       // Do we also need to increment the lockout countdown?
   846       if ( $policy != 'disable' )
   852       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
   847       {
   853       {
   848         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   854         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   849         // increment fail count
   855         // increment fail count
   850         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   856         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   851         $fails++;
   857         $fails++;
   946         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   952         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
   947       else
   953       else
   948         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   954         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
   949         
   955         
   950       // Do we also need to increment the lockout countdown?
   956       // Do we also need to increment the lockout countdown?
   951       if ( $policy != 'disable' )
   957       if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
   952       {
   958       {
   953         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   959         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
   954         // increment fail count
   960         // increment fail count
   955         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   961         $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
   956         $fails++;
   962         $fails++;
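Review bot: At new line 640, `if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )` evaluates `$policy` before the install guard, but `$policy` is now assigned only inside the `if ( !defined('IN_ENANO_INSTALL') )` block introduced at new line 561, so when the constant is defined the comparison reads an undefined variable (a notice, and `null != 'disable'` is true) before the second operand short-circuits; the same ordering appears at new lines 752, 852 and 957. Putting the constant check first avoids it: `if ( !defined('IN_ENANO_INSTALL') && $policy != 'disable' )`. The same blocks also run `$fails++` on a `$fails` that is only set when the lockout SELECT ran, which was already true before this change on the captcha-bypass path but now becomes the normal case under the install constant; an explicit `$fails = 0;` beside the new guard would keep that arithmetic defined. The enclosing functions (login_with_crypto and the second login function holding the `login_compat` call) start and end outside these hunks, so I cannot see whether `$policy` or `$fails` is assigned elsewhere in between.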