Untitled

<?php
#   AUTHENTICATION CONTROLLER:
error_reporting(E_ALL);
session_start();

#   require config:
require_once $_SERVER['DOCUMENT_ROOT'] .  "shoppingCART/lib/constants.inc.php";

#   get the database:
require DATABASE;

#   get auth library:
require AUTH_LIB;

#   get output lib:
require_once OUTPUT;

#   variables required:
$form_token = hash('sha512', rand() . md5(rand() ) );       #   required when submitting the login form.
$ip_address = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$failed_attempts = array();
$max_failed_attempts = 5;
$error = array();   #   array to collect errors

#   set the sessions:
if (!isset($_SESSION['form_token']) && !isset($_SESSION['form_token_start']) )
{
    $_SESSION['form_token'] = $form_token;
    $_SESSION['form_token_start'] = time();
}


#   calculate token age:
$token_age = time() - $_SESSION['form_token_start'];

#   check if session has expired:
if ($token_age < 900)
{
    #   check if correct submit button was clicked and that everything was filled in:
    if (isset($_POST['username']) && isset($_POST['password'])
        && isset($_POST['action']) && $_POST['action'] == "Sign In"
        && $_SESSION['form_token'] === $_POST['form_token']
        )
    {
        if (!empty($_POST['username']) && !empty($_POST['password']))
        {
    #   make user input safe:
        $username = userInput($_POST['username']);
        $password = userInput($_POST['password']);

        #   check if valid username and password:
            if (validUser($username, $password) )
            {
                #   get the users url token from the datbase:
                $user = getUserDetails($username);
                foreach ($user as $user_value)
                {
                    $url_token = $user_value['url_token'];
                }

                #   the following token will now be used in each request the user makes:
                $user_token = hash('sha256', rand() . $user_agent . $ip_address . $url_token);

                setcookie("user_token", "$user_token-$ip_address", time()+4500);

                if (!isset($_SESSION['user_token']) )
                {
                    $_SESSION['user_token'] = $user_token;
                }

                echo "<a href='?token=$user_token'>Click here</a>";

                echo "<p>" . $username;     #   REDIRECT TO USER HOME HERE, show content here
                die();
            }
            else
            {
                #   FAILED login attempt:
                $failed_attempts[] = 1;
                $error['invalid'][] = "Username or Password is invalid.";
                $_SESSION['form_token'] = $form_token;  #   generate new form token
            }
        }
        else
        {
            #   empty username or password
            $failed_attempts[] = 1;
            $error['empty'][] = "Enter a Username and Password.";
            $_SESSION['form_token'] = $form_token;  #   generate new form token
        }
    }
}
else
{
    $error['timeout'] = "Session Expired.";
}

#   after user has been validated, check that this is the correct cookie:


if (isset($_COOKIE['user_token']) && $_SESSION['user_token'])
{

    if (isset($_GET['token']))
    {
        $cookie = explode("-", $_COOKIE['user_token']);
        if ($cookie[0] === $_GET['token'] && $cookie[1] === $_SERVER['REMOTE_ADDR'])    #   match ip address
        {
            $session_token = $_SESSION['user_token'];
            $ip_address = $_SERVER['REMOTE_ADDR'];
            setcookie("user_token", "$session_token-$ip_address", time()+4500 );      #allowed to continue, otherwise show form
        }
    }
}
else
{
    require h_LOGIN;   # show html form
    die();
}

 ?>